This article provides information on how to configure Junos Pulse to connect via Dynamic VPN to an SRX device, which is behind a Static 1-to-1 NAT device.
- Junos Pulse connects to the SRX via Dynamic VPN.
- The SRX is the IKE responder and sits behind a device that performs 1-to-1 Static NAT.
Topology:
JUNOS Pulse ----- Internet ------ Static NAT Device ---- SRX Device
                                  (1-to-1 NAT)
With Junos releases earlier than 11.4R1, a Dynamic VPN to an SRX device that sits behind a router/switch performing 1-to-1 Static NAT fails during IPsec negotiation.
Beginning with Junos 11.4R1, Dynamic VPN to an SRX device behind a Static NAT device is supported. It requires a local-identity configuration on the SRX IKE responder (the local-identity statement under the IKE gateway).
Topology:
JUNOS Pulse ----- Internet ------ Static NAT Device ----------- SRX Device
(172.22.145.34)                   (172.22.145.33)                (172.16.10.2)
                                  (1-to-1 NAT)
In this example, the external-interface of the SRX device has the address 172.16.10.2. The static NAT device translates 172.16.10.2 to the public address 172.22.145.33. The required IKE configuration is:
root@SRX220# show security ike
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    local-identity inet 172.22.145.33;
    external-interface ge-0/0/0.0;
    xauth access-profile dyn-vpn-access-profile;
}
Notice that local-identity is set to the public address 172.22.145.33, not to the address configured on the external-interface (172.16.10.2). The NAT device presents the SRX to the Internet as 172.22.145.33, so that is the address the Pulse client dials and the IKE identity it expects from the responder. Without local-identity, the SRX identifies itself with its interface address 172.16.10.2, which does not match the address the client connected to, and the negotiation fails.
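To confirm that a gateway carries the local-identity this setup needs, here is an added Python example; it is not part of this article and not Juniper's own tooling. It parses the gateway block from "show security ike" output and compares local-identity against the NAT'd address the Pulse client dials. The embedded sample configuration is constructed from the gateway above, the interface address 172.16.10.2 is taken from the topology, and the remediation it suggests uses the standard Junos "set security ike gateway ... local-identity inet ..." syntax.

```python
"""Check a Junos 'show security ike' snippet for the local-identity a
dynamic-VPN responder behind 1-to-1 static NAT needs.

Added example, not from the KB article or from Juniper."""
import re

# Constructed sample: the gateway from the article (policy block included
# only to show that non-gateway blocks are skipped by the parser).
SAMPLE_IKE = """\
policy ike-dyn-vpn-policy {
    mode aggressive;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway dyn-vpn-local-gw {
    ike-policy ike-dyn-vpn-policy;
    dynamic {
        hostname dynvpn;
        connections-limit 10;
        ike-user-type group-ike-id;
    }
    local-identity inet 172.22.145.33;
    external-interface ge-0/0/0.0;
    xauth access-profile dyn-vpn-access-profile;
}
"""


def parse_gateways(text):
    """Return {gateway_name: {statement: value}} for each 'gateway X { ... }'
    block.  Nested blocks are flattened with their block name as a prefix,
    e.g. 'dynamic ike-user-type' -> 'group-ike-id'."""
    gateways = {}
    current = None
    prefix = []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop trailing ## comments
        if not line:
            continue
        m = re.match(r"gateway (\S+) \{$", line)
        if m:
            current = m.group(1)
            gateways[current] = {}
            prefix = []
            continue
        if current is None:
            continue                          # outside any gateway block
        if line.endswith("{"):
            prefix.append(line[:-1].strip())
            continue
        if line == "}":
            if prefix:
                prefix.pop()
            else:
                current = None                # gateway block closed
            continue
        key, _, value = line.rstrip(";").partition(" ")
        gateways[current][" ".join(prefix + [key])] = value
    return gateways


def check_nat_responder(text, gateway, public_ip, interface_ip):
    """Findings for a dynamic-VPN gateway whose SRX sits behind 1-to-1 NAT.

    public_ip    - NAT'd address the Pulse client dials (172.22.145.33 here)
    interface_ip - address actually configured on external-interface
    Returns [] when the gateway is correctly configured."""
    gw = parse_gateways(text).get(gateway)
    if gw is None:
        return ["gateway %s not found" % gateway]
    fix = "set security ike gateway %s local-identity inet %s" % (gateway, public_ip)
    findings = []
    if "dynamic hostname" not in gw and "dynamic ike-user-type" not in gw:
        findings.append("%s is not a dynamic gateway; check does not apply" % gateway)
        return findings
    ident = gw.get("local-identity")
    if ident is None:
        # Default IKE ID is the external-interface address, i.e. the
        # pre-NAT 172.16.10.2, which the client never sees.
        findings.append("no local-identity: responder identifies as %s but "
                        "client dials %s; %s" % (interface_ip, public_ip, fix))
    elif ident != "inet " + public_ip:
        findings.append("local-identity is '%s', expected 'inet %s'; %s"
                        % (ident, public_ip, fix))
    return findings


if __name__ == "__main__":
    for f in check_nat_responder(SAMPLE_IKE, "dyn-vpn-local-gw",
                                 "172.22.145.33", "172.16.10.2") or ["OK"]:
        print(f)
```

Running the script against the sample prints OK; delete the local-identity line, or set it to 172.16.10.2, and it reports the mismatch together with the set command that corrects it.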
Note: This procedure differs from the one in the product documentation, which covers a site-to-site VPN in which the SRX responder sits behind a 1-to-1 static NAT device.