This article provides information on how to create a site-to-site Route-based or Policy-based VPN between an SRX device and a remote end-site, where the remote end-site has a dynamic IP address and the SRX device has a static IP address.
The objective is to establish a site-to-site Route-based or Policy-based VPN between the SRX device and the Remote firewall, where the remote site has a dynamic IP address.
The topology is as follows:

                  1.1.1.1                                   IKE-ID = host1.example.com
(PC-A) --------[SRX]---------------ISP--------------------------[FIREWALL]--------(PC-B)
             STATIC IP                                        DYNAMIC IP
Because one of the peers (here, the remote firewall) has a dynamic IP address and authenticates with a pre-shared key, IKEv1 aggressive mode is used. Main mode is used when both sites have static IP addresses, because the SRX can then identify the peer by its address.
Aggressive mode sends the identity and its hash before the channel is encrypted, so an eavesdropper can attempt an offline dictionary attack on the pre-shared key. Use a long, random key; if both ends support it, certificate authentication (which allows main mode with a dynamic peer) or IKEv2 avoids this exposure.
Since the remote firewall's address is not known in advance, an FQDN (fully qualified domain name) is configured as the IKE identity of the dynamic peer in the IKE gateway configuration. The SRX uses the identity the peer sends to select this gateway and its pre-shared key.
Configuration on the SRX device
[edit security ike]
root@SRX100-1# show | no-more
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    dynamic hostname host1.example.com;
    external-interface ge-0/0/0.0;
}
Note that 3des-cbc, sha1 and dh-group group2 are shown here as they appeared in the original configuration; they are legacy choices, and Junos also accepts aes-256-cbc, sha-256 and group14, which should be preferred on current deployments.
The remote-end firewall must be configured to send host1.example.com as its IKE identity (for example, if the remote peer is also an SRX: local-identity hostname host1.example.com under its IKE gateway). Because the SRX does not know the remote address, it can only respond: the remote firewall must initiate the tunnel.
The rest of the configuration (the IPsec Phase 2 proposal, policy and VPN, plus the tunnel interface, zones, routes or security policies) is the same as for a VPN between two static peers. For the complete procedure, follow the links:
For route-based VPN: TN108.
For policy-based VPN: TN107.
2019-09-27: Minor, non-technical update.
2020-02-27: minor non-technical edits.