This article provides information on how to create a site-to-site Route-based or Policy-based VPN between an SRX device and a remote end-site, where the remote end-site has a dynamic IP address and the SRX device has a static IP address.

The objective is to establish a site-to-site Route-based or Policy-based VPN between the SRX device and the Remote firewall, where the remote site has a dynamic IP address.

The topology is as follows:

                             1.1.1.1                                         IKE-ID=host1.example.com

(PC-A) --------[SRX]---------------ISP--------------------------[FIREWALL]--------(PC-B)

                         STATIC IP                                         DYNAMIC IP

One of the peers in the VPN setup is using a dynamic IP address (in this case, a remote firewall), so Aggressive mode is used.

Main mode is used in the VPN when both sites have a static IP address.

The remote-end firewall has a dynamic IP address instead of a static IP address, so an FQDN (fully qualified domain name) is used as IKE-IDENTITY in the IKE gateway configuration.

Configuration on the SRX device

[edit security ike]
root@SRX100-1# show | no-more
proposal ike-proposal1 {
     authentication-method pre-shared-keys;
     dh-group group2;
     authentication-algorithm sha1;
     encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
     mode aggressive;
     proposals ike-proposal1;
     pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike-gateway1 {
     ike-policy ike-policy1;
     dynamic hostname host1.example.com
     external-interface ge-0/0/0.0;
}

The remote-end firewall must be set with the IKE-ID as host1.example.com.

The rest of the configuration for VPN should be similar to configuring Phase 2 of IPSec VPN.

For configuring the same, follow the links:

For route-based VPN: TN108.

For policy-based VPN: TN107.

2019-09-27: Minor, non-technical update.
2020-02-27: minor non-technical edits.