Knowledge Search


[SRX] Configure site-to-site IPsec VPN, where remote site has dynamic IP address and SRX has static IP address

  [KB28077] Show Article Properties


This article provides information on how to create a site-to-site Route-based or Policy-based VPN between an SRX device and a remote end-site, where the remote end-site has a dynamic IP address and the SRX device has a static IP address.


The objective is to establish a site-to-site Route-based or Policy-based VPN between the SRX device and the Remote firewall, where the remote site has a dynamic IP address.

The topology is as follows:


(PC-A) --------[SRX]---------------ISP--------------------------[FIREWALL]--------(PC-B)

                         STATIC IP                                         DYNAMIC IP


One of the peers in the VPN setup is using a dynamic IP address (in this case, a remote firewall), so Aggressive mode is used.

Main mode is used in the VPN when both sites have a static IP address.

The remote-end firewall has a dynamic IP address instead of a static IP address, so an FQDN (fully qualified domain name) is used as IKE-IDENTITY in the IKE gateway configuration.

Configuration on the SRX device

[edit security ike]
root@SRX100-1# show | no-more
proposal ike-proposal1 {
     authentication-method pre-shared-keys;
     dh-group group2;
     authentication-algorithm sha1;
     encryption-algorithm 3des-cbc;
policy ike-policy1 {
     mode aggressive;
     proposals ike-proposal1;
     pre-shared-key ascii-text "$9$rbMKWxbs4Di.Ndi.P56/lKM"; ## SECRET-DATA
gateway ike-gateway1 {
     ike-policy ike-policy1;
     dynamic hostname
     external-interface ge-0/0/0.0;

The remote-end firewall must be set with the IKE-ID as

The rest of the configuration for VPN should be similar to configuring Phase 2 of IPsec VPN.

For configuring the same, follow the links:

For route-based VPN: TN108.

For policy-based VPN: TN107.

Modification History:
2019-09-27: Minor, non-technical update.
Related Links: