Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Configure site-to-site IPsec VPN, where remote site has dynamic IP address and SRX has static IP address

0

0

Article ID: KB28077 KB Last Updated: 27 Feb 2020Version: 3.0
Summary:

This article provides information on how to create a site-to-site Route-based or Policy-based VPN between an SRX device and a remote end-site, where the remote end-site has a dynamic IP address and the SRX device has a static IP address.

Symptoms:

The objective is to establish a site-to-site Route-based or Policy-based VPN between the SRX device and the Remote firewall, where the remote site has a dynamic IP address.

The topology is as follows:

                             1.1.1.1                                         IKE-ID=host1.example.com

(PC-A) --------[SRX]---------------ISP--------------------------[FIREWALL]--------(PC-B)

                         STATIC IP                                         DYNAMIC IP

Solution:

One of the peers in the VPN setup is using a dynamic IP address (in this case, a remote firewall), so Aggressive mode is used.

Main mode is used in the VPN when both sites have a static IP address.

The remote-end firewall has a dynamic IP address instead of a static IP address, so an FQDN (fully qualified domain name) is used as IKE-IDENTITY in the IKE gateway configuration.

Configuration on the SRX device

[edit security ike]
root@SRX100-1# show | no-more
proposal ike-proposal1 {
     authentication-method pre-shared-keys;
     dh-group group2;
     authentication-algorithm sha1;
     encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
     mode aggressive;
     proposals ike-proposal1;
     pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike-gateway1 {
     ike-policy ike-policy1;
     dynamic hostname host1.example.com
     external-interface ge-0/0/0.0;
}

The remote-end firewall must be set with the IKE-ID as host1.example.com.

The rest of the configuration for VPN should be similar to configuring Phase 2 of IPSec VPN.

For configuring the same, follow the links:

For route-based VPN: TN108.

For policy-based VPN: TN107.

Modification History:
2019-09-27: Minor, non-technical update.
2020-02-27: minor non-technical edits.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search