This article describes how to create a site-to-site IPsec VPN between an SRX device and a remote site when the SRX has a dynamic IP address and the remote firewall has a static IP address.
The topology could be one of the following:
Topology 1:
In this topology, the SRX egress interface has a dynamic IP address.

IKE-ID=example.com                                          1.1.1.1
(PC-A)------[SRX]-------------------ISP-------------------[FIREWALL]------(PC-B)
           DYNAMIC IP                                      STATIC IP
Topology 2:
In this topology, the SRX is behind a NAT device; the SRX therefore reaches the remote firewall with its local IKE-ID set to juniper.net to form the VPN tunnel.

IKE-ID=example.com                                                    1.1.1.1
(PC-A)------[SRX]--------[NAT]-------------------ISP-------------------[FIREWALL]------(PC-B)
           DYNAMIC IP                                                  STATIC IP
The objective is to establish a site-to-site IPsec VPN between the SRX device and the remote firewall, where the SRX has a dynamic IP address.
Because one of the peers in the VPN (in our case, the SRX device) is using a dynamic IP address, we use aggressive mode. Main mode is used when both sites have a static IP address. Since the SRX has a dynamic rather than a static IP address, its IKE identity in the IKE gateway configuration is an FQDN (fully qualified domain name) instead of an IP address.
Configure the IKE identity as follows:
set security ike gateway <gateway-name> local-identity hostname <fully-qualified-domain-name>
A sample configuration of IKE Phase 1 would be as follows:
[edit security ike]
root@SRX2-100-1# show | no-more
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    address 1.1.1.1;
    local-identity hostname example.com;
    external-interface ge-0/0/0.0;
}
The remote end firewall must be configured with juniper.net as the peer IKE-ID that identifies the SRX device; this value must match the local-identity hostname configured on the SRX, or Phase 1 will not complete.
The rest of the VPN configuration is the same as configuring Phase 2 of an IPsec VPN. To configure it, follow these links:
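The following is an added example, not part of the original article or of any Juniper tool: a small Python checker that parses the "show"-format IKE configuration shown above, resolves gateway -> policy -> proposal, and reports whether the gateway is set up correctly for a dynamic local address (FQDN local-identity, aggressive mode, and a hostname that matches the peer IKE-ID the remote firewall has been told to expect). The configuration text, the expected remote-side IKE-ID (example.com, as in the sample), and the list of legacy algorithms it flags are all assumptions of this example.

```python
"""
Added example (not from the original article): a checker for the
Junos IKE Phase 1 pattern used with a dynamic local IP address.
"""
import re

# Constructed copy of the sample [edit security ike] configuration.
SAMPLE_IKE_CONFIG = """\
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    address 1.1.1.1;
    local-identity hostname example.com;
    external-interface ge-0/0/0.0;
}
"""

# Algorithms that still negotiate but that a reviewer would flag for
# replacement (assumption of this example, not a statement from the article).
LEGACY_ALGORITHMS = {"3des-cbc", "des-cbc", "md5", "sha1", "group1", "group2"}


def parse_junos_block(text):
    """Parse one hierarchy level of 'show'-format Junos config.

    'keyword name { ... }' becomes tree[keyword][name] = {stmt: value}, where
    the statement's first word is the key and the rest is the value.
    '## SECRET-DATA' annotations and surrounding quotes are stripped.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        block = re.match(r"^(\S+)\s+(\S+)\s*\{$", line)
        if block:
            kind, name = block.groups()
            current = tree.setdefault(kind, {}).setdefault(name, {})
            continue
        if line == "}":
            current = None
            continue
        if current is None or not line.endswith(";"):
            raise ValueError("unexpected line outside a block: %r" % raw)
        key, _, value = line[:-1].strip().partition(" ")
        current[key] = value.strip().strip('"')
    return tree


def check_dynamic_peer_gateway(tree, gateway_name, remote_expected_peer_id):
    """Return a list of findings; an empty list means the gateway passes.

    A gateway whose local address is dynamic must identify itself by FQDN
    (local-identity hostname), its policy must use aggressive mode, and the
    hostname must equal the peer IKE-ID configured on the remote firewall.
    """
    findings = []
    gw = tree.get("gateway", {}).get(gateway_name)
    if gw is None:
        return ["gateway %s not found" % gateway_name]

    id_type, _, id_value = gw.get("local-identity", "").partition(" ")
    if id_type != "hostname" or not id_value:
        findings.append("gateway %s: local-identity must be 'hostname <FQDN>' "
                        "for a dynamic local address" % gateway_name)
    elif id_value != remote_expected_peer_id:
        findings.append("gateway %s: local-identity %s does not match the remote "
                        "firewall's peer IKE-ID %s"
                        % (gateway_name, id_value, remote_expected_peer_id))

    policy = tree.get("policy", {}).get(gw.get("ike-policy", ""))
    if policy is None:
        findings.append("gateway %s: ike-policy %r is not defined"
                        % (gateway_name, gw.get("ike-policy")))
        return findings
    if policy.get("mode") != "aggressive":
        findings.append("policy %s: mode must be aggressive when the local peer "
                        "has a dynamic IP address" % gw["ike-policy"])

    # 'proposals' may be a single name or a bracketed list: "[ a b ]".
    for prop_name in policy.get("proposals", "").strip("[] ").split():
        prop = tree.get("proposal", {}).get(prop_name, {})
        for key in ("dh-group", "authentication-algorithm", "encryption-algorithm"):
            if prop.get(key) in LEGACY_ALGORITHMS:
                findings.append("proposal %s: %s %s is a legacy algorithm; plan an upgrade"
                                % (prop_name, key, prop[key]))
    return findings


if __name__ == "__main__":
    cfg = parse_junos_block(SAMPLE_IKE_CONFIG)
    for finding in check_dynamic_peer_gateway(cfg, "ike-gateway1", "example.com") or ["OK"]:
        print(finding)
```

Run against the sample configuration with example.com as the expected peer IKE-ID, the identity and mode checks pass and only the three legacy-algorithm findings remain; passing a different expected IKE-ID (for instance juniper.net) adds the mismatch finding, which is the same mismatch that stops Phase 1 from completing on a real deployment.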
For Route based VPN : TN108
For policy based VPN : TN107