[SRX] Configure site-to-site IPsec VPN, where the SRX has a dynamic IP address and the remote side firewall has a static IP address

[KB28108]


Summary:

This article describes how to create a site-to-site IPsec VPN between an SRX device and a remote site, where the SRX has a dynamic IP address and the remote side firewall has a static IP address.

Symptoms:

The topology could be as follows:


Topology 1:

In this topology, the SRX egress interface has a dynamic IP address.


                            IKE-ID=juniper.net                                                        1.1.1.1
(PC-A) --------[SRX]---------------------------------ISP--------------------------[FIREWALL]--------(PC-B)
                            DYNAMIC IP                                                              STATIC IP

Topology 2:

In this topology, the SRX is behind a NAT device, so it reaches the remote firewall from a translated address and presents its local IKE-ID, juniper.net, to form the VPN tunnel.


                        IKE-ID=juniper.net                                                                                                  1.1.1.1
(PC-A) --------[SRX]------------------[NAT]--------------------------------------ISP-------------------------[FIREWALL]--------(PC-B)
                                                                 DYNAMIC IP                                                              STATIC IP

The objective is to establish a site-to-site IPsec VPN between the SRX device and the remote firewall, where the SRX has a dynamic IP address.

Cause:

Solution:

Because one of the peers in the VPN setup (in our case, the SRX device) uses a dynamic IP address, we use aggressive mode. Main mode is used when both sites have a static IP address. Since the SRX device has a dynamic IP address rather than a static one, its IKE identity in the IKE gateway configuration is an FQDN (fully qualified domain name) rather than an IP address.

Configure the IKE identity as follows (the gateway name must be given; ike-gateway1 is used in the sample below):

#set security ike gateway <gateway-name> local-identity hostname <fully-qualified-domain-name>

A sample configuration of IKE Phase 1 would be as follows:


[edit security ike]
root@SRX2-100-1# show | no-more
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$6EMoCpOhSeX7V1R7VwYZG69Ap1RcylMLx"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    address 1.1.1.1;
    local-identity hostname juniper.net;
    external-interface ge-0/0/0.0;
}

The remote end firewall must be set with the IKE-ID as juniper.net to refer to the SRX device.
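As an added example (not part of this KB article or of Junos itself), the following Python snippet parses the [edit security ike] show output above and checks the two requirements the article states for a dynamic-IP SRX: an FQDN local-identity on the gateway and an aggressive-mode policy. The WEAK table and the PLACEHOLDER key are assumptions of the example; it goes beyond the article by also flagging the sample's 3des-cbc, sha1 and group2 as weak Phase 1 choices.

```python
import re
# Constructed sample of the article's "show" output; the $9$ key is replaced by a placeholder.
SAMPLE = """proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "PLACEHOLDER"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    address 1.1.1.1;
    local-identity hostname juniper.net;
    external-interface ge-0/0/0.0;
}"""
# Assumption of this example: Phase 1 algorithms that are weak by current standards.
WEAK = {"encryption-algorithm": {"des-cbc", "3des-cbc"},
        "authentication-algorithm": {"md5", "sha1"},
        "dh-group": {"group1", "group2", "group5"}}

def parse_ike(text):
    """Parse 'kind name { key value; ... }' blocks into {kind: {name: {key: value}}}."""
    tree, block = {}, None
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop "## SECRET-DATA" annotations
        if m := re.match(r"^(proposal|policy|gateway)\s+(\S+)\s*\{$", line):
            block = tree.setdefault(m.group(1), {}).setdefault(m.group(2), {})
        elif line == "}":
            block = None
        elif block is not None and line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            block[key] = value.strip()
    return tree

def check_dynamic_peer(tree, gateway_name):
    """Findings for a gateway on a dynamic-IP SRX: FQDN identity and aggressive mode are required."""
    gw = tree.get("gateway", {}).get(gateway_name, {})
    pol = tree.get("policy", {}).get(gw.get("ike-policy", ""), {})
    prop = tree.get("proposal", {}).get(pol.get("proposals", ""), {})
    findings = [f"weak {k} {prop[k]}" for k, bad in WEAK.items() if prop.get(k) in bad]
    if not gw.get("local-identity", "").startswith("hostname "):
        findings.append("gateway lacks 'local-identity hostname <FQDN>'")
    if pol.get("mode") != "aggressive":
        findings.append("ike-policy mode must be aggressive for a dynamic-IP peer")
    return findings
```

Running check_dynamic_peer(parse_ike(SAMPLE), "ike-gateway1") reports only the three weak-algorithm findings, since the sample already meets both of the article's requirements.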

The rest of the VPN configuration is the same as configuring Phase 2 of an IPsec VPN. To configure it, follow these links:

For a route-based VPN: http://kb.juniper.net/InfoCenter/index?page=content&id=TN108&actp=LIST


For a policy-based VPN: http://kb.juniper.net/InfoCenter/index?page=content&id=TN107&actp=LIST

Related Links: