

[SRX] Configure site-to-site IPsec VPN, where the SRX has a dynamic IP address and the remote side firewall has a static IP address

[KB28108]


This article describes how to create a site-to-site IPsec VPN between an SRX device and a remote site, where the SRX has a dynamic IP address and the remote side firewall has a static IP address.


The topology can be either of the following:

Topology 1:

In this topology, the SRX egress interface itself has a dynamic IP address.

(PC-A) --------[SRX]---------------------------------ISP--------------------------[FIREWALL]--------(PC-B)
                            DYNAMIC IP                                                              STATIC IP

Topology 2:

In this topology, the SRX is behind a NAT device, so it is the NAT device that holds the dynamic public IP address; the SRX therefore identifies itself to the remote firewall with its local IKE-ID in order to form the VPN tunnel.

(PC-A) --------[SRX]------------------[NAT]--------------------------------------ISP-------------------------[FIREWALL]--------(PC-B)
                                                                 DYNAMIC IP                                                              STATIC IP

The objective is to establish a site-to-site IPsec VPN between the SRX device and the remote firewall, where the SRX has a dynamic IP address.



Because one of the peers in this VPN (here, the SRX device) uses a dynamic IP address, aggressive mode is used. Main mode is used only when both sites have static IP addresses, since each peer is then identified by its address. As the SRX has a dynamic rather than a static IP address, an FQDN (fully qualified domain name) is used as the IKE identity in the IKE gateway configuration; this identity is what the remote firewall uses to recognize the SRX, whatever address it connects from.

Configure the IKE identity as follows (the gateway name is whatever name you give the IKE gateway, for example ike-gateway1 in the sample below):

#set security ike gateway <gateway-name> local-identity hostname <Fully qualified domain name>

A sample configuration of IKE Phase 1 is as follows (the remote firewall's static IP address and the FQDN are shown as placeholders):

[edit security ike]
root@SRX2-100-1# show | no-more
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike-policy1 {
    mode aggressive;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$6EMoCpOhSeX7V1R7VwYZG69Ap1RcylMLx"; ## SECRET-DATA
}
gateway ike-gateway1 {
    ike-policy ike-policy1;
    address <remote firewall static IP>;
    local-identity hostname <Fully qualified domain name>;
    external-interface ge-0/0/0.0;
}

The remote end firewall must be configured with the same FQDN as the peer IKE-ID, so that it can identify the SRX device by that identity rather than by its (changing) source address.
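As an added example that is not part of KB28108, the same Phase 1 expressed in set syntax for both peers, assuming the remote firewall is also an SRX; the FQDN srx-branch.example.com, the peer address 203.0.113.1, the gateway names and the interface names are assumptions, and the pre-shared key is a placeholder:

```junos
# --- Dynamic-IP SRX (initiator). Assumed values: srx-branch.example.com, 203.0.113.1
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group2
set security ike proposal ike-proposal1 authentication-algorithm sha1
set security ike proposal ike-proposal1 encryption-algorithm 3des-cbc
# group2/sha1/3des-cbc match the article's sample; group14, sha-256 and
# aes-256-cbc are also supported and are the stronger choice on current Junos.
# Aggressive mode is required because this peer's address is not known in advance.
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals ike-proposal1
set security ike policy ike-policy1 pre-shared-key ascii-text "<shared-secret-placeholder>"
set security ike gateway ike-gateway1 ike-policy ike-policy1
# The remote firewall's static address is the only peer address this side can know.
set security ike gateway ike-gateway1 address 203.0.113.1
# The FQDN is sent as the IKE identity in place of the changing IP address.
set security ike gateway ike-gateway1 local-identity hostname srx-branch.example.com
set security ike gateway ike-gateway1 external-interface ge-0/0/0.0

# --- Static-IP SRX (responder). It cannot initiate, because it learns the peer
#     address only when the dynamic side connects; it matches the peer by IKE-ID.
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group2
set security ike proposal ike-proposal1 authentication-algorithm sha1
set security ike proposal ike-proposal1 encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode aggressive
set security ike policy ike-policy1 proposals ike-proposal1
set security ike policy ike-policy1 pre-shared-key ascii-text "<shared-secret-placeholder>"
set security ike gateway ike-gateway-branch ike-policy ike-policy1
# "dynamic hostname" replaces "address": accept a peer presenting this FQDN as IKE-ID.
set security ike gateway ike-gateway-branch dynamic hostname srx-branch.example.com
set security ike gateway ike-gateway-branch external-interface ge-0/0/1.0

# Verification on either side, once the dynamic SRX has brought the tunnel up:
# Phase 1 should show state UP; Phase 2 SAs appear after the ipsec vpn is configured.
run show security ike security-associations
run show security ipsec security-associations
```

If Phase 1 fails on the responder, the first things to compare are the IKE-ID string (it must match the FQDN exactly) and that both sides use aggressive mode with the same proposal.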

The rest of the VPN configuration is the same as configuring Phase 2 of an IPsec VPN. To configure this, follow these links:

For route-based VPN:

For policy-based VPN:

Related Links: