How do I set up a LAN to LAN VPN if the remote site has a dynamic IP address

Article ID: KB6322 KB Last Updated: 18 Dec 2017Version: 5.0
Summary:
This article describes how to set up a LAN to LAN VPN when one of the peers has a dynamic IP address.
Symptoms:
Environment:
  • LAN to LAN VPN configuration
  • One site has a dynamically allocated IP address on the Untrust side
  • One site obtains its Untrust IP address via DHCP
  • NetScreen has a dynamically assigned IP address from a DSL vendor
  • VPN over PPPoE
  • Dynamic VPN tunnel
  • Dynamic IP address
Symptoms & Errors:
  • How do I set up a LAN to LAN VPN if the remote site has a dynamic IP address
Solution:

The minimum requirement for a LAN to LAN VPN is that at least one site has a statically assigned IP address on its Untrust interface.  The Phase 2 configuration and the VPN policies are the same as for any LAN to LAN VPN.  The only difference is in the configuration of the IKE Gateway (Phase 1).

The following procedure is based on ScreenOS 2.6.1, using the WebUI:

Assume the following:

In this example, on the left is a home network behind a NetScreen-5, which gets its Untrust IP from the ISP dynamically. This home user is trying to connect to the corporate site, where a NetScreen-100 protects the corporate LAN. Because the NetScreen-5's IP address changes from time to time, the gateways have to be matched by a local ID / peer ID relationship rather than by IP address: a local ID is specified on the NetScreen-5, and on the NetScreen-100 side the gateway refers to the NetScreen-5 with a peer ID that matches the NetScreen-5's local ID.

Remote Site (Untrust Interface has dynamic IP address):

Create Address Book entries for both local and remote networks to be later used in the policy:

  1. Click Address button
  2. Click New Address
    1. Name: Home
    2. IP Address: 192.168.10.0
    3. Netmask: 255.255.255.0

  3. Click Untrust tab
  4. Click New Address
    1. Name: Corp-Net
    2. IP Address: 192.168.20.0
    3. Netmask: 255.255.255.0

For the IKE Gateway (Phase 1):

  1. Click VPN button
  2. Click New Remote Tunnel Gateway.
    1. Gateway Name: Corporate GW
    2. Remote Gateway: Static IP Address: 172.16.20.1
    3. Click Aggressive mode
    4. Choose a P1 Proposal. For this example, we will use pre-g2-des-md5.
    5. Preshared Key: netscreen
    6. Local ID: ns5.netscreen.com

For IKE Phase 2 Configuration:

  1. Click the AutoKey IKE tab
  2. Click New AutoKey IKE Entry
  3. In the Remote Tunnel Gateway pulldown, select Corporate GW as configured in the IKE Gateway section above. Choose a proposal of nopfs-esp-des-md5.

Create the bi-directional policy:

  1. Click Policy
  2. Click New Policy
    1. Source Address: Home
    2. Destination Address: Corp-Net
    3. Service: Any
    4. Tunnel: Corporate VPN
    5. Click Create Matching Incoming VPN Policy

Corporate Site (Untrust Interface has static IP address):

Create the Address Book Entries for Corporate site and remote Home user's site:

  1. Click Address
  2. Click New Address
    1. Name: Corporate
    2. IP Address: 192.168.20.0
    3. Netmask: 255.255.255.0
    4. Click OK. This is the local LAN address for the Corporate Site. Next, create address book entries for the remote Home site.
  3. Click Untrust tab
  4. Click New Address
    1. Name: Home
    2. IP Address: 192.168.10.0
    3. Netmask: 255.255.255.0
    4. Click OK. This is the LAN address for the remote home user.

For IKE Gateway (Phase 1):

  1. Click VPN button
  2. Click New Remote Tunnel Gateway
    1. Gateway Name: Remote GW
    2. Click Dynamic IP Address.
    3. Peer ID: ns5.netscreen.com
    4. Click Aggressive Mode
    5. P1 Proposal: pre-g2-des-md5
    6. Preshared Key: netscreen

For IKE Phase 2 Configuration:

  1. Click the AutoKey IKE tab
  2. Click New AutoKey IKE Entry
  3. In the Remote Tunnel Gateway pulldown, select Remote GW as defined above. Choose a proposal of nopfs-esp-des-md5.

Create the bi-directional VPN policy:

  1. Click Policy button
  2. Click New Policy
    1. Source Address: Corporate
    2. Destination Address: Home
    3. Service: Any
    4. Tunnel: Remote VPN
    5. Click Create matching incoming VPN policy
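
The two gateway definitions above only interoperate when a handful of values line up across the sites, and a single mismatch shows up as a Phase 1 failure that is hard to read from the WebUI alone. The following Python checker is an added example, not part of the KB article or of ScreenOS: it encodes both sides' settings from this article (the field names are my own labels, not ScreenOS CLI keywords) and reports every mismatch, including the Peer ID / Local ID pairing and the Aggressive mode requirement, which exists because IKEv1 Main mode with a pre-shared key selects the key by the peer's IP address, something a dynamic peer cannot offer.

```python
# Added example, not from the KB article: a consistency check of the two
# gateway definitions described above. Values are the article's; the field
# names are my own labels, not ScreenOS CLI keywords.

REMOTE_SITE = {  # NetScreen-5, dynamic Untrust IP
    "remote_gateway": "172.16.20.1",   # static Untrust IP of the NetScreen-100
    "mode": "aggressive",
    "p1_proposal": "pre-g2-des-md5",
    "preshared_key": "netscreen",
    "local_id": "ns5.netscreen.com",
    "p2_proposal": "nopfs-esp-des-md5",
    "trust_lan": "192.168.10.0/24",      # address book "Home"
    "remote_lan": "192.168.20.0/24",     # address book "Corp-Net"
}

CORPORATE_SITE = {  # NetScreen-100, static Untrust IP
    "untrust_ip": "172.16.20.1",
    "remote_gateway": "dynamic",         # gateway type "Dynamic IP Address"
    "mode": "aggressive",
    "p1_proposal": "pre-g2-des-md5",
    "preshared_key": "netscreen",
    "peer_id": "ns5.netscreen.com",
    "p2_proposal": "nopfs-esp-des-md5",
    "trust_lan": "192.168.20.0/24",      # address book "Corporate"
    "remote_lan": "192.168.10.0/24",     # address book "Home"
}

def check_pair(remote, corp):
    """Return the list of mismatches between the two sides (empty = consistent)."""
    problems = []
    if remote["remote_gateway"] != corp["untrust_ip"]:
        problems.append("remote site does not point at the corporate Untrust IP")
    if corp["remote_gateway"] != "dynamic":
        problems.append("corporate gateway must be of type Dynamic IP Address")
    # The static side can only identify a dynamic peer by its IKE ID, so the
    # Peer ID configured on the NetScreen-100 must equal the NetScreen-5 Local ID.
    if corp["peer_id"] != remote["local_id"]:
        problems.append("Peer ID on corporate side must equal Local ID on remote site")
    # Main mode with a PSK keys off the peer IP, which a dynamic peer lacks.
    if not (remote["mode"] == corp["mode"] == "aggressive"):
        problems.append("both sides must use Aggressive mode")
    for key in ("p1_proposal", "p2_proposal", "preshared_key"):
        if remote[key] != corp[key]:
            problems.append(f"{key} differs between the two sites")
    # Each side's Untrust address book entry must be the other side's Trust LAN.
    if remote["remote_lan"] != corp["trust_lan"] or corp["remote_lan"] != remote["trust_lan"]:
        problems.append("address book entries are not mirrored between the sites")
    return problems
```

Running `check_pair(REMOTE_SITE, CORPORATE_SITE)` on the article's values returns an empty list; change the Peer ID, mode or pre-shared key on one side and the corresponding message is returned.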
Modification History:
2017-12-07: Article reviewed for accuracy. Added summary. Article is correct and complete.