Juniper SRX – Site to Site VPN using a Dynamic IP address

Within this article we will look at the commands required for configuring a Site to Site VPN when one peer is using a dynamic IP address.

Note: This article does not include the VPN configuration in its entirety, only the additional/amended commands required for this scenario.

There are 3 configuration settings that are defined. These are:

  • Aggressive Mode – Because an IKE identity (rather than an IP address) is defined for the dynamic side, the SRX mandates the use of Aggressive mode.
  • IKE Identity – As the dynamic peer does not have a fixed IP address to send as its IKE identity, an FQDN IKE identity is defined instead.
  • Establish Tunnels Immediately – As only the dynamic side can initiate the tunnel, it is configured to establish the tunnel immediately. This ensures that the peer with the static IP address is always able to pass traffic over the tunnel.

Dynamic Peer Gateway

Below are the 4 main configuration settings required on the SRX device that uses a dynamic IP address.

Note: 88.88.88.88 is the IP address of the remote (static) peer.

root@srx100> show configuration security ipsec vpn VPN-EXAMPLE
ike {
    gateway IKE-PEER-STATIC;
    ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;

root@srx100> show configuration security ike policy IKE-POLICY
mode aggressive;
proposals [ IKE-DH2-AES256-SHA1 IKE-DH2-AES256-SHA1-1 ];
pre-shared-key ascii-text "####"; ## SECRET-DATA

root@srx100> show configuration security ike gateway IKE-PEER-STATIC
ike-policy IKE-POLICY;
address 88.88.88.88;
dead-peer-detection {
    interval 15;
    threshold 3;
}
local-identity hostname www.fir3net.com;
external-interface pp0.0;

Static IP Gateway

Below are the 3 main configuration settings required on the SRX device that uses a static IP address.

root@srx100> show configuration security ipsec vpn VPN-EXAMPLE
ike {
    gateway IKE-PEER-DYNAMIC;
    ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;

root@srx100> show configuration security ike policy IKE-POLICY
mode aggressive;
proposals [ IKE-DH2-AES256-SHA1 IKE-DH2-AES256-SHA1-1 ];
pre-shared-key ascii-text "####"; ## SECRET-DATA

root@srx100> show configuration security ike gateway IKE-PEER-DYNAMIC
ike-policy IKE-POLICY;
dynamic hostname www.fir3net.com;
dead-peer-detection {
    interval 15;
    threshold 3;
}
external-interface pp0.0;
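As an added check (example code written for this article, not configuration or tooling from the article or from Juniper), the script below parses both peers' IKE/IPsec stanzas in "| display set" form and verifies the three requirements described above: the policy each gateway references exists and uses aggressive mode, the dynamic side has establish-tunnels immediately, and the hostname identity the dynamic peer sends matches the one the static peer expects. The sample stanzas are constructed from the names used above; one of them deliberately references a policy name that was never defined.

```python
# Constructed sample (not taken from the article's devices): both peers' stanzas
# in "| display set" form, trimmed to the lines this check needs. The static side
# references a policy name that was never defined, a typo that stalls IKE.
DYNAMIC_PEER = """
set security ike policy IKE-POLICY mode aggressive
set security ike gateway IKE-PEER-STATIC ike-policy IKE-POLICY
set security ike gateway IKE-PEER-STATIC local-identity hostname www.fir3net.com
set security ipsec vpn VPN-EXAMPLE ike gateway IKE-PEER-STATIC
set security ipsec vpn VPN-EXAMPLE establish-tunnels immediately
"""
STATIC_PEER = """
set security ike policy IKE-POLICY mode aggressive
set security ike gateway IKE-PEER-DYNAMIC ike-policy IKE-POLICY-VPNRICH
set security ike gateway IKE-PEER-DYNAMIC dynamic hostname www.fir3net.com
set security ipsec vpn VPN-EXAMPLE ike gateway IKE-PEER-DYNAMIC
"""

def parse_set(text):
    """Map each 'set a b c value' line to {'a b c': 'value'}."""
    cfg = {}
    for words in (line.split() for line in text.strip().splitlines()):
        if len(words) > 2 and words[0] == "set":
            cfg[" ".join(words[1:-1])] = words[-1]
    return cfg

def check_side(cfg, vpn, side):
    """Findings for one peer ('dynamic' or 'static'); empty list means it passes."""
    gw = cfg.get(f"security ipsec vpn {vpn} ike gateway")
    pol = cfg.get(f"security ike gateway {gw} ike-policy")
    mode = cfg.get(f"security ike policy {pol} mode")
    out = [] if gw else [f"{side}: vpn {vpn} references no IKE gateway"]
    if mode is None:
        out.append(f"{side}: gateway {gw} references undefined ike-policy {pol}")
    elif mode != "aggressive":  # the SRX mandates aggressive mode with an FQDN identity
        out.append(f"{side}: ike-policy {pol} must use aggressive mode")
    # Only the dynamic side can bring the tunnel up, so it must do so unprompted.
    if side == "dynamic" and cfg.get(f"security ipsec vpn {vpn} establish-tunnels") != "immediately":
        out.append(f"{side}: vpn {vpn} needs establish-tunnels immediately")
    return out

def check_pair(dyn_cfg, stat_cfg, vpn):
    """Per-side findings plus the cross-check that both ends agree on the IKE identity."""
    out = check_side(dyn_cfg, vpn, "dynamic") + check_side(stat_cfg, vpn, "static")
    dyn_gw = dyn_cfg.get(f"security ipsec vpn {vpn} ike gateway")
    stat_gw = stat_cfg.get(f"security ipsec vpn {vpn} ike gateway")
    sent = dyn_cfg.get(f"security ike gateway {dyn_gw} local-identity hostname")
    expected = stat_cfg.get(f"security ike gateway {stat_gw} dynamic hostname")
    if sent is None or sent != expected:
        out.append(f"identity mismatch: dynamic peer sends {sent!r}, static peer expects {expected!r}")
    return out
```

Running check_pair(parse_set(DYNAMIC_PEER), parse_set(STATIC_PEER), "VPN-EXAMPLE") reports the undefined policy on the static side; with that name corrected the check returns an empty list.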

Rick Donato
