fir3net

Juniper SRX - Site to Site VPN using a Dynamic IP address

Within this article we will look at the commands required for configuring a Site to Site VPN when one peer is using a dynamic IP address.

Note : This article does not include the VPN configuration in its entirety, only the additional/amended commands required for this scenario.

There are 3 configuration settings to define. These are :

  • Aggressive Mode - Because an IKE Identity is defined for the dynamic side, the SRX mandates the use of Aggressive mode.
  • IKE Identity - Because the dynamic peer does not have a fixed IP to send as its IKE Identity, an FQDN IKE identity is defined instead.
  • Establish Tunnels Immediately - Because only the dynamic side can initiate the tunnel, it is configured to bring the tunnel up immediately. This ensures that the peer with the static IP is always able to pass traffic over the tunnel.

Dynamic Peer Gateway

Below are the 4 main configuration settings required on the SRX device that uses a dynamic IP address.

Note : The peer IP 88.88.88.88 is the IP address of the remote (static) peer.

root@srx100> show configuration security ipsec vpn VPN-EXAMPLE
ike {
    gateway IKE-PEER-STATIC;
    ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;

root@srx100> show configuration security ike policy IKE-POLICY
mode aggressive;
proposals [ IKE-DH2-AES256-SHA1 IKE-DH2-AES256-SHA1-1 ];
pre-shared-key ascii-text "####"; ## SECRET-DATA

root@srx100> show configuration security ike gateway IKE-PEER-STATIC
ike-policy IKE-POLICY;
address 88.88.88.88;
dead-peer-detection {
    interval 15;
    threshold 3;
}
local-identity hostname fir3net.com;
external-interface pp0.0;

Static IP Gateway

Below are the 3 main configuration settings required on the SRX device that uses a static IP address.

root@srx100> show configuration security ipsec vpn VPN-EXAMPLE
ike {
    gateway IKE-PEER-DYNAMIC;
    ipsec-policy IPSEC-POLICY;
}
establish-tunnels immediately;

root@srx100> show configuration security ike policy IKE-POLICY
mode aggressive;
proposals [ IKE-DH2-AES256-SHA1 IKE-DH2-AES256-SHA1-1 ];
pre-shared-key ascii-text "####"; ## SECRET-DATA

root@srx100> show configuration security ike gateway IKE-PEER-DYNAMIC
ike-policy IKE-POLICY;
dynamic hostname fir3net.com;
dead-peer-detection {
    interval 15;
    threshold 3;
}
external-interface pp0.0;
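To make the three constraints above checkable rather than just remembered, here is an added example (not fir3net's or Juniper's code) that models each peer's settings, renders them as Junos set commands, and cross-checks the dynamic and static sides against each other: both must use aggressive mode, the hostname the dynamic side sends as its local-identity must be the one the static side lists under dynamic hostname, only the dynamic side pins a peer address, and the dynamic side must establish tunnels immediately. The VPN, policy, gateway, proposal, interface and hostname values are the ones shown above; the pre-shared key is a placeholder, and the proposal-overlap check is an assumption added here.

```python
# Added example: render and cross-check the two SRX peers from the article.
# Not fir3net's or Juniper's code. All names are the article's; the PSK is a placeholder.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IkePeer:
    role: str                      # "dynamic" or "static"
    vpn: str                       # security ipsec vpn name
    gateway: str                   # security ike gateway name
    policy: str                    # security ike policy name
    ipsec_policy: str
    proposals: List[str]
    external_interface: str
    mode: str = "aggressive"
    establish_immediately: bool = True
    peer_address: Optional[str] = None     # fixed IP of the static peer (dynamic side only)
    local_hostname: Optional[str] = None   # local-identity hostname sent by the dynamic side
    remote_hostname: Optional[str] = None  # "dynamic hostname" the static side expects
    dpd_interval: int = 15
    dpd_threshold: int = 3
    psk_placeholder: str = "####"          # placeholder, never a real key


def render_set_commands(p: IkePeer) -> List[str]:
    """Flatten one peer's settings into Junos set commands (same order as the article)."""
    vpn = f"set security ipsec vpn {p.vpn}"
    pol = f"set security ike policy {p.policy}"
    gw = f"set security ike gateway {p.gateway}"
    cmds = [f"{vpn} ike gateway {p.gateway}", f"{vpn} ike ipsec-policy {p.ipsec_policy}"]
    if p.establish_immediately:
        cmds.append(f"{vpn} establish-tunnels immediately")
    cmds += [
        f"{pol} mode {p.mode}",
        f"{pol} proposals [ {' '.join(p.proposals)} ]",
        f'{pol} pre-shared-key ascii-text "{p.psk_placeholder}"',
        f"{gw} ike-policy {p.policy}",
    ]
    if p.peer_address:
        cmds.append(f"{gw} address {p.peer_address}")
    if p.remote_hostname:
        cmds.append(f"{gw} dynamic hostname {p.remote_hostname}")
    cmds += [
        f"{gw} dead-peer-detection interval {p.dpd_interval}",
        f"{gw} dead-peer-detection threshold {p.dpd_threshold}",
    ]
    if p.local_hostname:
        cmds.append(f"{gw} local-identity hostname {p.local_hostname}")
    cmds.append(f"{gw} external-interface {p.external_interface}")
    return cmds


def check_pair(dynamic: IkePeer, static: IkePeer) -> List[str]:
    """Return the problems that would stop IKE phase 1 between the two peers."""
    problems = []
    # 1. An FQDN IKE identity with a pre-shared key requires aggressive mode on both ends.
    for p in (dynamic, static):
        if p.mode != "aggressive":
            problems.append(f"{p.role}: mode must be aggressive when an FQDN IKE identity is used")
    # 2. The hostname the dynamic side sends must match what the static side expects.
    if not dynamic.local_hostname:
        problems.append("dynamic: local-identity hostname is missing")
    if not static.remote_hostname:
        problems.append("static: 'dynamic hostname' is missing")
    if dynamic.local_hostname and static.remote_hostname and dynamic.local_hostname != static.remote_hostname:
        problems.append(f"identity mismatch: {dynamic.local_hostname!r} vs {static.remote_hostname!r}")
    # 3. Only the dynamic side knows a fixed peer address, so only it can initiate,
    #    and it must do so immediately for the static side to have a usable tunnel.
    if not dynamic.peer_address:
        problems.append("dynamic: address of the static peer is missing")
    if static.peer_address:
        problems.append("static: must not pin a peer address, the remote IP is not fixed")
    if not dynamic.establish_immediately:
        problems.append("dynamic: establish-tunnels immediately is required")
    # Assumption added here: both sides need at least one IKE proposal in common.
    if not set(dynamic.proposals) & set(static.proposals):
        problems.append("no common IKE proposal")
    return problems


PROPOSALS = ["IKE-DH2-AES256-SHA1", "IKE-DH2-AES256-SHA1-1"]


def article_pair():
    """The two peers exactly as the article configures them."""
    dynamic = IkePeer("dynamic", "VPN-EXAMPLE", "IKE-PEER-STATIC", "IKE-POLICY", "IPSEC-POLICY",
                      PROPOSALS, "pp0.0", peer_address="88.88.88.88", local_hostname="fir3net.com")
    static = IkePeer("static", "VPN-EXAMPLE", "IKE-PEER-DYNAMIC", "IKE-POLICY", "IPSEC-POLICY",
                     PROPOSALS, "pp0.0", remote_hostname="fir3net.com")
    return dynamic, static


if __name__ == "__main__":
    dyn, sta = article_pair()
    for side in (dyn, sta):
        print(f"# {side.role} peer")
        print("\n".join(render_set_commands(side)))
    print("problems:", check_pair(dyn, sta) or "none")
```

Running the script prints both peers' set commands and "problems: none" for the article's values; changing the static side's dynamic hostname, or setting either policy back to main mode, produces a listed problem before anything is committed to a device.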


Tags: VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001