SRX Services Gateway
Contributor
ds1602
Posts: 61
Registered: 12-22-2011

Dynamic Branch to Static Hub?

I keep reading about using DDNS to get an endpoint device that gets assigned a dynamic address to connect with IPsec VPNs. As I look into that I'm not so sure that is the best option. I can see it working well for a few branch offices trying to connect to a single hub. But in a retail environment with 300 - 500 branches/stores, it doesn't seem to me like DynDNS would be best. I've also read an article about using a certificate-assigned device. The point that scares me about that is the cert running out or being updated. A hiccup there could render all branches broken, and devices would have to be replaced.

With that many branches, up to say 500, what would be the best way to make the setup of tunnels easier? Is there a way to allow the branch to be dynamically assigned an IP and still connect securely? Would it be able to work through a NAT being done by the provider device?

       branch_srx210 ---> DSL/Cable modem --->Internet--->Corp_srx550

Currently everything we have set up is static to static. This is getting tougher to do and a pain to manage.

Contributor
ed_gpc
Posts: 193
Registered: 09-21-2010

Re: Dynamic Branch to Static Hub?

I manage a VPN network like that, but with 5500 VPN endpoints.

We use different pre-shared keys and local IDs on each site. Been running smoothly for 10 years now.

Another option is using a group IKE ID on the hub and using RADIUS to authenticate the remote points.

Contributor
junostim
Posts: 25
Registered: 02-03-2011

Re: Dynamic Branch to Static Hub?

You can also use "dynamic user-at-hostname" to identify the spoke sites; this way the spoke WAN IP does not matter.

The Catch-22 with this design is that the tunnels can only be brought up from the spoke side. This can be overcome with a small traffic generator on the spoke sites.

I have over 150 VPNs set up this way. In my setups I have to use aggressive mode, and am always going through a NAT device.

       SPOKE FWall -------------> Cust NAT Device -------------------> Hub Fwall

Sample hub-site IKE gateway config below.

gateway XYZ-Ike-Gateway {
    ike-policy XYZ-Ike-Policy;
    dynamic user-at-hostname "XYZ@FQDN.COM";
    dead-peer-detection {
        interval 60;
        threshold 3;
    }
    external-interface fe-0/0/6.0;
}
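As an added example (not code from any poster in this thread), here is a Python generator for the hub side of the design ed_gpc and junostim describe: one IKE gateway per spoke, each identified by its own dynamic user-at-hostname ID and authenticated with its own pre-shared key, which is what keeps a few hundred stores manageable without per-site static addresses. The site names, the vpn.example.com identity domain and the Std-Ike-Proposal name are assumptions; the external interface and dead-peer-detection values are taken from the sample config above.

```python
"""Generate hub-side Junos [edit security ike] stanzas for many spokes.

Added example for this thread, not Juniper's or any poster's code.
Assumed: the identity domain, the IKE proposal name and the site names.
"""
import re
import secrets
import string
import textwrap

ID_DOMAIN = "vpn.example.com"        # assumed identity domain for spoke IDs
EXTERNAL_IFACE = "fe-0/0/6.0"        # hub Internet-facing interface (from the sample)
DPD_INTERVAL, DPD_THRESHOLD = 60, 3  # dead-peer-detection values (from the sample)
PSK_ALPHABET = string.ascii_letters + string.digits
PSK_LENGTH = 32                      # 32 alphanumerics, roughly 190 bits of entropy
MIN_PSK_LENGTH = 20

_SITE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def make_psk(length: int = PSK_LENGTH) -> str:
    """Mint a fresh random pre-shared key from the OS CSPRNG."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def spoke_ike_id(site: str) -> str:
    """Build the user-at-hostname IKE ID the spoke must present."""
    if not _SITE_RE.match(site):
        raise ValueError(f"invalid site name: {site!r}")
    return f"{site}@{ID_DOMAIN}"


def render_hub_gateway(site: str, psk: str) -> str:
    """Render the hub-side IKE policy and gateway stanzas for one spoke."""
    ike_id = spoke_ike_id(site)
    policy = f"{site}-Ike-Policy"
    gateway = f"{site}-Ike-Gateway"
    return (
        f"policy {policy} {{\n"
        f"    mode aggressive;\n"               # needed behind the provider NAT (per thread)
        f"    proposals Std-Ike-Proposal;\n"    # assumed proposal name
        f'    pre-shared-key ascii-text "{psk}";\n'
        f"}}\n"
        f"gateway {gateway} {{\n"
        f"    ike-policy {policy};\n"
        f'    dynamic user-at-hostname "{ike_id}";\n'
        f"    dead-peer-detection {{\n"
        f"        interval {DPD_INTERVAL};\n"
        f"        threshold {DPD_THRESHOLD};\n"
        f"    }}\n"
        f"    external-interface {EXTERNAL_IFACE};\n"
        f"}}\n"
    )


def check_unique(keys: dict) -> None:
    """Refuse a key set in which a PSK is short or shared between sites:
    a shared key lets one compromised spoke impersonate another."""
    psks = list(keys.values())
    if any(len(p) < MIN_PSK_LENGTH for p in psks):
        raise ValueError("pre-shared key shorter than the minimum")
    if len(set(psks)) != len(psks):
        raise ValueError("pre-shared key reused across sites")


def build_hub_config(sites, psk_for=None):
    """Return (config_text, {site: psk}) for the whole spoke list.

    psk_for lets a key store supply keys; by default a new random key is
    minted per site. Every site name is validated via spoke_ike_id().
    """
    psk_for = psk_for or (lambda site: make_psk())
    keys = {site: psk_for(site) for site in sites}
    check_unique(keys)
    body = "".join(render_hub_gateway(s, keys[s]) for s in sites)
    text = "security {\n    ike {\n" + textwrap.indent(body, " " * 8) + "    }\n}\n"
    return text, keys


if __name__ == "__main__":
    # Constructed sample inventory; a real run would read the store list.
    sample_sites = [f"store{n:04d}" for n in range(1, 4)]
    config, site_keys = build_hub_config(sample_sites)
    print(config)
```

The per-site key matters most in aggressive mode: the IKE identity travels in the clear and the PSK-based authentication exchange can be attacked offline, so the generator uses long random keys and refuses to emit one that is shared between sites, meaning the loss of one store's SRX does not expose the others. The spoke-side configuration (its own local ID and the matching key) is deliberately left out; it is the same pair of values, so a key store keyed by site name is the natural way to keep the two ends in sync.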

Juniper Employee
AVD
Posts: 20
Registered: 03-18-2012

Re: Dynamic Branch to Static Hub?

Aggressive mode would be the best option. Tried and tested over years.

regards,
Avd
JNCIP-SEC

Please mark my solution accepted if you think it helped!
Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.