SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX VPN Site-to-Site Routing Issue?

    Posted 10-18-2015 09:56

    Hello,


    I recently purchased an SRX 240 and an SRX 110. The SRX 240 is located in a data center while the SRX 110 is located at home. I was able to set up a Dynamic to Static VPN between the two and can ping both endpoints from both boxes. What I cannot do is access any address beyond the tunnel endpoint IP address in the data center, 10.22.2.1. Any time I try to traceroute to an IP address that is not directly connected to the SRX 240, the last address traceroute shows is 10.22.2.1 before the timeout *'s. I can reach the addresses directly through the SRX 240 when logged in via SSH using the public IP address, just not from the other endpoint on the SRX 110 or any compute connected to the SRX 110.

    I have the policies all set to permit the traffic and I have fought with this for the past few days to no avail. I have tried putting the public interface in the same permissive policy as well, but right now have the two policies linked. Switching them still does not make a difference. Originally I couldn't even get the two to talk to each other, so being able to reach each endpoint is a feat in its own right, but useless if I cannot reach the other IP addresses on the other end. Am I missing a routing instance or something to get these two to talk? I've looked over similar threads to this one where people try to use their VPN to access the Internet, but no one ever seems to share their solution. Essentially I am trying to do the same thing as well.

    Any insights would be greatly appreciated. I have a feeling I overlooked one small thing, not being familiar with the SRXs and what not.



  • 2.  RE: SRX VPN Site-to-Site Routing Issue?

    Posted 10-18-2015 12:43

    I solved the problem with communicating with the other devices on the network. I added a static route for the tunnel end on the SRX 240 back to the public IP address on port ge-0/0/0 into the next router. (10.22.1.1/32 next-hop [public ip address on SRX 240 ge-0/0/0];) I can now reach all the devices on the network but still cannot access the Internet. Any ideas?


    The IP addresses we are assigning on the SRX 110 and tunnels are private IP space while the IP address on ge-0/0/0 on the SRX 240 is a public address. I have a feeling this is what might be causing the connection issues with the Internet but am not 100% sure. Any insight would be appreciated. Hopefully this answer will help anyone experiencing a similar issue.



  • 3.  RE: SRX VPN Site-to-Site Routing Issue?
    Best Answer

    Posted 10-18-2015 17:06

    For anyone else that may have a problem with creating a site-to-site VPN where one end has a dynamic IP address, the last part of the puzzle is enabling Source NAT on the dynamic side for clients being assigned IP addresses (in my case, another switch is handing out DHCP addresses, not the SRX 110). Once I enabled this and tinkered with it a bit, everything started working just fine.


    Also, if your sites have a decent amount of latency between them, make sure to run "set security flow tcp-mss ipsec-vpn mss 1350" and set the MTU of the st0.0 interface (or your actual tunnel) to 1500 on both devices. Otherwise the speeds are painfully slow, which will result in a timeout.


    Hopefully this is useful to anyone else out there trying to set up a site-to-site VPN where one end is dynamic with another router handing out DHCP addresses.


    Guess these old SRX units still have some use after all!
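
    The three fixes described in this thread (the static route on the SRX 240, source NAT on the dynamic SRX 110 side, and the TCP MSS / st0 MTU tuning) collected as a Junos set-command example. This is an added example, not the poster's actual configuration: the zone names (trust, untrust, vpn), the rule-set and rule names, the LAN prefix 192.168.1.0/24 and the public-IP placeholder are all assumptions made here; only the 10.22.1.1/32 route, the mss 1350 value and the 1500 MTU come from the thread.

```junos
## ---- SRX 240 (data-center side, static public IP) ----
## Assumed example values: <PUBLIC-IP-NEXT-HOP> is a placeholder for the
## next-hop address on ge-0/0/0 mentioned in the thread.
## Route back to the remote tunnel endpoint (post #2's fix).
set routing-options static route 10.22.1.1/32 next-hop <PUBLIC-IP-NEXT-HOP>

## Tunnel interface in its own zone; MTU value is the one the thread used.
set interfaces st0 unit 0 family inet address 10.22.2.1/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn interfaces st0.0

## Clamp TCP MSS for traffic entering the IPsec tunnel (post #3's fix).
set security flow tcp-mss ipsec-vpn mss 1350

## ---- SRX 110 (home side, dynamic public IP) ----
## Same tunnel MTU and MSS clamp on the dynamic end.
set interfaces st0 unit 0 family inet address 10.22.1.1/30
set interfaces st0 unit 0 family inet mtu 1500
set security zones security-zone vpn interfaces st0.0
set security flow tcp-mss ipsec-vpn mss 1350

## Source NAT for the DHCP-assigned clients behind the SRX 110 (post #3's
## last piece). Zone names, rule-set/rule names and the 192.168.1.0/24
## LAN prefix are assumptions for this example.
set security nat source rule-set lan-to-vpn from zone trust to zone vpn
set security nat source rule-set lan-to-vpn rule nat-lan match source-address 192.168.1.0/24
set security nat source rule-set lan-to-vpn rule nat-lan then source-nat interface

## A matching security policy is still required; the thread already had
## a permissive policy in place, so only the direction is shown here.
set security policies from-zone trust to-zone vpn policy lan-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy lan-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy lan-to-vpn match application any
set security policies from-zone trust to-zone vpn policy lan-to-vpn then permit

## Operational checks after commit (run on each box):
##   show security ipsec security-associations   (tunnel is up)
##   show route 10.22.1.1                          (static route is active)
##   show security nat source rule all             (NAT rule hits increment)
##   show security flow session                    (sessions traverse st0.0)
```

    The source NAT is what makes the remote side see the home clients as the tunnel address rather than the DHCP range it has no route back to; the MSS clamp avoids oversized segments being fragmented or dropped inside the tunnel, which is the slow-transfer-then-timeout symptom the thread describes.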