SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX100H2 <-> SRX100H2 Dynamic VPN - Configuration Order

    Posted 03-12-2016 09:57

    Site-to-Site VPN between a pair of SRXs where on one side the IP is dynamically assigned by the ISP, but it changes from time to time. So of course this means dynamic VPN using aggressive mode.

     

    I'm seeing some strange results where, depending on the order of configuration, the VPN either succeeds or fails ...

     

    Can anyone share their experience in terms of 'order of configuration'? I mean which side to configure first, things like that.

     

    Thank you



  • 2.  RE: SRX100H2 <-> SRX100H2 Dynamic VPN - Configuration Order
    Best Answer

    Posted 03-13-2016 05:05

    Hello,

    Speaking from experience:

    1/ the SRX behind NAT _MUST_ have "establish-tunnels immediately" configured.

    2/ the SRX with public IP should NOT have "establish-tunnels immediately" configured, because

    2a/ it makes no sense to poke udp/500 on remote end behind NAT, on SRX port 500 won't be translated into by default

    2b/ "establish-tunnels immediately" seems to be broken with JUNOS 12.1X47-D15 - I got no tunnels up when both ends have "establish-tunnels immediately" and one end with public IP has JUNOS 12.1X47-D15. 

    Once I got it configured as above, IPSec VPN works fine.

    HTH

    Thx

    Alex
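
Added example, not part of the thread and not from any poster: a small audit of Junos `set`-format configuration that applies the rule from the answer above to each side of the VPN. It assumes the SRX with the public IP defines its IKE gateway with `dynamic` and the SRX with the changing IP defines it with `address`; all gateway, VPN and host names and addresses are constructed.

```python
# Constructed sample configs in Junos "set" format (names/addresses are made up).
# Both are deliberately wrong with respect to the rule in the answer above.
HUB_PUBLIC_IP = """\
set security ike policy ike-pol mode aggressive
set security ike gateway gw-branch ike-policy ike-pol
set security ike gateway gw-branch dynamic hostname branch.example.net
set security ike gateway gw-branch external-interface fe-0/0/0.0
set security ipsec vpn vpn-branch bind-interface st0.0
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch establish-tunnels immediately
"""
BRANCH_DYNAMIC_IP = """\
set security ike policy ike-pol mode aggressive
set security ike gateway gw-hub ike-policy ike-pol
set security ike gateway gw-hub address 203.0.113.1
set security ike gateway gw-hub local-identity hostname branch.example.net
set security ike gateway gw-hub external-interface fe-0/0/0.0
set security ipsec vpn vpn-hub bind-interface st0.0
set security ipsec vpn vpn-hub ike gateway gw-hub
"""

def audit(config):
    """Return findings for one device's set-format config (empty list = OK)."""
    peer_kind = {}    # IKE gateway name -> "dynamic" or "address"
    vpn_gateway = {}  # IPsec VPN name -> IKE gateway name
    immediate = set() # VPNs that have "establish-tunnels immediately"
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] == ["set", "security", "ike", "gateway"] and len(tok) > 5:
            if tok[5] in ("dynamic", "address"):
                peer_kind[tok[4]] = tok[5]
        elif tok[:4] == ["set", "security", "ipsec", "vpn"] and len(tok) > 5:
            if tok[5:7] == ["ike", "gateway"] and len(tok) > 7:
                vpn_gateway[tok[4]] = tok[7]
            elif tok[5:7] == ["establish-tunnels", "immediately"]:
                immediate.add(tok[4])
    findings = []
    for vpn, gw in sorted(vpn_gateway.items()):
        kind = peer_kind.get(gw)
        # Assumption: "dynamic" peer => this is the public-IP side (must wait);
        # "address" peer => this is the dynamic-IP side (must initiate).
        if kind == "dynamic" and vpn in immediate:
            findings.append(f"{vpn}: peer is dynamic, remove establish-tunnels immediately")
        elif kind == "address" and vpn not in immediate:
            findings.append(f"{vpn}: this side must initiate, add establish-tunnels immediately")
    return findings
```

The `address` check only makes sense for this dynamic-peer scenario; in a VPN where both ends have static addresses, `establish-tunnels immediately` is optional on either side.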



  • 3.  RE: SRX100H2 <-> SRX100H2 Dynamic VPN - Configuration Order

    Posted 03-13-2016 09:35

    Thank you. It's a plausible explanation and certainly something I will try!!

     

    Kind regards