Hi All,
I'm new to the SRX platform and have a very simple config I want to set up. I have two SRX boxes and need to set up a site-to-site VPN between them. The only catch is that one of the sites has a dynamic IP.
I can get the VPN to come up if I make both sides static and set them both to mode main.
Here is the config when it works:
Remote Site
security {
    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag policy-manager;
            flag ike;
            flag routing-socket;
        }
        policy ike-policy1 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$eEwK87-dsJGi4sdf6/OBKM87b24oJ"; ## SECRET-DATA
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            address 70.x.x.x;
            local-identity user-at-hostname "testvpn@lab.com";
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels on-traffic;
        }
    }
}
Head OFFICE
security {
    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag ike;
        }
        policy ike-policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$o/aUHq.569pFncsdf7NaZUHPQF36"; ## SECRET-DATA
        }
        gateway eric-gw {
            ike-policy ike-policy;
            address 70.x.x.x;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn eric-vpn {
            bind-interface st0.0;
            ike {
                gateway eric-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels on-traffic;
        }
    }
}
Config when I attempt to make a peer dynamic:
Remote Site
security {
    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag policy-manager;
            flag ike;
            flag routing-socket;
        }
        policy ike-policy1 {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$eEwK87-dsJGi4sdf6/OBKM87b24oJ"; ## SECRET-DATA
        }
        gateway ike-gate {
            ike-policy ike-policy1;
            address 70.x.x.x;
            local-identity user-at-hostname "testvpn@lab.com";
            external-interface fe-0/0/0.0;
        }
    }
    ipsec {
        policy vpn-policy1 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn ike-vpn {
            bind-interface st0.0;
            ike {
                gateway ike-gate;
                ipsec-policy vpn-policy1;
            }
            establish-tunnels on-traffic;
        }
    }
}
Head OFFICE
security {
    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag ike;
        }
        policy ike-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$o/aUHq.569pFncsdf7NaZUHPQF36"; ## SECRET-DATA
        }
        gateway eric-gw {
            ike-policy ike-policy;
            dynamic user-at-hostname "testvpn@lab.com";
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn eric-vpn {
            bind-interface st0.0;
            ike {
                gateway eric-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels on-traffic;
        }
    }
}
As you can see, the only thing I change is to set the modes to Aggressive and change the address to be dynamic user-at-hostname.
This config does not work. On the remote site I see very little to nothing in the VPN log. On the head office end the VPN log is constantly spitting out logs. This is strange to me, as you would expect the remote end to be the one with all the VPN activity, since it needs to establish the connection first.
Any thoughts?
Thanks
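Added example (not part of the original post, and not Juniper code): a small Python script that parses two Junos-style config snippets and checks the settings that have to agree between a static-address SRX and a dynamic-address peer in an IKEv1 pre-shared-key setup: the `dynamic` identity on the static side must equal the `local-identity` the dynamic side sends, both IKE policies must be in aggressive mode when a pre-shared key is used, the IPsec policies must agree on perfect-forward-secrecy, and only the dynamic side can ever initiate, so `establish-tunnels on-traffic` there means nothing happens until traffic is routed into st0.0. The two sample configs are constructed from the ones in the post with a placeholder PSK hash and a documentation address (192.0.2.1); `parse_junos`, `block`, `stmt`, `check_pair` and `check_sample` are names chosen for this example.

```python
import re

# Constructed samples modelled on the post's configs; the PSK hash and the
# 192.0.2.1 address are placeholders, not values from the post.
REMOTE_CFG = """
security { ike {
  policy ike-policy1 { mode aggressive; proposal-set standard;
    pre-shared-key ascii-text "$9$PLACEHOLDER"; ## SECRET-DATA
  }
  gateway ike-gate { ike-policy ike-policy1; address 192.0.2.1;
    local-identity user-at-hostname "testvpn@lab.com"; external-interface fe-0/0/0.0; }
} ipsec {
  policy vpn-policy1 { perfect-forward-secrecy { keys group2; } proposal-set standard; }
  vpn ike-vpn { bind-interface st0.0; ike { gateway ike-gate; ipsec-policy vpn-policy1; }
    establish-tunnels on-traffic; }
} }
"""
HEAD_CFG = """
security { ike {
  policy ike-policy { mode aggressive; proposal-set standard; pre-shared-key ascii-text "$9$PLACEHOLDER"; }
  gateway eric-gw { ike-policy ike-policy; dynamic user-at-hostname "testvpn@lab.com";
    external-interface ge-0/0/0.0; }
} ipsec {
  policy ipsec-policy { proposal-set standard; }
  vpn eric-vpn { bind-interface st0.0; ike { gateway eric-gw; ipsec-policy ipsec-policy; }
    establish-tunnels on-traffic; }
} }
"""
EMPTY = {"_stmts": []}  # stand-in for a block that is absent from the config

def parse_junos(text):
    """Brace-style Junos config -> nested dicts (sub-blocks keyed by their header,
    leaf statements in '_stmts').  Assumes no '{', '}' or ';' inside quoted values."""
    text = re.sub(r"##[^\n]*", "", text)  # drop ## comments such as ## SECRET-DATA
    root = {"_stmts": []}
    stack = [root]
    for m in re.finditer(r"\s*([^{};]*?)\s*([{};])", text):
        body, delim = m.group(1), m.group(2)
        if delim == "{":
            stack[-1][body] = child = {"_stmts": []}
            stack.append(child)
        elif delim == ";":
            stack[-1]["_stmts"].append(body)
        else:
            stack.pop()
    return root

def block(tree, *path):
    """Descend by header: exact name, or prefix for named blocks ('gateway' -> 'gateway eric-gw')."""
    for name in path:
        tree = next((v for k, v in tree.items()
                     if k != "_stmts" and (k == name or k.startswith(name + " "))), None)
        if tree is None:
            return None
    return tree

def stmt(blk, keyword):
    """Argument text of the leaf statement that starts with keyword, or None if absent."""
    for s in blk["_stmts"]:
        parts = s.split(None, 1)
        if parts and parts[0] == keyword:
            return parts[1] if len(parts) > 1 else ""
    return None

def check_pair(static_cfg, dynamic_cfg):
    """Findings for a static-address SRX paired with a dynamic-address SRX."""
    findings = []
    s_gw = block(static_cfg, "security", "ike", "gateway") or EMPTY
    d_gw = block(dynamic_cfg, "security", "ike", "gateway") or EMPTY
    # Identity: the static side selects the peer by the ID the dynamic side sends.
    s_id, d_id = stmt(s_gw, "dynamic"), stmt(d_gw, "local-identity")
    if s_id is None or d_id is None:
        findings.append("static side needs 'dynamic <id>', dynamic side needs 'local-identity <id>'")
    elif s_id != d_id:
        findings.append(f"identity mismatch: static expects {s_id}, dynamic sends {d_id}")
    # Phase 1: a PSK with a non-address identity needs IKEv1 aggressive mode on both sides.
    for side, cfg, gw in (("static", static_cfg, s_gw), ("dynamic", dynamic_cfg, d_gw)):
        pol = block(cfg, "security", "ike", "policy " + (stmt(gw, "ike-policy") or "")) or EMPTY
        if stmt(pol, "pre-shared-key") is not None and stmt(pol, "mode") != "aggressive":
            findings.append(f"{side} side IKE policy uses a PSK with mode {stmt(pol, 'mode')!r}")
    # Phase 2: PFS must be configured identically on both sides (or on neither).
    pfs = {}
    for side, cfg in (("static", static_cfg), ("dynamic", dynamic_cfg)):
        vpn_ike = block(cfg, "security", "ipsec", "vpn", "ike") or EMPTY
        ipol = block(cfg, "security", "ipsec", "policy " + (stmt(vpn_ike, "ipsec-policy") or "")) or EMPTY
        pfs[side] = stmt(block(ipol, "perfect-forward-secrecy") or EMPTY, "keys")
    if pfs["static"] != pfs["dynamic"]:
        findings.append(f"PFS mismatch: static={pfs['static']}, dynamic={pfs['dynamic']}")
    # Only the dynamic side can initiate; on-traffic means it waits for traffic routed to st0.
    vpn = block(dynamic_cfg, "security", "ipsec", "vpn") or EMPTY
    if stmt(vpn, "establish-tunnels") == "on-traffic":
        findings.append("note: dynamic side initiates only on traffic (establish-tunnels on-traffic)")
    return findings

def check_sample():
    """Run the checks on the constructed pair above (head office = static side)."""
    return check_pair(parse_junos(HEAD_CFG), parse_junos(REMOTE_CFG))

if __name__ == "__main__":
    print("\n".join(check_sample()))
```

Run as a script, it reports two things for the constructed pair: a PFS mismatch (the remote site's IPsec policy has `perfect-forward-secrecy keys group2`, the head office policy has none, which would stop Phase 2 even after Phase 1 succeeds) and the note that a dynamic side configured with `establish-tunnels on-traffic` will not start IKE until something is routed into st0.0. The parser is deliberately minimal: it treats `{`, `}` and `;` as the only delimiters, which is enough for the `show configuration` brace format as long as no quoted value contains one of them.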