SRX

Site-to-Site Tunnel Dynamic Peer

  • 1.  Site-to-Site Tunnel Dynamic Peer

    Posted 01-21-2010 08:58

    Hi All,

    I'm new to the SRX platform and have a very simple config I want to set up. I have two SRX boxes and need to set up a site-to-site VPN between them. The only catch is that one of the sites has a dynamic IP.

    I can get the VPN to come up if I make both sides static and set them both to mode MAIN.

    Here is the config when it works:

    Remote Site

    security {
        ike {
            traceoptions {
                file VPNtrace size 1m;
                flag policy-manager;
                flag ike;
                flag routing-socket;
            }
            policy ike-policy1 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "$9$eEwK87-dsJGi4sdf6/OBKM87b24oJ"; ## SECRET-DATA
            }
            gateway ike-gate {
                ike-policy ike-policy1;
                address 70.x.x.x;
                local-identity user-at-hostname "testvpn@lab.com";
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            policy vpn-policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn ike-vpn {
                bind-interface st0.0;
                ike {
                    gateway ike-gate;
                    ipsec-policy vpn-policy1;
                }
                establish-tunnels on-traffic;
            }
        }
    }

    Head Office

    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag ike;
        }
        policy ike-policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$o/aUHq.569pFncsdf7NaZUHPQF36"; ## SECRET-DATA
        }
        gateway eric-gw {
            ike-policy ike-policy;
            address 70.x.x.x;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn eric-vpn {
            bind-interface st0.0;
            ike {
                gateway eric-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels on-traffic;
        }
    }

    Config when I attempt to make a peer dynamic:

    Remote Site

    security {
        ike {
            traceoptions {
                file VPNtrace size 1m;
                flag policy-manager;
                flag ike;
                flag routing-socket;
            }
            policy ike-policy1 {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$eEwK87-dsJGi4sdf6/OBKM87b24oJ"; ## SECRET-DATA
            }
            gateway ike-gate {
                ike-policy ike-policy1;
                address 70.x.x.x;
                local-identity user-at-hostname "testvpn@lab.com";
                external-interface fe-0/0/0.0;
            }
        }
        ipsec {
            policy vpn-policy1 {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn ike-vpn {
                bind-interface st0.0;
                ike {
                    gateway ike-gate;
                    ipsec-policy vpn-policy1;
                }
                establish-tunnels on-traffic;
            }
        }
    }

    Head Office

    ike {
        traceoptions {
            file VPNtrace size 1m;
            flag ike;
        }
        policy ike-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "$9$o/aUHq.569pFncsdf7NaZUHPQF36"; ## SECRET-DATA
        }
        gateway eric-gw {
            ike-policy ike-policy;
            dynamic user-at-hostname "testvpn@lab.com";
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn eric-vpn {
            bind-interface st0.0;
            ike {
                gateway eric-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels on-traffic;
        }
    }

    As you can see, the only thing I changed is setting the modes to Aggressive and changing the address to be dynamic user-at-hostname.

    This config does not work. On the Remote Site I see very little to nothing in the VPN log. On the Head Office end the VPN log is constantly spitting out logs. This is strange to me, as you would expect the remote end to be the one with all the VPN activity since it needs to establish the connection first.

    Any thoughts?

    Thanks



  • 2.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 01-21-2010 09:32

    Seems odd to have your head establish the tunnel on traffic in an aggressive-mode tunnel -- where does it connect to? I'd remove that and check again.

    Can also try to have the remote establish immediately to avoid the wait for traffic while testing.

    I would also read through the route-based IPsec application note for the troubleshooting options. For route- or policy-based VPN routing, this has been good for me:

    http://kb.juniper.net/index?page=content&id=KB15745&pmv=print



  • 3.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 01-21-2010 10:00

    I tried doing the establish immediately and that did not seem to change anything. I also followed the Juniper guides to get the first main-mode tunnel up and going. The issue is there are no instructions on how to do a Static to Dynamic config. Even if you use the Site to Site Configuration Utility Beta, it says that Static to Dynamic is not supported. Does this mean the tool does not support it, or that the SRX does not support this yet?

     

    Thanks,



  • 4.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 01-21-2010 10:31

    I think it is Juniper terminology -- dynamic VPN, from the docs, is SSL VPN. You have a static VPN, aggressive mode. The tool doesn't do aggressive-mode tunnels though. Seems that Juniper itself plays fast and loose with 'dynamic' VPN in the docs and on the web site as well. Semantics, I suppose.

    It should be as you've configured it -- just change the mode and use an authentication mechanism for the local and remote peers. Thinking about it, that might be the problem. IPsec tunnels in aggressive mode can be problematic when dealing with the local and remote identity. I'd check those again and trace for the security associations in phase 2. Or turn on all traceoptions...



  • 5.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 01-21-2010 13:46

    While dealing with some VPNs of my own, I think I spotted where your problem is:

    Set your head office gate as a normal setup -- no dynamic statement. That is for those many-to-one VPN connections, and you want a one-to-one setup.

    Just treat it like a standard point-to-point VPN, but use aggressive mode and make sure your local ID is there. That should do it.



  • 6.  RE: Site-to-Site Tunnel Dynamic Peer
    Best Answer

    Posted 01-23-2010 08:30

    Hi,

    Thanks for all your help and suggestions, but I ended up finding the issue. The configuration was correct. When I created a regular main-mode VPN, the system seems to retain that VPN connection in memory (despite several hours of standby). After rebooting the remote SRX, the VPN came up in Aggressive mode.

    Another problem solved by reboot!

    Thanks,

    Magraw



  • 7.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 10-04-2010 05:18

    Magraw, how did you configure the public interface fe-0/0/0 on the remote side, since it was supposed to get a dynamic IP?



  • 8.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 04-03-2011 00:29
    Thanks for the above information. I have 2 sites where each SRX210 is only connected via a dynamic address, as that's all the local 3G carrier can provide. Is there a way for the IKE sessions to maintain the connection once the IP address lease is renewed? Thanks, Steve W.


  • 9.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 09-23-2013 07:11

    Hi.

    I have made a lab like this. When I change the user-at-hostname on both SRXs, I don't have any way to build up the VPN again except rebooting the two SRXs. Do you meet this problem?



  • 10.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 11-17-2013 22:05

    How about a static Juniper to a dynamic IP on Cisco devices?



  • 11.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 07-15-2014 20:09

    A question: I can see the need for the ike policy on the remote site being aggressive mode. But can the policy on the head office end be main mode?



  • 12.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 07-15-2014 20:38

    Hi jmcgrady,

    For a site-to-site tunnel, if one end is dynamic, then you have to configure Aggressive Mode.

    Because the dynamic end can have the static peer IP address (main site), but the main site does not have the static IP of the dynamic peer.

    If it is static, then always Main Mode. If any one end is dynamic, then always Aggressive.

    Regards
    rparthi

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
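    A small pre-commit consistency check for the static-to-dynamic pairing discussed in posts 5 and 12 above. This is an added example, not code from the thread or from Juniper: it flattens the two `security ike` sections with a minimal brace parser and flags the things the thread turns on (a main/aggressive mismatch, a fixed `address` on the static side, or a `dynamic` identity on the head office that does not match the remote's `local-identity`). The sample configs, names and addresses are constructed.

```python
def parse_junos(text):
    """Flatten a Junos brace config into (block_path, statement) pairs."""
    out, path = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop ## comments / SECRET-DATA markers
        if line == "}":
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line:
            out.append((tuple(path), line.rstrip(";")))
    return out

def value(stmts, block_prefix, keyword):
    """Value of the first `keyword` statement in a block whose header starts with block_prefix."""
    for path, stmt in stmts:
        words = stmt.split(None, 1)
        if words[0] == keyword and any(p.startswith(block_prefix) for p in path):
            return words[1].replace('"', "") if len(words) > 1 else ""
    return None

def check_dynamic_peer(hub_text, spoke_text):
    """Findings for a static-IP hub paired with a dynamic-IP spoke ([] means consistent)."""
    hub, spoke, findings = parse_junos(hub_text), parse_junos(spoke_text), []
    for name, cfg in (("hub", hub), ("spoke", spoke)):
        mode = value(cfg, "policy ", "mode")  # the thread's 'aggresive' typo fails this too
        if mode != "aggressive":
            findings.append(f"{name}: IKE mode {mode!r}; both ends need 'aggressive'")
    if value(hub, "gateway ", "address") is not None:
        findings.append("hub: gateway pins an 'address' for a peer whose IP changes; use 'dynamic'")
    if value(spoke, "gateway ", "address") is None:
        findings.append("spoke: gateway needs the hub's static 'address'")
    hub_id, spoke_id = value(hub, "gateway ", "dynamic"), value(spoke, "gateway ", "local-identity")
    if hub_id is None or hub_id != spoke_id:
        findings.append(f"identity mismatch: hub expects {hub_id!r}, spoke sends {spoke_id!r}")
    return findings

HUB = """policy hub-pol {
    mode aggressive;
}
gateway hub-gw {
    dynamic user-at-hostname "spoke@example.invalid";
}"""  # constructed: 'show configuration security ike' on the static-IP head office
SPOKE = """policy spoke-pol {
    mode aggressive;
}
gateway spoke-gw {
    address 192.0.2.1;
    local-identity user-at-hostname "spoke@example.invalid";
}"""  # constructed: same on the dynamic-IP remote site (hypothetical names/addresses)
```

    Run check_dynamic_peer(HUB, SPOKE) on the two sides' output before committing; an empty list means the pair is consistent, and each finding names the side and statement to correct.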



  • 13.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 08-11-2014 22:24

    Hi rparthi,

    I'm a little confused with your comment. So if I have a static IP on one end and a dynamic IP on the other end, then I should do Main mode on one end and Aggressive mode on the other end, correct? I am a little confused..

    Can someone please shed some light on me?

    Thank you!


  • 14.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 08-11-2014 22:29

    Hello Gomez

    You need to configure aggressive mode on both peer ends.

    Regards,

    Raveen



  • 15.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 08-12-2014 12:22

    Hi Raveen,

    Thanks for the clarification! Kudos!

    I do have another question now: so what do I enter in the "gateway Address" if the IP address is dynamic?


  • 16.  RE: Site-to-Site Tunnel Dynamic Peer

    Posted 12-08-2013 19:22

    Good Day,

    I think you used a route-based VPN for this scenario; is this necessary to use? Or is the best thing to do here to have a policy-based site-to-site VPN?

    Thanks

    Brian