SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Site to site VPN not able to use the second public IP address

    Posted 11-26-2016 09:01

    I have configured the primary public IP address for the Dynamic VPN connection on an SRX220H2 and it is working now. Now I would like to use the second public IP address for a site-to-site VPN connection. No matter whether I use a route-based or policy-based site-to-site VPN, it does not find the second public IP address and stays on the primary public IP address. I hope someone can help check the attached config file and see if anything is missing. I already tried setting the identity ID to use the second public IP address, but it did not make any improvement.

     

    Here is the error, which only found 218.255.187.42 instead of 218.255.187.43

    Attachment(s)

    txt
    configuration.txt   17 KB 1 version


  • 2.  RE: Site to site VPN not able to use the second public IP address

    Posted 11-26-2016 10:23

    You can specify the address

    set security ike gateway gw_BFSQLMW-WarehouseB local-address 218.255.187.43

    But I am not confident that it will work as the IP address 218.255.187.43 is not a "secondary" IP address of your external interface. It is an IP address used for DNAT.

    Anyway, it is worth a try.



  • 3.  RE: Site to site VPN not able to use the second public IP address

    Posted 11-26-2016 17:13

    Thanks. I just tried it. Although the VPN connection still fails, the error now shows the IP connection to 218.255.187.43. In my settings, this IP address has been set for static NAT. If I change it to SNAT, will that make it like a "secondary" IP address of the external interface, or do you have any other suggestion?



  • 4.  RE: Site to site VPN not able to use the second public IP address
    Best Answer

    Posted 11-27-2016 02:52

    I don't really understand why you don't want to use 218.255.187.42 for the VPN.

    The IP 218.255.187.43 is already used for static NAT. You cannot use that IP.

    What you should do is add a secondary IP to your external interface like below:

    The 218.255.187.X IP will be used for the VPN (with the local-address statement inside the IKE gateway definition)

     

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 218.255.187.42/29 {
                        preferred;
                        primary;
                    }
                    address 218.255.187.X/29;
                }
            }
        }
    }

     

     

     

     

     



  • 5.  RE: Site to site VPN not able to use the second public IP address

    Posted 11-27-2016 06:47

    Oh. The IP address 218.255.187.42 is reserved for Dynamic VPN users connecting to the internal 192.168.0.x network, and we would like to use 218.255.187.43 for the two branch site-to-site VPNs to connect to another internal network, 192.168.20.x. Then these two networks will be separated. That is what we would like to do.
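
The constraint from the best answer (an IKE gateway `local-address` must be an address configured on the interface, not one already consumed by static NAT) can be checked before commit. This is an added example, not part of the thread or of Juniper tooling; it assumes the configuration is exported in `set` format, and the sample lines use constructed documentation addresses and hypothetical gateway and rule names.

```python
import ipaddress
import re

# Constructed sample in Junos "set" format (documentation addresses,
# hypothetical names; not the poster's configuration).
SAMPLE = """\
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/29 primary
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/29 preferred
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.4/29
set security nat static rule-set inbound rule r1 match destination-address 203.0.113.3/32
set security ike gateway gw-dnat local-address 203.0.113.3
set security ike gateway gw-secondary local-address 203.0.113.4
set security ike gateway gw-unknown local-address 203.0.113.5
"""

IFACE = re.compile(r"^set interfaces \S+ unit \d+ family inet address (\S+)")
SNAT = re.compile(
    r"^set security nat static rule-set \S+ rule \S+ match destination-address (\S+)")
IKE = re.compile(r"^set security ike gateway (\S+) local-address (\S+)")


def check_local_addresses(config):
    """Return {gateway: verdict} for every IKE gateway that sets local-address."""
    iface_ips, nat_nets, gateways = set(), [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE.match(line):
            # Keep only the host address; the prefix length is irrelevant here.
            iface_ips.add(ipaddress.ip_interface(m.group(1)).ip)
        elif m := SNAT.match(line):
            nat_nets.append(ipaddress.ip_network(m.group(1), strict=False))
        elif m := IKE.match(line):
            gateways[m.group(1)] = ipaddress.ip_address(m.group(2))
    verdicts = {}
    for name, ip in gateways.items():
        if any(ip in net for net in nat_nets):
            verdicts[name] = "conflict: address is a static NAT destination"
        elif ip not in iface_ips:
            verdicts[name] = "missing: address not configured on any interface"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for gw, verdict in check_local_addresses(SAMPLE).items():
        print(f"{gw}: {verdict}")
```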