SRX Services Gateway
Visitor
Tribolet Thomas
Posts: 3
Registered: ‎07-07-2011
0

VPN on different ip than isp

Hello

 

First, I'm sorry for my bad English, I'm French. I'll try my best.

 

 

Here is a little configuration I try to make:

 

I have 2 sites with 2 SRX 210.

 

I want to make a VPN between them, but there is a little particularity.

 

The ISP gives me an IP on each router for their use, and I have 2 sets of IPs for my use on each site, e.g.:

 

Router 1 IP: 190.190.190.190/30  IPv4 for my use: 150.150.150.182/28

 

 

Router 2 IP: 5.5.5.5/30  IPv4 for my use: 140.140.140.32/30

 

For example.

 

So I must use one of the 150.150.... range and one of the 140.140...... range to make my VPN.

 

The question is: how to assign those IPs to a "virtual" interface on my SRX?

 

Thanks

Super Contributor
motd
Posts: 221
Registered: ‎12-16-2008
0

Re: VPN on different ip than isp

You can assign an IP from your own range to the loopback interface (lo0). If you place it in a security-zone, you should be able to terminate a VPN on that address.

This does require a more recent software version (10.2 I believe), but I would recommend 10.4R5 anyway.

Trusted Contributor
dscott
Posts: 122
Registered: ‎03-17-2011
0

Re: VPN on different ip than isp

So do you have the interface IP set to the ISP IP (190.190.190.190/30)?

If so, and you are able to pass traffic like you expect, you could just configure proxy-arp for the IP range your ISP gave you to use.

Just substitute the correct interface and IP for your specific setup.

set security nat proxy-arp interface ge-0/0/0 address 150.150.150.182/28
Dustin

VCP-4/5, JNCIS-SEC, JNCIP-ENT
Visitor
Tribolet Thomas
Posts: 3
Registered: ‎07-07-2011
0

Re: VPN on different ip than isp


motd wrote:

You can assign an IP from your own range to the loopback interface (lo0). If you place it in a security-zone, you should be able to terminate a VPN on that address.

This does require a more recent software version (10.2 I believe), but I would recommend 10.4R5 anyway.


I have tested this configuration, and it did not work. Is lo0 the only interface on which I can assign a "virtual IP"?

 

And I have upgraded my software to 11.1R3.5. Perhaps too new?

 

Sorry for my bad English and thanks for your help.

Visitor
Tribolet Thomas
Posts: 3
Registered: ‎07-07-2011
0

Re: VPN on different ip than isp


dscott wrote:
So do you have the interface IP set to the ISP IP (190.190.190.190/30)?

If so, and you are able to pass traffic like you expect, you could just configure proxy-arp for the IP range your ISP gave you to use.

Just substitute the correct interface and IP for your specific setup.

set security nat proxy-arp interface ge-0/0/0 address 150.150.150.182/28

Yes, I have an interface set by the ISP in 190.190.190.190/30.

 

And I already use set security nat proxy-arp interface ge-0/0/0 for one address to NAT my local network.

 

Can I "proxy-arp" multiple addresses?

 

Sorry for my bad English and thanks for your help.

Super Contributor
motd
Posts: 221
Registered: ‎12-16-2008
0

Re: VPN on different ip than isp

FYI, attached is the config I used when I tried this in my lab, for comparison. Maybe there is something you did differently. As for software version, I would recommend 10.4R5 right now.

 

There is a second way of doing this, one I used a few times before when the lo0 interface was not usable for VPN. Create an interface with the /32 on it and place it in a security zone. To ensure that the interface is always up, place a loopback plug in it, or create it as a sub-interface of an existing vlan-tagged interface. It's not pretty, but it works :)

Trusted Contributor
dscott
Posts: 122
Registered: ‎03-17-2011
0

Re: VPN on different ip than isp

Yes you can have multiple addresses in a proxy-arp statement.

 

dscott# show security nat proxy-arp
interface fe-0/0/7.0 {
    address {
        10.10.1.1/32;
        10.10.1.2/32;
        10.10.1.3/32;
    }
}

 

Dustin

VCP-4/5, JNCIS-SEC, JNCIP-ENT
Recognized Expert
Visitor
Posts: 121
Registered: ‎08-30-2010
0

Re: VPN on different ip than isp


Hi Tribolet,

 

The simplest way I can think of is by defining both IP addresses on the same interface. Then you can define which address you want to use to negotiate with which IP. E.g. you want the internet traffic to route via the 190 IP and VPN via 150. Make 190 primary and preferred.

 

root# show interfaces ge-0/0/0
unit 0 {
    family inet {
        address 190.190.190.190/30 {
            primary;
            preferred;
        }
        address 150.150.150.182/28;
    }
}

 

Now in the configuration for the gateway, you define the local-address that can be used for VPN negotiation:

 

root# show security ike
gateway g1 {
    ike-policy pol1;
    address 140.140.140.32;
    external-interface ge-0/0/0;
    local-address 150.150.150.182;
}


 

Local-address is a hidden command so this won't auto-complete.

 

Regards,

Visitor
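Putting the pieces of this thread together, here is an added set-format example for site 1 (not from any poster or from Juniper): the secondary address on the ISP-facing interface, proxy-arp for the routed block, the zone rule that admits IKE, and a route-based tunnel pinned to the 150 address with local-address. The zone, proposal, policy and st0 names, the algorithm choices and the pre-shared-key placeholder are assumptions; local-address was hidden on the poster's release and is documented in later Junos.

```junos
## Both addresses on the ISP-facing interface; the ISP address stays primary/preferred
set interfaces ge-0/0/0 unit 0 family inet address 190.190.190.190/30 primary
set interfaces ge-0/0/0 unit 0 family inet address 190.190.190.190/30 preferred
set interfaces ge-0/0/0 unit 0 family inet address 150.150.150.182/28

## Answer ARP for the routed block on the same interface (a proxy-arp entry may list several addresses)
set security nat proxy-arp interface ge-0/0/0.0 address 150.150.150.182/28

## IKE packets are dropped unless the zone lists ike as a host-inbound system-service
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

## Phase 1: assumed proposal/policy names; the peer is site 2's 140 address, we answer from the 150 address
set security ike proposal p1 authentication-method pre-shared-keys
set security ike proposal p1 dh-group group14
set security ike proposal p1 authentication-algorithm sha-256
set security ike proposal p1 encryption-algorithm aes-256-cbc
set security ike policy pol1 mode main
set security ike policy pol1 proposals p1
set security ike policy pol1 pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway g1 ike-policy pol1
set security ike gateway g1 address 140.140.140.32
set security ike gateway g1 external-interface ge-0/0/0.0
set security ike gateway g1 local-address 150.150.150.182

## Phase 2 bound to a tunnel interface, so traffic is steered by routes over st0.0
set security ipsec proposal ip1 protocol esp
set security ipsec proposal ip1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ip1 encryption-algorithm aes-256-cbc
set security ipsec policy ipol1 perfect-forward-secrecy keys group14
set security ipsec policy ipol1 proposals ip1
set security ipsec vpn v1 bind-interface st0.0
set security ipsec vpn v1 ike gateway g1
set security ipsec vpn v1 ike ipsec-policy ipol1
set security ipsec vpn v1 establish-tunnels immediately
set interfaces st0 unit 0 family inet
```

Site 2 mirrors this with the 140.140.140.32 and 5.5.5.5 addresses swapped in; after commit, "show security ike security-associations" should list the peer with the 150 address as the local endpoint.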

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.