SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Vpn IKE setup

    Posted 02-20-2015 06:46

    I'm trying to set up a VPN route-based connection between two srx devices.  One srx has a static ip and the other has a dynamic ip.  Do I have to use IKE aggressive mode for both srx setups or just the one that connects to the srx with the dynamic ip?



  • 2.  RE: Vpn IKE setup

    Posted 02-20-2015 07:13

    Hi,

     

    You will need to use Aggressive Mode on both sides, otherwise the VPN will not come up. You will get a mismatch on Phase 1.

     

    Have a read here for some help on VPN setup when one end has a Dynamic IP:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28108



  • 3.  RE: Vpn IKE setup

    Posted 02-20-2015 11:37

    I have looked over the link you provided and it says I will need to use a FQDN as an IKE-IDENTITY.  Now my problem is I do not have a FQDN, would I still be able to set up the vpn connection?



  • 4.  RE: Vpn IKE setup

    Posted 02-20-2015 13:48

    You could also set dynamic user-at-hostname

     

    gateway ike-gateway1 {
        ike-policy ike-policy1;
        address 1.1.1.1;
        dynamic user-at-hostname "test@lab.com";
        external-interface ge-0/0/0.0;
    }



  • 5.  RE: Vpn IKE setup

    Posted 02-23-2015 10:54

    Do I have to set dynamic user-at-hostname for both srx's?



  • 6.  RE: Vpn IKE setup
    Best Answer

     
    Posted 02-24-2015 04:49

    Here is a working config.

     

    SRX with Static IP

    set security ike policy ike-policy1 mode aggressive
    set security ike policy ike-policy1 proposal-set standard
    set security ike policy ike-policy1 pre-shared-key ascii-text

    set security ike gateway gw_branch ike-policy ike-policy1
    set security ike gateway gw_branch dynamic hostname BRANCH
    set security ike gateway gw_branch external-interface fe-0/0/7.0

     

    SRX with dynamic IP

    set security ike policy ike-phase1-policy mode aggressive
    set security ike policy ike-phase1-policy proposal-set standard
    set security ike policy ike-phase1-policy pre-shared-key ascii-text 
    set security ike gateway HQ ike-policy ike-phase1-policy
    set security ike gateway HQ address 1.1.1.1
    set security ike gateway HQ local-identity hostname BRANCH
    set security ike gateway HQ external-interface pp0.0

     

    In this config we're using the hostname BRANCH as the IKE ID. 



  • 7.  RE: Vpn IKE setup

    Posted 02-26-2015 06:43

    Can IKEv2 use aggressive mode?  I used the config sample you gave me but the IKE status is down.

     

    This is how I set up my vpn ike:

     

    SRX with static ip


    set security ike policy ike-policy-VPN mode aggressive
    set security ike policy ike-policy-VPN proposal-set standard
    set security ike policy ike-policy-VPN pre-shared-key ascii-text "password"

    set security ike gateway ike-gate-VPN ike-policy ike-policy-VPN
    set security ike gateway ike-gate-VPN dynamic hostname SRXVPN
    set security ike gateway ike-gate-VPN external-interface ge-0/0/0
    set security ike gateway ike-gate-VPN version v2-only

     

    SRX with dynamic ip


    set security ike policy ike-policy-VPN mode aggressive
    set security ike policy ike-policy-VPN proposal-set standard
    set security ike policy ike-policy-VPN pre-shared-key ascii-text "password"

    set security ike gateway ike-gate-VPN ike-policy ike-policy-VPN
    set security ike gateway ike-gate-VPN address 1.1.1.1
    set security ike gateway ike-gate-VPN local-identity hostname SRXVPN
    set security ike gateway ike-gate-VPN external-interface fe-0/0/0
    set security ike gateway ike-gate-VPN version v2-only



  • 8.  RE: Vpn IKE setup

    Posted 02-27-2015 06:15

    I removed the setting that specifies which version of ike to use and it started working.
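
A small consistency check for the two-sided configuration discussed in this thread, as an added example that is not part of any post: it parses the "set security ike" lines for both devices and reports the points the thread turned on, namely aggressive mode on both policies, the same hostname IKE ID on both gateways, and a "version v2-only" statement (the setting removed in the last post). The names parse and check_pair are made up for this example, and the sample input is constructed from the configuration posted on 02-26-2015, trimmed.

```python
import re

# Constructed sample input: both sides as posted on 02-26-2015 (key/interface lines omitted).
STATIC_SIDE = """\
set security ike policy ike-policy-VPN mode aggressive
set security ike gateway ike-gate-VPN ike-policy ike-policy-VPN
set security ike gateway ike-gate-VPN dynamic hostname SRXVPN
set security ike gateway ike-gate-VPN version v2-only
"""
DYNAMIC_SIDE = """\
set security ike policy ike-policy-VPN mode aggressive
set security ike gateway ike-gate-VPN ike-policy ike-policy-VPN
set security ike gateway ike-gate-VPN address 1.1.1.1
set security ike gateway ike-gate-VPN local-identity hostname SRXVPN
set security ike gateway ike-gate-VPN version v2-only
"""

def parse(config):
    """Map 'set security ike policy|gateway NAME ...' lines to nested dicts."""
    out = {"policy": {}, "gateway": {}}
    for line in config.splitlines():
        m = re.match(r"\s*set security ike (policy|gateway) (\S+) (.+)", line, re.I)
        if m:
            kind, name, rest = m.groups()
            key, _, value = rest.strip().rpartition(" ")
            out[kind.lower()].setdefault(name, {})[key] = value.strip('"')
    return out

def check_pair(static_cfg, dynamic_cfg):
    """Return a list of findings for a static-IP / dynamic-IP gateway pair."""
    findings, ids = [], {}
    for side, text in (("static", static_cfg), ("dynamic", dynamic_cfg)):
        cfg = parse(text)
        id_key = "dynamic hostname" if side == "static" else "local-identity hostname"
        for gw, opts in cfg["gateway"].items():
            policy = cfg["policy"].get(opts.get("ike-policy"), {})
            if policy.get("mode") != "aggressive":
                findings.append(f"{side}: {gw} policy is not in aggressive mode")
            if opts.get("version") == "v2-only":
                findings.append(f"{side}: {gw} forces version v2-only")
            ids[side] = opts.get(id_key)
    if ids.get("static") is None or ids.get("static") != ids.get("dynamic"):
        findings.append(f"IKE ID mismatch: {ids.get('static')} vs {ids.get('dynamic')}")
    return findings

if __name__ == "__main__":
    for finding in check_pair(STATIC_SIDE, DYNAMIC_SIDE):
        print(finding)
```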