SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 09:02

    Is it possible for a VPN to be created between 2 SRX firewalls when one site has a dynamic IP?

    I've been able to easily do this in the SSG models, but can't find any documentation that even mentions it for the SRX line.

     



  • 2.  RE: site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 09:11

    Hi,

     

    Yes, it's possible.  I would recommend using the VPN configuration tool.  Check it out...

     

    https://www.juniper.net/customers/support/configtools/vpnconfig.html



  • 3.  RE: site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 09:27

    Thanks. I had a look but that doesn't give the option of one side being dynamic. The option H is set to a single method, and when clicking the ? by it a page comes up that (to me) says it's not supported. Of the methods mentioned, only one has (supported) by it, and that's with both sides being static.

    https://www.juniper.net/customers/support/configtools/help/vgit.html

     



  • 4.  RE: site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 11:20

    I just tried the VPN wizard through the web GUI on the firewall too. I updated to 10.4r6.5, the recommended version...

    Are these things still beta?????? The wizard doesn't even work on the firewall. The ZONE field is required, but there is no text field to type in a zone name or a drop down list to choose a zone. I can't even get past the first page of the wizard because of this.  And the wizard keeps throwing a popup saying my session has expired and I need to log back in, this is 10 seconds after logging in!

     

    Looking forward to the day when these are half as good as the SSG line, maybe then I'll deploy it. We've owned it for almost a year, and it still sits in the lab. Every time I go to configure it I just get frustrated at the lack of functionality and ease of mgmt. So my 6 year old NS5 continues to remain in production doing things the SRX cannot...pathetic. This is the firewall future?

     

    Get on the ball Juniper!



  • 5.  RE: site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 12:18

    Hi,

     

    I can't comment on the WebUI functionality because I've never used it.  I use SSH/CLI and NSM.  The VPN tool on JNET should provide you with the proper CLI to get your VPN working.  Then it's just a matter of pasting it in or typing out the commands.  If you plan to learn JUNOS, I would highly recommend dropping the WebUI and learning the CLI.  Most of my clients who have switched from the WebUI to the CLI haven't turned back.



  • 6.  RE: site-to-site VPN with one side being a dynamic IP
    Best Answer

    Posted 09-28-2011 12:57

    Apologies.  Too much multitasking on my part.  I missed the issue you had with the VPN tool.  Have a look at this post.  If all else fails, let me know and I will pull a working config later tonight.

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/VPN-Site-2-Site-with-Dynamic-IP-peer/m-p/40479//true#U40521?searchid=1317239550051



  • 7.  RE: site-to-site VPN with one side being a dynamic IP

    Posted 09-28-2011 13:34

    Thanks for the link to that thread! I spent some time searching the forums yesterday but didn't come across that thread.

     

    I have mostly switched to the CLI as I got so tired of the web UI. The problem I have is that we have been a Juniper shop for many years using ScreenOS, and simple things like adding a policy can be done by a technician. Moving to the GUI just makes it more difficult to do simple tasks like that. Yes, it's a training thing and I can document it; it's just an added pain that we don't need. I'm sure I'd like JunOS if I hadn't had the pleasure of doing all the same tasks in a simple GUI like in ScreenOS. For me it's a step in the wrong direction in regards to mgmt.