SRX Services Gateway

Adding 2 public IPs to SRX220h causes the site-site VPN go down

‎08-07-2017 03:31 PM

Hello All,

Here is the scenario. We have site1 with an SRX220h and site2 with SSG5 routers. Both are connected using a policy-based IPsec VPN with preshared keys. We also have static NATs and related policies to map public to private IP addresses.

We currently have a block of 10 IP addresses (say 10.5.1.1-10) from our ISP at site1, and the SRX220h's ge/0.0 (public/untrust interface) is assigned one IP address (10.5.1.1) from the block. We recently bought another block of 10 IP addresses (say 20.5.1.1-10). The ISP has assigned the new block to the same network.

2 scenarios are playing out here:

1. When I add 20.5.1.1 to the SRX220h's ge/0.0 interface, I am able to static NAT the remaining IPs to private IP addresses, BUT THE SITE-SITE VPN between site1 and 2 does not work.

2. If I do not add 20.5.1.1 to ge/0.0, the VPN works fine, but STATIC NAT will not work.

I am looking for a solution where both the site-to-site VPN is up and the static NATs are mapped properly.

Appreciate any replies,

Thanks in advance

ST

2 REPLIES
Solution
Accepted by topic author stalasila
‎08-07-2017 06:22 PM

Re: Adding 2 public IPs to SRX220h causes the site-site VPN go down

‎08-07-2017 03:47 PM

When you do not add the new block, are you configuring proxy ARP for those IPs?

Also, when you add the second address, are you specifying which IP you want as primary?

set interfaces ge-0/0/0.0 family inet address 10.5.1.1/xx primary

set interfaces ge-0/0/0.0 family inet address 20.5.1.1/xx
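
The proxy ARP alternative raised in the first question above, as an added example that is not part of the original reply: the new block is answered with proxy ARP and static NAT, so no second address is added to the interface the VPN already uses. The public addresses are the thread's placeholders; the zone names, rule-set, rule, policy and address-book names and the private host 192.168.1.20 are assumptions, and it assumes the ISP router ARPs for the new block on the same segment, as the question describes.

```junos
# Constructed example. Public addresses are the thread's placeholders;
# every name and the private host 192.168.1.20 are hypothetical.

# Answer ARP on the untrust interface for the new block, without
# assigning any of its addresses to the interface itself.
set security nat proxy-arp interface ge-0/0/0.0 address 20.5.1.1/32 to 20.5.1.10/32

# Static NAT: map one address from the new block to a private host.
set security nat static rule-set untrust-static from zone untrust
set security nat static rule-set untrust-static rule web-1 match destination-address 20.5.1.2/32
set security nat static rule-set untrust-static rule web-1 then static-nat prefix 192.168.1.20/32

# Static NAT is applied before policy lookup, so the policy matches
# the translated (private) address. Permit only the service needed.
set security address-book global address web-1-private 192.168.1.20/32
set security policies from-zone untrust to-zone trust policy allow-web-1 match source-address any
set security policies from-zone untrust to-zone trust policy allow-web-1 match destination-address web-1-private
set security policies from-zone untrust to-zone trust policy allow-web-1 match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web-1 then permit
```

After commit, `show security nat static rule all` shows translation hits for the rule and `show security ike security-associations` confirms the tunnel to site2 is still up.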


Re: Adding 2 public IPs to SRX220h causes the site-site VPN go down

‎08-07-2017 06:22 PM

Thank you very much. Adding "primary" did it :)