05-03-2012 07:06 AM

I keep reading about using DDNS to get an endpoint device that gets assigned a dynamic address to connect with IPsec VPNs. As I look into that I'm not so sure that is the best option. I can see it working well for a few branch offices trying to connect to a single hub. But, in a retail environment with 300 - 500 branches/stores, that doesn't seem to me like DynDNS would be best. I've also read an article about using a certificate assigned to the device. The point that scares me about that is the cert running out or being updated. A hiccup there could render all branches broken and devices would have to be replaced.


With that many branches, up to say 500, what would be the best way to make the setup of tunnels easier? Is there a way to allow the branch to be dynamically assigned an IP and still connect securely? Would it be able to work through a NAT being done by the provider's device?


       branch_srx210 ---> DSL/Cable modem --->Internet--->Corp_srx550


Currently everything we have setup is static to static. This is getting tougher to do and a pain to manage.

05-10-2012 09:05 AM

I manage a VPN network like that, but with 5500 VPN endpoints.


We use different pre-shared keys and local IDs on each site. Been running smoothly for 10 years now.


Another option is using a group IKE ID on the hub and using RADIUS to authenticate the remote points.

05-11-2012 09:28 AM

You can also use "dynamic user-at-hostname" to identify the spoke sites; this way the spoke WAN IP does not matter.


The catch-22 with this design is that the tunnels can only be brought up from the spoke side. This can be overcome with a small traffic generator on the spoke sites.


I have over 150 VPNs set up this way. In my setups I have to use aggressive mode, and am always going through a NAT device.

       SPOKE FWall -------------> Cust NAT Device -------------------> Hub Fwall


Sample hub site IKE gateway config below.


gateway XYZ-Ike-Gateway {
    ike-policy XYZ-Ike-Policy;
    dynamic {
        user-at-hostname "XYZ@FQDN.COM";
    }
    dead-peer-detection {
        interval 60;
        threshold 3;
    }
    external-interface fe-0/0/6.0;
}
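
A fuller hub-and-spoke configuration along the lines described in this thread, written here in set-command form as an added example (it is not the poster's own config). The hub identifies the spoke by its user-at-hostname identity in aggressive mode with a per-site pre-shared key, and the spoke brings the tunnel up itself with establish-tunnels immediately rather than relying on a traffic generator. The hub address, interface names, VPN and IPsec policy names, and the key value are placeholders.

```junos
## Hub (Corp_srx550) - added example, placeholder values
set security ike proposal XYZ-Ike-Proposal authentication-method pre-shared-keys
set security ike proposal XYZ-Ike-Proposal dh-group group2
set security ike proposal XYZ-Ike-Proposal authentication-algorithm sha1
set security ike proposal XYZ-Ike-Proposal encryption-algorithm aes-128-cbc
## aggressive mode is what lets a pre-shared key peer be matched by ID rather than by source IP
set security ike policy XYZ-Ike-Policy mode aggressive
set security ike policy XYZ-Ike-Policy proposals XYZ-Ike-Proposal
set security ike policy XYZ-Ike-Policy pre-shared-key ascii-text "PLACEHOLDER-PSK-FOR-THIS-SITE"
## dynamic peer: no address is configured, the spoke is recognised by its user-at-hostname ID
set security ike gateway XYZ-Ike-Gateway ike-policy XYZ-Ike-Policy
set security ike gateway XYZ-Ike-Gateway dynamic user-at-hostname "XYZ@FQDN.COM"
set security ike gateway XYZ-Ike-Gateway dead-peer-detection interval 60
set security ike gateway XYZ-Ike-Gateway dead-peer-detection threshold 3
set security ike gateway XYZ-Ike-Gateway external-interface fe-0/0/6.0
set security ipsec vpn XYZ-VPN bind-interface st0.0
set security ipsec vpn XYZ-VPN ike gateway XYZ-Ike-Gateway
set security ipsec vpn XYZ-VPN ike ipsec-policy XYZ-Ipsec-Policy

## Spoke (branch_srx210) - same proposal and policy as the hub, then:
set security ike gateway Hub-Ike-Gateway ike-policy XYZ-Ike-Policy
set security ike gateway Hub-Ike-Gateway address 203.0.113.10
## the spoke sends the matching ID; its own WAN address (and the provider NAT) do not matter
set security ike gateway Hub-Ike-Gateway local-identity user-at-hostname "XYZ@FQDN.COM"
set security ike gateway Hub-Ike-Gateway external-interface fe-0/0/0.0
set security ipsec vpn XYZ-VPN bind-interface st0.0
set security ipsec vpn XYZ-VPN ike gateway Hub-Ike-Gateway
set security ipsec vpn XYZ-VPN ike ipsec-policy XYZ-Ipsec-Policy
## spoke initiates and keeps the tunnel up on its own, so no traffic generator is needed
set security ipsec vpn XYZ-VPN establish-tunnels immediately
```

The security-relevant part of this layout is the per-site pre-shared key: each XYZ identity on the hub maps to its own key, so a key lifted from one branch device cannot impersonate another branch.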


05-14-2012 04:41 AM

Aggressive mode would be the best option. Tried and tested over years.


