have an issue.
Need to set up an IPSEC VPN from Juniper SRX 240 to a third party, running PFSense firewall.
LAN subnet on my end is 10.0.0.0/24
The requirement is to have it NAT-ed (source NAT, dynamic ports) to 172.16.1.1/32 before sending into the IPSEC tunnel.
LAN subnet behind the remote PFSense is 192.168.1.0/24
I was wondering if I could create a virtual router, use it just for the purpose of NAT, and once NAT is done, to send it to current router?
The sequence should look like this:
10.0.0.0/24 -NAT- > 172.16.1.1/32 ->IPSEC tunnel -> 192.168.1.0/24
Thanks for your time!
Go to Solution.
As you have mentioned , you can nat the traffic first and send it to a VR , you may terminate the VPN on the interface
inside the VR and this should solve your problem.
However there are few points that you need to consider:
# The throuput would go down as for same traffic is traversing the SRX twice.
# The number of session would reduce.
# In short the overall efficiency of the SRX would reduce as for SRX traffic is doubled.
# It may work but Juniper doesn't support NAT on policy based VPN's so JTAC will not be able to move ahead on this issue.
You can connect to a policy vpn on the remote device while still configuring a route based vpn on the SRX. then you can apply nat to the vpn traffic without any extra configuration oddities.