SRX Services Gateway

How to establish the VPN on SRX 220

08-26-2011 02:04 AM

Hi All,


I need to configure a Dynamic VPN setup. I have connected two SRXs back to back. The first SRX 220 is acting as a dual-ISP load balancer, while the second SRX 220 is acting as a security check as well as the VPN box (site-to-site, Dynamic VPN), which is internally connected to the server farm.


My problem is that the SRX 220 VPN firewall has a local IP range on the Untrust side (i.e. ), and so I cannot form a tunnel. I have public IP address ranges available from both service providers (i.e. ISP1: , ISP2: ). I need to NAT one IP address from each ISP to each Untrust interface of the SRX VPN box and create the VPN tunnel, so that in case one ISP fails it will automatically switch over to the second ISP. At the same time my internet traffic should keep working.


Please refer to the attached GIF for more clarification.



Hemant Shingane




Re: How to establish the VPN on SRX 220

08-26-2011 02:35 AM

The VPN will not survive the static NAT. You can NAT-T one side of the VPN (the client for dynamic, or the branch for site-to-site), but your HQ needs to have an actual public IP.


It looks as if those /28s are used as the interconnect on your external interfaces, not routed to you.


That means you'll need to terminate your VPNs on the external SRX. I'm assuming you are still in flow mode on the external SRX so that NAT can take place there. If your design uses static routing and Juniper's multiple-VR setup for dual ISPs, then you'll need the ability to terminate IKE in a VR for the secondary connection. That was introduced with 11.1. Do take the caveats in these forums about that build into consideration, however. If you are using BGP, that is not a concern, as you would not need multiple VRs in that case.


The alternative would be to have your /28 ranges routed to you and use separate /30 or /31 interconnects on the external interfaces, so you can use your /28 towards the secondary SRX.


I am puzzled as to what you gain with this design. I'd have assumed you wanted to avoid needing separate Untrust interfaces in the "internal" SRX, since ECMP is not available (yet), but from your drawing, you have two links out from each SRX. What did this design gain you, then?