SRX Services Gateway

IPSec VPN using alternative IP

‎08-20-2019 06:45 AM

I'm trying to create a new site-to-site VPN using an IP which is within the subnet for the external interface. For example:

External Interface


But I'd like the local-address for the IKE gateway to be I've managed this previously by creating a new VLAN as below but stating within the IKE gateway to use external-interface of Reth5.10 and local-address of


However, this doesn't appear to be working. Any thoughts on how to accomplish this? Currently running 15.1X49-D180.2 on SRX4100 cluster.


Re: IPSec VPN using alternative IP

‎08-20-2019 07:39 AM


I think I've solved my problem by just adding the IP address directly to the external interface and marking the original IP of the interfaces as primary and preferred. VPN tunnel has come up, just need to confirm IKE renews at lifetime.


Re: IPSec VPN using alternative IP

‎08-20-2019 10:48 PM



In Junos you can have more than one IP address on a single logical unit, hence this scenario is supported. You just need to make sure to specify which address has to be used by the IKE process with the command you mentioned:


  • local-address: Local IP address for IKE negotiations. Specify the local gateway address. Multiple addresses in the same address family can be configured on an external physical interface to a VPN peer. If this is the case, we recommend that local-address be configured.




Using the primary and preferred address options is also useful, and keep in mind you might need to hardcode the IKE IDs (local-identity and remote-identity):


I hope this information is helpful.


Please mark this comment as the Solution if applicable
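The configuration the two replies above describe, written out as an added example (not taken from the thread or from Juniper documentation): a second address on the existing external reth unit, the original address kept as primary and preferred so outbound traffic and self-sourced packets keep using it, and the IKE gateway pinned to the second address with local-address plus explicit IKE identities. All interface names, addresses (RFC 5737 documentation ranges), policy names and peer values are constructed placeholders.

```junos
## Added example, not from the original post. Interface, addresses,
## policy and peer names are constructed placeholders.

## Two addresses on the same logical unit. The original address stays
## primary/preferred so existing traffic sourced from the SRX is unchanged.
set interfaces reth5 unit 10 vlan-id 10
set interfaces reth5 unit 10 family inet address 198.51.100.10/24 primary preferred
set interfaces reth5 unit 10 family inet address 198.51.100.11/24

## The zone holding the external unit must accept IKE (UDP 500/4500) inbound,
## otherwise the peer's IKE_SA_INIT is dropped before it reaches the daemon.
set security zones security-zone untrust interfaces reth5.10
set security zones security-zone untrust host-inbound-traffic system-services ike

## IKE gateway: external-interface selects the unit, local-address selects
## which of its addresses the IKE process sources from and answers on.
set security ike gateway gw-peer-b external-interface reth5.10
set security ike gateway gw-peer-b local-address 198.51.100.11
set security ike gateway gw-peer-b address 203.0.113.5
set security ike gateway gw-peer-b ike-policy ike-pol-b
set security ike gateway gw-peer-b version v2-only

## Hardcoded IKE IDs so identity checks do not fall back to the primary
## address of the unit; the remote side must expect 198.51.100.11.
set security ike gateway gw-peer-b local-identity inet 198.51.100.11
set security ike gateway gw-peer-b remote-identity inet 203.0.113.5

## Route-based VPN bound to its own st0 unit.
set security ipsec vpn vpn-peer-b bind-interface st0.1
set security ipsec vpn vpn-peer-b ike gateway gw-peer-b
set security ipsec vpn vpn-peer-b ike ipsec-policy ipsec-pol-b
set security ipsec vpn vpn-peer-b establish-tunnels immediately

## Verification after commit: the Local column of the IKE SA should show
## 198.51.100.11, and the IPsec SA lifetime should roll over without the
## tunnel flapping once the IKE lifetime expires.
## run show security ike security-associations
## run show security ipsec security-associations
```

Removing the primary/preferred keywords on a unit that already carries traffic can silently change the source address the SRX uses for its own packets (DNS, syslog, routing protocols), so a quick check of the before-and-after output of `show interfaces reth5.10 terse` and the logs of any peers that filter by source address is worthwhile when applying this on a production cluster.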

Re: IPSec VPN using alternative IP

‎08-23-2019 10:29 AM

Even so, you could have an interface, in the same zone as your outside interface, and terminate your VPN on there. 

e.g. let's say ge-0/0/0.0 with was your outside interface, and you wanted to terminate the VPN on another interface (with a different IP) ge-0/0/1.255 as which is a sub-interface on your inside network but in the same zone as ge-0/0/0.0.


As long as the peers can route to that subnet and the interfaces are in the same zone (i.e. the outside zone), then the VPN can be established on another virtual interface.

JNCIE-SEC #252 | CCIE RS #45032
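The alternative this last reply outlines, as an added example that is not part of the thread: the VPN terminates on a separate logical unit that sits in the same zone as the existing outside interface, so the IKE gateway simply names that unit as its external-interface. Interface names, VLAN ID, addresses (RFC 5737 ranges) and policy names are constructed placeholders; the reachability of the new subnet from the peer is assumed to be handled by the surrounding routing.

```junos
## Added example, not from the original post. All names and addresses are
## constructed placeholders.

## Existing outside interface, untouched.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.10/24

## New sub-interface used only as the VPN termination point.
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 255 vlan-id 255
set interfaces ge-0/0/1 unit 255 family inet address 192.0.2.1/24

## Both units live in the same zone, and that zone allows IKE inbound.
## Keeping the termination unit in the outside zone means the existing
## untrust security policies apply to it unchanged.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.255
set security zones security-zone untrust host-inbound-traffic system-services ike

## IKE gateway bound to the new unit; with a single address on that unit
## no local-address is needed, but the IDs are still pinned explicitly.
set security ike gateway gw-peer-c external-interface ge-0/0/1.255
set security ike gateway gw-peer-c address 203.0.113.9
set security ike gateway gw-peer-c ike-policy ike-pol-c
set security ike gateway gw-peer-c local-identity inet 192.0.2.1
set security ike gateway gw-peer-c remote-identity inet 203.0.113.9

set security ipsec vpn vpn-peer-c bind-interface st0.2
set security ipsec vpn vpn-peer-c ike gateway gw-peer-c
set security ipsec vpn vpn-peer-c ike ipsec-policy ipsec-pol-c

## Verification: confirm the peer can actually reach 192.0.2.1 before
## debugging IKE, then check the SA is built against the new unit.
## run ping 203.0.113.9 source 192.0.2.1
## run show security ike security-associations
```

Because the termination unit is in the outside zone, any intra-zone or untrust-to-trust policy that was written with the old interface in mind now also governs traffic arriving on ge-0/0/1.255; reviewing those policies is the one extra step this layout adds compared with putting a second address on the existing unit.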