SRX Services Gateway

IPSec VPN using alternative IP

a month ago

I'm trying to create a new site-to-site VPN using an IP which is within the subnet of the external interface. For example:

External interface: Reth5.10 (10.1.1.1/24)

But I'd like the local-address for the IKE gateway to be 10.1.1.2. I've managed this previously by creating a new VLAN as below, but stating within the IKE gateway to use an external-interface of Reth5.10 and a local-address of 10.1.1.2:

Reth5.2 (10.1.1.2/32)

However, this doesn't appear to be working. Any thoughts on how to accomplish this? Currently running 15.1X49-D180.2 on an SRX4100 cluster.

3 replies

Re: IPSec VPN using alternative IP

a month ago

Update:

I think I've solved my problem by just adding the IP address directly to the external interface and marking the original IP of the interface as primary and preferred. The VPN tunnel has come up; I just need to confirm that IKE renews at lifetime.

Re: IPSec VPN using alternative IP

a month ago

Y3rM4

In Junos you can have more than one IP address on a single logical unit, hence this scenario is supported. You just need to make sure to specify which address has to be used by the IKE process with the command you mentioned:

  • local-address: Local IP address for IKE negotiations. Specify the local gateway address. Multiple addresses in the same address family can be configured on an external physical interface to a VPN peer. If this is the case, we recommend that local-address be configured.

Ref: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...

Using the primary and preferred address options is also useful, and keep in mind you might need to hardcode the IKE IDs (local-identity and remote-identity):

https://kb.juniper.net/InfoCenter/index?page=content&id=KB28037&cat=JUNOS_PLATFORM&actp=LIST

I hope this information is helpful.

Please mark this comment as the Solution if applicable.
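The approach the original poster settled on in the update above (a second address on the external unit, with the original address marked primary and preferred), combined with the explicit IKE local-address and hard-coded identities recommended in this reply, as an added configuration example written for this thread rather than configuration posted by either participant. The names GW-PEER, IKE-POL, IPSEC-POL, VPN-PEER, st0.0 and the zone untrust, the peer address 203.0.113.10 and the /24 on the second address are assumptions; the IKE and IPsec policies are assumed to already exist.

```junos
# Added example for this thread, not configuration from either poster.
# Assumed: gateway GW-PEER, policies IKE-POL / IPSEC-POL, VPN-PEER, st0.0,
# zone untrust; peer 203.0.113.10 is a documentation-range placeholder.

# Both addresses live on the existing external unit. Keeping 10.1.1.1 as
# primary and preferred means locally sourced traffic still uses the
# original address, while 10.1.1.2 is reserved for IKE.
set interfaces reth5 unit 10 family inet address 10.1.1.1/24 primary
set interfaces reth5 unit 10 family inet address 10.1.1.1/24 preferred
set interfaces reth5 unit 10 family inet address 10.1.1.2/24

# Pin the IKE source address explicitly: with several addresses of the same
# family on the external interface, local-address removes the ambiguity.
set security ike gateway GW-PEER ike-policy IKE-POL
set security ike gateway GW-PEER address 203.0.113.10
set security ike gateway GW-PEER external-interface reth5.10
set security ike gateway GW-PEER local-address 10.1.1.2

# Hard-code the IKE identities so identity matching does not depend on
# whichever interface address Junos would otherwise pick.
set security ike gateway GW-PEER local-identity inet 10.1.1.2
set security ike gateway GW-PEER remote-identity inet 203.0.113.10

# Route-based VPN bound to the gateway.
set security ipsec vpn VPN-PEER bind-interface st0.0
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PEER establish-tunnels immediately

# IKE must be allowed inbound on the external unit regardless of which
# of its addresses terminates the tunnel.
set security zones security-zone untrust interfaces reth5.10 host-inbound-traffic system-services ike
```

After commit, `show security ike security-associations` should list the SA with 10.1.1.2 as the local address, and `show interfaces reth5.10 terse` confirms both addresses on the unit.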

Re: IPSec VPN using alternative IP

4 weeks ago

Even so, you could have an interface in the same zone as your outside interface and terminate your VPN on there.

e.g. let's say ge-0/0/0.0 with 10.1.1.1 was your outside interface, and you wanted to terminate the VPN on another interface (with a different IP), ge-0/0/1.255 as 10.5.5.1, which is a sub-interface on your inside network but in the same zone as ge-0/0/0.0.

As long as the peers can route to the 10.5.5.0 subnet and the interfaces are in the same zone (i.e. the outside zone), then the VPN can be established on a virtual other interface.

JNCIE-SEC #252 | CCIE RS #45032