SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Site to Site Tunnels

    Posted 08-30-2009 23:34

    Hi All

     

    Has anyone set up a site-to-site tunnel yet on the SRX devices using a dynamic peer ID between two SRX units?

     

    I'm a little confused, as all the documentation on the SRX units for dynamic VPNs points to user-to-unit dynamic VPN.



  • 2.  RE: SRX Site to Site Tunnels
    Best Answer

    Posted 08-31-2009 05:57

    I believe this is what you are looking for:

     

     

    Remote side:

     security {
        ike {
            traceoptions {
                file ike-trace;
                flag all;
            }
            policy ike-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$DojqfTQn/tOUjCu1IcSYgoJGi.PQ6Cu"; ## SECRET-DATA
            }
            gateway test-gw {
                ike-policy ike-policy;
                address xx.xx.xx.90;
                local-identity user-at-hostname "testvpn@lab.com";
                external-interface fe-0/0/7;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            policy ipsec-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn test-vpn {
                bind-interface st0.0;
                ike {
                    gateway test-gw;
                    ipsec-policy ipsec-policy;
                }
                establish-tunnels immediately;
            }
        }
     }

     

    In this config my public IP was handed out via DHCP.

     

     

    Core side:

        ike {
            traceoptions {
                file ike-trace;
                flag all;
            }
            policy ike-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "$9$82qLNbsYoJDkWLGi.mTQcylKMX-VYaGi"; ## SECRET-DATA
            }
            gateway test-gw {
                ike-policy ike-policy;
                dynamic user-at-hostname "testvpn@lab.com";
                external-interface fe-0/0/7;
            }
        }
        ipsec {
            traceoptions {
                flag all;
            }
            policy ipsec-policy {
                perfect-forward-secrecy {
                    keys group2;
                }
                proposal-set standard;
            }
            vpn test-vpn {
                bind-interface st0.0;
                ike {
                    gateway test-gw;
                    ipsec-policy ipsec-policy;
                }
                establish-tunnels immediately;
            }
        }

     

     

    These are the tunnel configs I used when I tested this -- the remote side got a public IP via DHCP; the core side was statically defined.

    Let me know if this is what you are looking for.

     

    Cheers,

     

    Will
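
A consistency check for the two configs posted above, as an added example that is not part of the original post or of Juniper's tooling: it parses both sides and reports where the remote's `local-identity` differs from the core's `dynamic` identity, or where the IKE/IPsec policy parameters differ. The sample text is constructed from the post's statements with the pre-shared-key lines left out; `parse` and `mismatches` are hypothetical helper names.

```python
import shlex

def parse(text):
    """Flatten curly-brace Junos config into {(stanza, ..., keyword): [args]}."""
    stack, out = [], {}
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()  # drop "## SECRET-DATA" annotations
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            words = shlex.split(line[:-1])
            out[tuple(stack) + (words[0],)] = words[1:]
    return out

def mismatches(remote_text, core_text):
    """List settings that must agree: policy parameters and the IKE identity."""
    remote, core, issues = parse(remote_text), parse(core_text), []
    for path in sorted(set(remote) | set(core)):
        # The $9$ PSK strings in the post differ per device, so skip comparing them.
        in_policy = any(s.startswith("policy ") for s in path)
        if in_policy and path[-1] != "pre-shared-key" and remote.get(path) != core.get(path):
            issues.append((" / ".join(path), remote.get(path), core.get(path)))
    sent = [v for k, v in remote.items() if k[-1] == "local-identity"]
    expected = [v for k, v in core.items() if k[-1] == "dynamic"]
    if sent != expected:
        issues.append(("ike-id", sent, expected))
    return issues

# Constructed sample: statements taken from the two configs in the post, PSK omitted.
TEMPLATE = """ike {
    policy ike-policy {
        mode aggressive;
        proposal-set standard;
    }
    gateway test-gw {
        %s
    }
}
ipsec {
    policy ipsec-policy {
        perfect-forward-secrecy {
            keys group2;
        }
    }
}"""
REMOTE = TEMPLATE % 'local-identity user-at-hostname "testvpn@lab.com";'
CORE = TEMPLATE % 'dynamic user-at-hostname "testvpn@lab.com";'
print(mismatches(REMOTE, CORE.replace("testvpn", "testvpm")))  # constructed typo on the core side
```

An empty list means the identity and the policy parameters agree on both sides; each tuple otherwise names the setting with the remote value first and the core value second.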



  • 3.  RE: SRX Site to Site Tunnels

    Posted 08-31-2009 06:19
    Yes, thank you, that is what I'm looking for.


  • 4.  RE: SRX Site to Site Tunnels

    Posted 12-28-2011 18:05
    Hi all,

    Is a license required for this?


  • 5.  RE: SRX Site to Site Tunnels

    Posted 01-01-2012 11:40

    I don't think this uses any licenses.



  • 6.  RE: SRX Site to Site Tunnels

    Posted 01-01-2012 13:02

    @michael.saw wrote:
    Hi all,

    Is a license required for this?


    To the best of my knowledge only Dynamic VPN connections require licenses.

     

    Thanks.