SRX VPN loopback private address termination with static NAT
I have a SRX300 device running 15.1X49-D140.2.
I would like to create a route-based aggressive mode VPN where this device will initiate the IPsec connection. Can I initiate this VPN using a loopback with a private address, and use static NAT for external public connectivity on this device?
Reason for this, to re-route this VPN to an adjacent router with public connectivity in case the SRX public connectivity has an issue.
I can get the IPSec tunnel to up state but don't have connectivity across.
If I change the external interface from lo0.x to the externally facing IFD and remove the static NAT config, the connectivity works.
A couple of additional notes: I have a VR containing lo0.x and ge-0/0/0.x for external connectivity, and another VR to terminate the st0.x interface.
Re: SRX VPN loopback private address termination with static NAT
Sorry I missed this earlier. You cannot do static NAT with an interface address. Static NAT is a dedicated IP-to-IP mapping, so the address cannot be in use for any other purpose. It would need to be an address in the same subnet as the interface and set up with proxy ARP, or an address routed to the SRX interface directly.
So this would need to be destination NAT. And again, I am not sure you can send that to an internal SRX address or not. I have always done it as transit traffic, not self traffic.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
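The following is an added configuration sketch, not posted by either participant, that puts the question's topology (lo0.x and ge-0/0/0.x in one VR, st0.x in another, IKE initiated from the loopback) together with the reply's point that static NAT needs a dedicated public address plus proxy ARP rather than the interface's own address. All addresses (RFC 5737 ranges), instance, zone, proposal and gateway names, and the hostname identity are constructed placeholders. It assumes Junos applies the static NAT translation to the SRX's own IKE/ESP traffic sourced from lo0.1, which is exactly the self-traffic question the reply leaves open, so treat it as a starting point to verify, not a known-good template.

```junos
## Constructed addresses (not from the thread):
##   ge-0/0/0.0  192.0.2.10/24   SRX public interface, default gateway 192.0.2.1
##   192.0.2.11                  dedicated public address reserved for the loopback
##   lo0.1       10.255.0.1/32   private loopback that terminates IKE
##   203.0.113.1                 remote VPN peer
##   172.16.0.0/24               remote protected network behind the peer

set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/24
set interfaces lo0 unit 1 family inet address 10.255.0.1/32
set interfaces st0 unit 0 family inet

## Two virtual routers: OUTSIDE-VR owns lo0.1 and the public interface,
## INSIDE-VR owns st0.0, as described in the question.
set routing-instances OUTSIDE-VR instance-type virtual-router
set routing-instances OUTSIDE-VR interface ge-0/0/0.0
set routing-instances OUTSIDE-VR interface lo0.1
set routing-instances OUTSIDE-VR routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-instances INSIDE-VR instance-type virtual-router
set routing-instances INSIDE-VR interface st0.0
set routing-instances INSIDE-VR routing-options static route 172.16.0.0/24 next-hop st0.0

## IKEv1 aggressive mode, SRX is the initiator, terminated on the loopback.
## Aggressive mode needs a local-identity; local-address pins the IKE source.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-PSK"
set security ike gateway PEER-GW ike-policy IKE-POL
set security ike gateway PEER-GW address 203.0.113.1
set security ike gateway PEER-GW local-identity hostname srx300.example.net
set security ike gateway PEER-GW external-interface lo0.1
set security ike gateway PEER-GW local-address 10.255.0.1
set security ike gateway PEER-GW version v1-only

set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn LO-VPN bind-interface st0.0
set security ipsec vpn LO-VPN ike gateway PEER-GW
set security ipsec vpn LO-VPN ike ipsec-policy IPSEC-POL
set security ipsec vpn LO-VPN establish-tunnels immediately

## Static NAT: the dedicated public address 192.0.2.11 (not the interface's
## own 192.0.2.10) maps one-to-one to the loopback. Proxy ARP makes the SRX
## answer for 192.0.2.11 on the public segment, which the reply calls out as
## the requirement for an address in the interface subnet.
set security nat static rule-set LO-NAT from zone untrust
set security nat static rule-set LO-NAT rule LO match destination-address 192.0.2.11/32
set security nat static rule-set LO-NAT rule LO then static-nat prefix 10.255.0.1/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.0.2.11/32

## Zones: IKE must be allowed as host-inbound traffic on the interface that
## terminates it (the loopback), not only on the public interface.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn-lo interfaces lo0.1 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
```

After commit, the checks a practitioner would run are `show security ike security-associations` and `show security ipsec security-associations` (does the tunnel come up with the peer seeing 192.0.2.11), `show security nat static rule all` (do the translation hit counters increase for both directions), and `show security flow session` filtered on the peer address (is the ESP traffic actually being translated, or is it leaving with the private loopback source). If the SA forms but the flow sessions show 10.255.0.1 as the source of the SRX's own traffic, the self-traffic limitation the reply describes is what you are hitting, and the re-route-to-an-adjacent-router goal would need a different design than NAT on the SRX.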