SRX Services Gateway

SRX VPN loopback private address termination with static NAT

‎09-14-2018 04:34 PM

Hi Experts,

I have an SRX300 device running 15.1X49-D140.2.

I would like to create a route-based aggressive mode VPN where this device will initiate the IPsec connection. Can I initiate this VPN using a loopback with a private address, and use static NAT for external public connectivity on this device?

The reason for this is to re-route this VPN to an adjacent router with public connectivity in case the SRX public connectivity has an issue.

I can get the IPsec tunnel to the up state but don't have connectivity across it.

If I change the external interface from lo0.x to the externally facing IFD and remove the static NAT config, the connectivity works.

A couple of additional notes: I have a VR containing lo0.x and ge-0/0/0.x for external connectivity, and another VR to terminate the st0.x interface.

Thanks in advance.

4 replies

Re: SRX VPN loopback private address termination with static NAT

‎09-15-2018 05:34 AM

What is your static NAT configuration?

Remember that traffic from the SRX is in the junos-host zone, so any NAT policy would need to be written to this zone.

I've never done NAT for self traffic, so I'm not sure if that is supported.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: SRX VPN loopback private address termination with static NAT

‎09-15-2018 02:43 PM

static {
    rule-set TEST {
        from zone EXTERNAL;
        rule 1 {
            match {
                destination-address 10.0.0.0/32;
            }
            then {
                static-nat {
                    prefix {
                        172.16.0.0/32;
                    }
                }
            }
        }
    }
}

where 10.0.0.0/32 is the "public" IP address and 172.16.0.0/32 is lo0.x in a VR instance. lo0.x and the external-facing interface are in the EXTERNAL zone.

Maybe source NAT is more appropriate, since this is the initiator side of the IPsec tunnel.

Maybe this approach is totally off as well :)

Thanks for your reply.


Re: SRX VPN loopback private address termination with static NAT

‎09-16-2018 04:04 AM

Sorry I missed this earlier. You cannot do static NAT with an interface address. Static NAT is a dedicated IP-to-IP mapping, so the address cannot be in use for any other purpose. It would need to be an address in the same subnet as the interface and set up with proxy ARP, or an address routed to the SRX interface directly.

So this would need to be destination NAT. And again, I am not sure whether you can send that to an internal SRX address or not. I have always done it as transit traffic, not self traffic.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
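To make the "dedicated address plus proxy ARP" point concrete, here is an added example of a transit static NAT in Junos set-style syntax. It is not configuration from this thread or from Juniper; the addresses are constructed placeholders (RFC 5737 / RFC 1918), and it assumes ge-0/0/0.0 carries 203.0.113.1/24 in zone EXTERNAL with a spare address 203.0.113.10 reserved solely for the one-to-one mapping to the internal host 172.16.0.1.

```junos
## Added example, not from the thread. All addresses are constructed placeholders.
## ge-0/0/0.0 = 203.0.113.1/24 (zone EXTERNAL); 203.0.113.10 is unused by any interface.
set security nat static rule-set TEST from zone EXTERNAL
set security nat static rule-set TEST rule 1 match destination-address 203.0.113.10/32
set security nat static rule-set TEST rule 1 then static-nat prefix 172.16.0.1/32
## The SRX must answer ARP for the NAT address on the external interface;
## without this, upstream hosts never deliver packets for 203.0.113.10 to the SRX.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32
## Verification from operational mode:
##   show security nat static rule all
##     (translation-hit counters increment when the rule is matched)
##   show security flow session destination-prefix 172.16.0.1
##     (sessions shown post-translation confirm the mapping is applied)
```

The contrast with the posted configuration is that neither 203.0.113.10 nor 172.16.0.1 is an interface address of the SRX, so the one-to-one mapping has no competing owner. This covers transit traffic only, which is the case Steve describes; whether IKE initiated from lo0 can be translated this way is exactly what the thread leaves open, so test it with the rule counters above before relying on it for failover.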

Re: SRX VPN loopback private address termination with static NAT

‎09-16-2018 02:22 PM

No problem.  I appreciate the replies.