SRX Services Gateway
SRX Services Gateway

SRX240 IPSec VPN design questions

‎07-06-2016 12:44 PM

Hello all,

 

We currently have about 80 (which could eventually reach 200+) remote sites using SRX100/110 devices that have route-based IPSec VPN tunnels back to a Palo Alto firewall.  All remote sites have dynamic IP addresses and use aggressive mode to connect.  We will be moving the tunnels off of the Palo Alto and onto a public facing SRX240.

 

I'm kind of looking for guidance on the most efficient way to program all of the tunnels on the SRX240.  I'm not completely familiar with setting up this many VPNs on a single Juniper so I could be doing more work than I should have to.  The sites should only be passing traffic to the SRX240 and do not need to talk to each other.  All sites use the exact same IKE/IPSec configuration and each shop has a unique /24 LAN subnet programmed but they all fall under the same /16 network.  The preshared key is the same for all sites and a unique user-at-hostname is used per shop.

 

  • Would it be best to use the multipoint command on the SRX240 st0.0 interface or assign a unique unit number for each shop?
  • Since all shops fall into the /16 subnet can I make one address book entry instead of a /24 for each shop?
  • Since they use unique user-at-hostname I assume I have to create IKE gateways for every single shop or is there a more efficient way to do this with an all Juniper setup?
  • Can I use only one IKE policy on the SRX240 since they all have the same encryption, mode and preshared key?
  • With dynamic VPN tunnels do you recommend VPN monitor?
  • Any other pitfalls I need to look out for or additional information needed for these questions?
Feedback