SRX Services Gateway

Vpn created behind NAT device

04-20-2016 12:52 PM

There are a couple of things I'm not getting.

I found a doc that says to add: set security ike gateway ike-gateway1 local-identity hostname juniper.net;

But I don't know what side to put it on. Or if it goes on both sides.

So if I'm doing this:

FW1 -> FW2 -> INTERNET -> FW3 (where FW2 is the NAT, and the tunnel is configured between 1 and 3)

It would look like this on both sides?:

set security ike proposal ike-Test00-proposal authentication-method pre-shared-keys
set security ike proposal ike-Test00-proposal dh-group group2
set security ike proposal ike-Test00-proposal authentication-algorithm sha1
set security ike proposal ike-Test00-proposal encryption-algorithm aes-128-cbc

set security ike policy ike-Test00-policy mode main
set security ike policy ike-Test00-policy proposals ike-Test00-proposal
set security ike policy ike-Test00-policy pre-shared-key ascii-text elvisike123

set security ike gateway gw-Test00 external-interface <outbound interface>
set security ike gateway gw-Test00 ike-policy ike-Test00-policy
set security ike gateway gw-Test00 address <public ip>

set security ike gateway gw-Test00 local-identity hostname testvpn.fqdn.com

I don't suppose anyone can point me to a doc that shows all of this in 1 place?

Solution
Accepted by topic author sumcallmetim
05-19-2016 12:43 PM

Re: Vpn created behind NAT device

04-20-2016 10:40 PM

Hello,

In this case it's pretty simple. I hope that you do not have any dynamic IP assigned to FW1 or FW3; the only thing here is that FW1 is behind a NAT device. So FW1 will have all the normal configuration plus the following added config of "local identity":

set security ike gateway gw-Test00 local-identity inet <NAT Public IP of FW2>

You use local identity as hostname when we have a dynamic or DHCP IP; if they are all static we can use local identity inet and give the public NAT IP of FW2 in FW1.

FW3 will have the gateway IP as the FW2 NAT IP. So FW3 will have normal configuration.


Thanks,
Sam

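Both sides in one place, as an added example that is not from this thread or from Juniper: FW1's gateway behind FW2's NAT with the local-identity line from the reply, and FW3's matching gateway pointed at the NAT address. The proposal and policy names are the ones from the question; the addresses (documentation ranges, constructed), the interface names, the IPsec proposal/policy and VPN names, and the pre-shared key are assumed placeholders, and the "#" lines are annotation rather than CLI input.

```junos
# FW1 (initiator, sits behind FW2's NAT). Assumed: outside interface ge-0/0/0.0,
# FW2 NAT public IP 203.0.113.2, FW3 public IP 198.51.100.3 (all constructed).
set security ike proposal ike-Test00-proposal authentication-method pre-shared-keys
set security ike proposal ike-Test00-proposal dh-group group2
set security ike proposal ike-Test00-proposal authentication-algorithm sha1
set security ike proposal ike-Test00-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-Test00-policy mode main
set security ike policy ike-Test00-policy proposals ike-Test00-proposal
set security ike policy ike-Test00-policy pre-shared-key ascii-text "<same-psk-on-both-sides>"
set security ike gateway gw-Test00 ike-policy ike-Test00-policy
set security ike gateway gw-Test00 address 198.51.100.3
set security ike gateway gw-Test00 external-interface ge-0/0/0.0
# The one NAT-specific line: FW1 identifies itself by the address FW3 will see
# its packets arrive from (FW2's NAT public IP), not by its own private address.
set security ike gateway gw-Test00 local-identity inet 203.0.113.2
set security ipsec proposal ipsec-Test00-proposal protocol esp
set security ipsec proposal ipsec-Test00-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-Test00-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-Test00-policy proposals ipsec-Test00-proposal
set security ipsec vpn vpn-Test00 bind-interface st0.0
set security ipsec vpn vpn-Test00 ike gateway gw-Test00
set security ipsec vpn vpn-Test00 ike ipsec-policy ipsec-Test00-policy
set security ipsec vpn vpn-Test00 establish-tunnels immediately
set interfaces st0 unit 0 family inet

# FW3 (responder, public IP 198.51.100.3). Same IKE/IPsec proposals and policies
# as FW1 (repeat the lines above); the only difference is the gateway address,
# which is FW2's NAT public IP, and no local-identity line is needed.
set security ike gateway gw-Test00 ike-policy ike-Test00-policy
set security ike gateway gw-Test00 address 203.0.113.2
set security ike gateway gw-Test00 external-interface ge-0/0/0.0
set security ipsec vpn vpn-Test00 bind-interface st0.0
set security ipsec vpn vpn-Test00 ike gateway gw-Test00
set security ipsec vpn vpn-Test00 ike ipsec-policy ipsec-Test00-policy
set interfaces st0 unit 0 family inet
```

Zones, security policies and the route into st0.0 are the same as for any route-based VPN and are left out; the pre-shared key must be identical on both sides.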

Re: Vpn created behind NAT device

04-27-2016 09:08 AM

Thank you for the response. That makes perfect sense. I've been out the past several days; once I get caught up on some things I'll try that config out.


Re: Vpn created behind NAT device

05-04-2016 11:14 AM

What ports do I have to open to get the VPN to pass through FW2?

I have UDP 500 and 4500, as well as protocol 50 and 51.

Am I missing any?


Re: Vpn created behind NAT device

05-07-2016 04:54 AM

Yes, those are the only ports required for your VPN connection.

If you are having problems getting the tunnel to come up see the verification section of this document for the troubleshooting commands.

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/ipsec-route-based-vpn-respndr-behind-...

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Vpn created behind NAT device

05-19-2016 12:44 PM

Alrighty. This tunnel is up and running. Thanks both of you for your input!
