ScreenOS Firewalls (NOT SRX)

SSG20 site to site dynamic vpn don't work issue

‎12-10-2018 05:18 AM

Dear All,

I tried all scenarios to make two SSG 20s have a site-to-site VPN using a dynamic IP address at Site B, but with no success. It works when both sites have fixed IP addresses, but when Site B has a dynamic IP address it doesn't work.

Site A's public IP address is 82.114.183.222 and its LAN is 192.168.2.0/24.

Site B has a dynamic public IP address and its LAN is 192.168.4.0/24.

What is wrong in the attached configuration?

Could you please share the best working and guaranteed configuration example? I did exactly as in the Juniper resources, but it doesn't work!

Thanks to all.


Re: SSG20 site to site dynamic vpn don't work issue

‎12-10-2018 09:12 AM

Site B has a private IP address.  As such, this would need to be NAT'd, and requires NAT-T.

Site B config:

set ike gateway "sana_Dynamic" address 82.114.183.222 Aggr local-id "aden.com" outgoing-interface "ethernet0/2"

set interface ethernet0/2 ip 192.168.44.254/24

Site A has NAT-T disabled though.

unset ike gateway "Aden_Dynamic" nat-traversal

Try enabling NAT-T on Site A.

Re: SSG20 site to site dynamic vpn don't work issue

‎12-10-2018 12:47 PM

Thanks rseibert for your kind reply.

The ethernet0/2 of Site B is connected to an ADSL modem that has a dynamic public IP address, so shall I proceed with what you advise, or switch to a policy-based VPN as in the link below and do exactly the same? Will it work, or is there something missing?

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15076&actp=METADATA

Regards,

Re: SSG20 site to site dynamic vpn don't work issue

‎12-10-2018 12:55 PM

Route vs policy based doesn't matter for VPN establishment.  You would need NAT-T enabled for both.
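
A small check for the condition diagnosed in this thread, added here as an example (it is not part of the original posts and not Juniper code): it flags IKE gateways whose outgoing interface holds a private address, and gateways where NAT-T is explicitly unset. The sample configs are constructed from the three lines quoted in the replies above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample configs, built only from the lines quoted in the thread.
SITE_B = '''
set interface ethernet0/2 ip 192.168.44.254/24
set ike gateway "sana_Dynamic" address 82.114.183.222 Aggr local-id "aden.com" outgoing-interface "ethernet0/2"
'''
SITE_A = '''
unset ike gateway "Aden_Dynamic" nat-traversal
'''

IFACE_RE = re.compile(r'^set interface "?([\w/.]+)"? ip (\d+\.\d+\.\d+\.\d+)/\d+')
GW_RE = re.compile(r'^set ike gateway "([^"]+)" .*outgoing-interface "?([\w/.]+)"?')
NATT_RE = re.compile(r'^(set|unset) ike gateway "([^"]+)" nat-traversal\b')


def gateways_behind_nat(config):
    """Return IKE gateways whose outgoing interface has a non-public address
    (ipaddress.is_private, which covers the RFC 1918 ranges)."""
    lines = [line.strip() for line in config.splitlines()]
    iface_ip = {}
    for line in lines:
        m = IFACE_RE.match(line)
        if m:
            iface_ip[m.group(1)] = ipaddress.ip_address(m.group(2))
    found = []
    for line in lines:
        m = GW_RE.match(line)
        if m and m.group(2) in iface_ip and iface_ip[m.group(2)].is_private:
            found.append(m.group(1))
    return found


def natt_disabled(config):
    """Return gateways whose last nat-traversal statement is 'unset'."""
    state = {}
    for line in config.splitlines():
        m = NATT_RE.match(line.strip())
        if m:
            state[m.group(2)] = m.group(1)  # later statements override earlier ones
    return [gw for gw, verb in state.items() if verb == "unset"]


if __name__ == "__main__":
    print("behind NAT:", gateways_behind_nat(SITE_B))
    print("NAT-T explicitly disabled:", natt_disabled(SITE_A))
```

A gateway reported by either function on one side of the tunnel is a reason to confirm NAT-T is enabled on both peers, as the replies advise.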