I'm a newbie. I have a problem with my topology when deploying a VPN. The topology is:
Datacenter: Inside_01 ---ge-0/0/1- SRX 345 -ge-0/0/0--- Modem_01 ---- Internet ---- ge-0/0/0- SRX 320 -ge-0/0/1--- Inside_02: Branch
I want to create a VPN between 5 branch sites and the datacenter. Which kind of VPN should I use?
With the topology above, what do I have to do?
1. Because the IP between the SRX and the modem is a private IP, I can't use it to create the connection, so I have to use NAT to the public IP on the modem. Can you guide me to the commands to configure it and the VPN configuration?
2. My SRX-345 and SRX-320 are on version 15.1X49-D45. Is that OK for creating a VPN?
Once you forward the public address to the SRX, you can use that for the gateway address for that side.
You can use either the route-based or policy-based VPN examples to set up the tunnel.
You will need to add the NAT traversal option that lets the VPN know there is a gateway address NAT in the path.
The rest of the configuration will be the same.
Thanks for your instructions!
More questions. I want to ask about the license and software version for the SRX. I have checked: my device version is 15.1X49-D45 and the license is blank.
So to deploy a VPN, what is required for the device?
And with 5-10 branches connecting to the datacenter, which VPN solution is best? (The branches do not communicate with each other.)
I can comment on the license and version questions:
Please upgrade Junos to 15.1X49-D140, which is the latest JTAC recommended release (ref: https://kb.juniper.net/InfoCenter/index?page=content&id=kb21476).
Site-to-site VPNs do not require licenses on your device. Only endpoint client VPN and enhanced security features like anti-virus, URL filtering and similar do. There are two endpoint VPN client licenses included, but support for this was first added in 15.1X49-D80. That's why you don't see them on your current version.
With your current requirements I would personally go for a route-based VPN as this tends to be a more simple setup.
I'll upgrade my device to the new version and use a route-based VPN following your instructions.
Thank you for your support!
Also note that when the remote side has a dynamic IP address, you will need to use the aggressive mode VPN for these connections, and the remote side will need to be the initiator of traffic. You will see examples of these in the VPN collection as well.
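The dynamic-address case described above, as an added example (not from the poster and not Juniper's reference configuration): the hub cannot point a gateway at an address it does not know, so it defines the gateway with `dynamic hostname` and matches the branch on the hostname IKE ID it sends, which in IKEv1 with pre-shared keys requires aggressive mode on both ends. The branch sends a fixed hostname as its `local-identity` and uses `establish-tunnels immediately` so it initiates as soon as it has a public address. Names, addresses and keys are placeholders; the proposals `ike-prop` and `ipsec-prop` and the policy `ipsec-pol` are assumed to already exist as for any route-based VPN on these boxes and are not repeated.

```junos
## Datacenter SRX 345 (still behind the NAT modem whose public IP is 198.51.100.10):
## one gateway per dynamic-IP branch, matched on the branch's hostname IKE ID.
## Placeholders: branch ID branch2.example.invalid, branch LAN 10.3.0.0/24.
## Aggressive mode exposes the identity and a PSK-derived hash on the wire,
## so give every branch its own long random key via its own IKE policy.
set security ike policy ike-pol-branch2 mode aggressive
set security ike policy ike-pol-branch2 proposals ike-prop
set security ike policy ike-pol-branch2 pre-shared-key ascii-text "REPLACE-PER-BRANCH-RANDOM-KEY"
set security ike gateway gw-branch2 ike-policy ike-pol-branch2
## No peer address: accept IKE from any source, identify the peer by its hostname ID.
## The hostname is only an identity string; it does not have to resolve in DNS.
set security ike gateway gw-branch2 dynamic hostname branch2.example.invalid
set security ike gateway gw-branch2 external-interface ge-0/0/0.0
## The hub is NATed, so it still has to announce the modem's public IP as its ID.
set security ike gateway gw-branch2 local-identity inet 198.51.100.10
set security ipsec vpn vpn-branch2 bind-interface st0.2
set security ipsec vpn vpn-branch2 ike gateway gw-branch2
set security ipsec vpn vpn-branch2 ike ipsec-policy ipsec-pol
## No establish-tunnels here: the hub cannot initiate toward an unknown address.
set interfaces st0 unit 2 family inet address 10.255.2.1/30
set security zones security-zone vpn interfaces st0.2
set routing-options static route 10.3.0.0/24 next-hop st0.2

## Branch SRX 320 with a DHCP-assigned public address on ge-0/0/0
set security ike policy ike-pol mode aggressive
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-PER-BRANCH-RANDOM-KEY"
set security ike gateway gw-dc ike-policy ike-pol
set security ike gateway gw-dc address 198.51.100.10
set security ike gateway gw-dc remote-identity inet 198.51.100.10
## Send a stable hostname ID instead of the changing IP address.
set security ike gateway gw-dc local-identity hostname branch2.example.invalid
set security ike gateway gw-dc external-interface ge-0/0/0.0
## DPD lets the branch notice a dead tunnel and re-initiate after its address changes.
set security ike gateway gw-dc dead-peer-detection interval 10 threshold 3
set security ipsec vpn vpn-dc bind-interface st0.1
set security ipsec vpn vpn-dc ike gateway gw-dc
set security ipsec vpn vpn-dc ike ipsec-policy ipsec-pol
## The branch must be the initiator, and should bring the tunnel up without
## waiting for user traffic so the datacenter can reach it.
set security ipsec vpn vpn-dc establish-tunnels immediately
set interfaces st0 unit 1 family inet address 10.255.2.2/30
set security zones security-zone vpn interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set routing-options static route 10.1.0.0/16 next-hop st0.1
```

Because only the branch can initiate, traffic that originates at the datacenter fails whenever the tunnel is down, which is why the branch keeps `establish-tunnels immediately` and DPD rather than relying on traffic to trigger negotiation. The zone policies between trust and vpn are the same as for a static-IP branch.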
I can help you with the configuration, it should be simple, but it depends on the following information:
+Is the private IP address of SRX 345 dynamic? (Assigned via DHCP by the modem)
+Is the public IP address of the SRX 320 dynamic? (Assigned via DHCP by the ISP)
- The private IP of the SRX before the modem will be static.
- The public IP may be static or dynamic (it depends on the customer's contract with the ISP). So can you guide me on both? That would be best.