For this setup to work you will need to verify that AWS has some features to configure on IPsec: one is definitely required and the other is likely to be needed.
First is to enable the NAT traversal feature of IPsec. This is needed when the gateway address you are using is a public IP address but the physical device has a private one.
The second issue is to determine whether or not the router doing your NAT has the ability to forward an inbound VPN request from AWS (not simply the reply to your SRX as initiator) to your device. Most routers and firewalls will only accept IPsec traffic and process it as themselves on IP addresses that physically exist on the device.
If you can forward, this must be set up too so that AWS can be the initiator when it needs to.
If this cannot be set up, then AWS has to allow you to configure their side of the tunnel as responder only as a feature too.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
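An added example of the SRX side of such a setup, not from the thread or from Juniper's documentation: a Junos IKE/IPsec configuration for an SRX on a private address behind a NAT router, where the IKE identity sent to AWS is the router's public IP and the SRX keeps the tunnel up as initiator so the forwarding limitation described above matters less. The IP addresses (203.0.113.10 for the AWS endpoint, 198.51.100.5 for the router's public IP), the interface ge-0/0/0.0, the object names, and the pre-shared key are placeholders.

```junos
## Phase 1 (IKE) - main mode with a static public identity is fine here;
## aggressive mode is not needed because the router's public IP is static.
set security ike proposal ike-prop-aws authentication-method pre-shared-keys
set security ike proposal ike-prop-aws dh-group group14
set security ike proposal ike-prop-aws authentication-algorithm sha-256
set security ike proposal ike-prop-aws encryption-algorithm aes-256-cbc
set security ike policy ike-pol-aws mode main
set security ike policy ike-pol-aws proposals ike-prop-aws
set security ike policy ike-pol-aws pre-shared-key ascii-text "REPLACE-WITH-PSK"

## Gateway: peer is the AWS tunnel endpoint; external-interface is the
## SRX port on the private side of the router (the SRX has no public IP).
set security ike gateway gw-aws ike-policy ike-pol-aws
set security ike gateway gw-aws address 203.0.113.10
set security ike gateway gw-aws external-interface ge-0/0/0.0
## Send the router's public IP as our IKE identity so AWS, which only
## knows the customer gateway by that address, accepts the peer.
set security ike gateway gw-aws local-identity inet 198.51.100.5
## NAT-T is on by default in Junos; keepalives stop the router from
## expiring the UDP 4500 mapping while the tunnel is idle.
set security ike gateway gw-aws nat-keepalive 10
## DPD so the SRX notices a dead tunnel and re-initiates itself.
set security ike gateway gw-aws dead-peer-detection always-send
set security ike gateway gw-aws dead-peer-detection interval 10
set security ike gateway gw-aws dead-peer-detection threshold 3

## Phase 2 (IPsec) - route-based tunnel on st0.0.
set security ipsec proposal ipsec-prop-aws protocol esp
set security ipsec proposal ipsec-prop-aws authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-aws encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol-aws perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol-aws proposals ipsec-prop-aws
set security ipsec vpn vpn-aws bind-interface st0.0
set security ipsec vpn vpn-aws ike gateway gw-aws
set security ipsec vpn vpn-aws ike ipsec-policy ipsec-pol-aws
## Bring the tunnel up at commit and keep it up, so the SRX is always the
## initiator and AWS never needs to open a connection through the NAT.
set security ipsec vpn vpn-aws establish-tunnels immediately
```

If the router cannot forward UDP 500/4500 from AWS to the SRX, the DPD and `establish-tunnels immediately` settings are what keep the SRX re-initiating after an outage; the AWS side must still be configured to accept the router's public IP as the customer gateway.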
Original Message:
Sent: 07-19-2021 04:50
From: ANUPAM GAUR
Subject: VPN behind a Router
Hi Steve,
Can you help here.
The SRX is behind the Router; the Router has only 1 public IP address on its external interface.
Can we still configure VPN between SRX and a 3rd party in cloud using Main Mode, and will this tunnel work in both directions?
------------------------------
skywalker
Original Message:
Sent: 07-15-2021 07:21
From: ANUPAM GAUR
Subject: VPN behind a Router
Hi Steve,
Thanks for the clarity;
I am actually following the thread where you have explained:
https://community.juniper.net/communities/community-home/digestviewer/viewthread?MID=73033
I have 3 queries:
If there is no free Public IP, will this create a problem?
Also, do we really need aggressive mode if we have a static Public IP?
Will this tunnel work in both directions? (from traffic initiation point of view)
------------------------------
skywalker
Original Message:
Sent: 07-15-2021 05:59
From: STEVE PULUKA
Subject: VPN behind a Router
You will generally need another IP because most routers and firewalls are able to create VPN tunnels. So when a VPN packet arrives on an IP address physically configured on the device, this is treated as traffic destined for the device and NOT transit traffic to be forwarded to someone else.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 07-15-2021 00:03
From: ANUPAM GAUR
Subject: VPN behind a Router
Thanks Steve.
Yes, the SRX is behind a router. The VPN has to be built between the SRX and AWS. The router is a shared router with other companies.
There is only 1 IP address on the public interface of the router. I believe this is sufficient. Why do we need a separate public IP?
NAT-T should be enabled on the router.
Is it also required on AWS?
We can build a VPN between SRX and AWS:
SRX (srx) ---- router (public IP) ----- AWS (public IP)
------------------------------
skywalker
Original Message:
Sent: 07-14-2021 17:02
From: STEVE PULUKA
Subject: VPN behind a Router
Sounds like you will have the SRX on a private IP address behind the publicly connected router, which would need to have a static IP for a typical AWS site-to-site deployment.
If the router with the public address has the ability to create VPNs, your best bet is to terminate it there. I am pretty sure AWS site-to-site does not support the client aggressive on-demand model but assumes infrastructure fixed IP address device-to-device.
If the router is not an option, perhaps there is a second IP address in the static range that the router could NAT forward to the SRX. But for this to work AWS will need to support enabling NAT traversal in the VPN options. I'm not sure if that is a choice.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Original Message:
Sent: 07-13-2021 06:38
From: ANUPAM GAUR
Subject: VPN behind a Router
Hello, I have an SRX 320, but because of issues in getting the dedicated data line, our team has decided to use a shared router having a Public IP address.
What we are planning is to connect the SRX 320 ethernet port (any port) to this router.
The Router has the Public IP. The goal is to establish a VPN tunnel with AWS.
So do we have to use Dynamic VPN on the SRX with aggressive mode? Do we have to define the Public IP address of the Router in the SRX VPN config, or only the interface or device host ID?
Also, will this VPN work only in one direction, from our site > AWS?
What if the tunnel is down for some moment and AWS initiates the traffic. Will it come up?
------------------------------
skywalker
------------------------------