SRX


VPN behind a Router

  • 1.  VPN behind a Router

    Posted 11 days ago
Hello, I have an SRX 320, but because of issues in getting the dedicated data line, our team has decided to use a shared router that has a public IP address.

    What we are planning is to connect the SRX 320 Ethernet port (any port) to this router.

    The router has the public IP. The goal is to establish a VPN tunnel with AWS.

    So do we have to use Dynamic VPN on the SRX with aggressive mode? Do we have to define the public IP address of the router in the SRX VPN config, or only the interface or device host ID?

    Also, will this VPN work only in one direction, from our site to AWS?

    What if the tunnel is down for some moment and AWS initiates the traffic? Will it come up?

    ------------------------------
    skywalker
    ------------------------------


  • 2.  RE: VPN behind a Router

    Posted 10 days ago
Anyone, please?

    ------------------------------
    skywalker
    ------------------------------



  • 3.  RE: VPN behind a Router

    Posted 10 days ago
Sounds like you will have the SRX on a private IP address behind the publicly connected router, which would need to have a static IP for a typical AWS site-to-site deployment.

    If the router with the public address has the ability to create VPNs, your best bet is to terminate it there. I am pretty sure AWS site-to-site does not support the client aggressive on-demand model but assumes an infrastructure fixed-IP-address device-to-device setup.

    If the router is not an option, perhaps there is a second IP address in the static range that the router could NAT-forward to the SRX. But for this to work AWS will need to support enabling NAT traversal in the VPN options. I'm not sure if that is a choice.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: VPN behind a Router

    Posted 10 days ago
Thanks Steve.

    Yes, the SRX is behind a router. The VPN has to be built between the SRX and AWS. The router is a shared router with other companies.

    There is only 1 IP address on the public interface of the router. I believe this is sufficient. Why do we need a separate public IP?

    NAT-T should be enabled on the router.

    Is it also required on AWS?

    We can build a VPN between the SRX and AWS:

    SRX (SRX) ---- router (public IP) ----- AWS (public IP)

    ------------------------------
    skywalker
    ------------------------------



  • 5.  RE: VPN behind a Router

    Posted 9 days ago
You will generally need another IP because most routers and firewalls are able to create VPN tunnels. So when a VPN packet arrives on an IP address physically configured on the device, this is treated as traffic destined for the device and NOT transit traffic to be forwarded to someone else.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 6.  RE: VPN behind a Router

    Posted 9 days ago
Hi Steve,

    Thanks for the clarity;

    I am actually following the thread where you have explained
    https://community.juniper.net/communities/community-home/digestviewer/viewthread?MID=73033

    I have 3 queries:
    If there is no free public IP, will this create a problem?
    Also, do we really need aggressive mode if we have a static public IP?
    Will this tunnel work in both directions? (from a traffic initiation point of view)

    ------------------------------
    skywalker
    ------------------------------



  • 7.  RE: VPN behind a Router

    Posted 6 days ago
Hi Steve,

    Can you help here?

    The SRX is behind the router; the router has only 1 public IP address on its external interface.

    Can we still configure a VPN between the SRX and a 3rd party in the cloud using main mode, and will this tunnel work in both directions?



    ------------------------------
    skywalker
    ------------------------------



  • 8.  RE: VPN behind a Router

    Posted 4 days ago
For this setup to work you will need to verify that AWS has some features to configure on IPsec. One is definitely required and the other is likely to be needed.

    First is to enable the NAT traversal feature of IPsec. This is needed when the gateway address you are using is a public IP address but the physical device has a private one.

    The second issue is to determine whether or not the router doing your NAT has the ability to forward an inbound VPN request from AWS (not simply the reply to your SRX as initiator) to your device. Most routers and firewalls will only accept IPsec traffic and process it as themselves on IP addresses that physically exist on the device.

    If you can forward, this must be set up too so that AWS can be the initiator when it needs to.

    If this cannot be set up, then AWS has to allow you to configure their side of the tunnel as responder only as a feature too.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
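As an added example for the setup discussed in this thread (not configuration from the thread, from Juniper or from AWS), this is the SRX side of a route-based IPsec VPN where the SRX external interface holds a private address behind the NAT router. It assumes IKEv2 (which AWS Site-to-Site VPN supports, so the main/aggressive question does not arise), a constructed private address 192.168.1.2/24 on ge-0/0/0, the router's public IP 198.51.100.7 as the IKE identity (an assumption; match it to what the AWS customer gateway is defined with), the placeholder AWS tunnel endpoint 203.0.113.10, and placeholder names and pre-shared key.

```junos
## Added example: SRX 320 behind a NAT router, route-based IPsec to AWS (IKEv2).
## Constructed/placeholder values: 192.168.1.2/24 (SRX private side), 198.51.100.7
## (router public IP, assumed as the IKE identity), 203.0.113.10 (AWS tunnel endpoint),
## 169.254.10.2/30 (tunnel inside address), all names and the pre-shared key.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.2/24
set interfaces st0 unit 0 family inet address 169.254.10.2/30

## Phase 1: IKEv2, so the main vs. aggressive mode choice does not apply.
set security ike proposal AWS-IKE-PROP authentication-method pre-shared-keys
set security ike proposal AWS-IKE-PROP dh-group group14
set security ike proposal AWS-IKE-PROP authentication-algorithm sha-256
set security ike proposal AWS-IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal AWS-IKE-PROP lifetime-seconds 28800
set security ike policy AWS-IKE-POL proposals AWS-IKE-PROP
set security ike policy AWS-IKE-POL pre-shared-key ascii-text "REPLACE-WITH-PSK"

## Gateway: external-interface is the private-addressed port. NAT-T is on by default
## on the SRX; the keepalive keeps the router's UDP 4500 mapping open between data
## packets. The IKE identity is the router's public IP, not the private interface IP.
set security ike gateway AWS-GW ike-policy AWS-IKE-POL
set security ike gateway AWS-GW address 203.0.113.10
set security ike gateway AWS-GW external-interface ge-0/0/0.0
set security ike gateway AWS-GW local-identity inet 198.51.100.7
set security ike gateway AWS-GW version v2-only
set security ike gateway AWS-GW nat-keepalive 10
set security ike gateway AWS-GW dead-peer-detection always-send
set security ike gateway AWS-GW dead-peer-detection interval 10
set security ike gateway AWS-GW dead-peer-detection threshold 3

## Phase 2 and the tunnel. establish-tunnels immediately makes the SRX bring the
## tunnel up without waiting for traffic, and DPD makes it re-initiate after a drop,
## so the SRX stays the initiator when the router cannot forward inbound UDP 500/4500
## from AWS to 192.168.1.2 (the responder-only case from the last reply).
set security ipsec proposal AWS-IPSEC-PROP protocol esp
set security ipsec proposal AWS-IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal AWS-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal AWS-IPSEC-PROP lifetime-seconds 3600
set security ipsec policy AWS-IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy AWS-IPSEC-POL proposals AWS-IPSEC-PROP
set security ipsec vpn AWS-VPN bind-interface st0.0
set security ipsec vpn AWS-VPN ike gateway AWS-GW
set security ipsec vpn AWS-VPN ike ipsec-policy AWS-IPSEC-POL
set security ipsec vpn AWS-VPN establish-tunnels immediately

## Let IKE reach the SRX on the private-addressed interface; st0 gets its own zone.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
```

Static routes for the AWS prefixes via st0.0 and the security policies between zones are omitted; if the router can forward UDP 500 and 4500 to 192.168.1.2, AWS can also initiate and the tunnel works from either side.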