Hello
I'm trying to set up IPsec from one of our remote SRX1 with an LTE connection to our HQ SRX2.
In my lab environment I have tried it by first assigning a public dynamic address on SRX1, and it works even when the dynamic IP changes.
[SRX1]=====[LTE connection, public dynamic IP]====[INTERNET]===[SRX2]
But the actual production setup won't have a dynamic public IP; instead it will have a dynamic private IP with NAT.
[SRX1]=====[LTE connection, private dynamic IP with NAT]====[INTERNET]===[SRX2]
I have tried to follow this example (SRX) but was not successful. Below is what I get.
Note: 10.10.10.1 is the global IP after NAT.
root@SRXHQ# run show security ike security-associations detail
IKE peer 10.10.10.1, Index 5149998, Gateway Name: N/A
Role: Responder, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: a7b47f85c1167b5c
Exchange type: Any, Authentication method: Unknown
:500, Remote: 10.10.10.1:7
Peer ike-id: not available
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : (null)
Encryption : (null)
Pseudo random function: (null)
Diffie-Hellman group : unknown
Traffic statistics:
Input bytes : 460
Output bytes : 102
Input packets: 1
Output packets: 1
Flags: IKE SA is created
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Flags: IKE SA is created
root@SRXREMOTE# run show security ike security-associations detail
IKE peer 10.30.30.2, Index 3078681, Gateway Name: SRX-IKE-GATEWAY
Role: Initiator, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: 0000000000000000
Exchange type: Aggressive, Authentication method: Pre-shared-keys
Local: 172.16.0.3:500, Remote: 10.30.30.2:500
Peer ike-id: not available
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : (null)
Encryption : (null)
Pseudo random function: (null)
Diffie-Hellman group : unknown
Traffic statistics:
Input bytes : 0
Output bytes : 460
Input packets: 0
Output packets: 1
IPSec security associations: 0 created, 0 deleted
Phase 2 negotiations in progress: 0
Configuration
root@SRXHQ# show security ike
proposal SRX-ISAKMP-PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy SRX-ISAKMP-POLICY {
mode aggressive;
proposals SRX-ISAKMP-PROPOSAL;
pre-shared-key ascii-text "$9$rS0Kv8Xx-g4Jk.hy"; ## SECRET-DATA
}
gateway SRX-IKE-GATEWAY {
ike-policy SRX-ISAKMP-POLICY;
dynamic user-at-hostname "user1@abc.com.au";
external-interface ge-0/0/0;
}
[edit]
root@SRXHQ#
root@SRXREMOTE# show security ike
proposal SRX-ISAKMP-PROPOSAL {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
policy SRX-ISAKMP-POLICY {
mode aggressive;
proposals SRX-ISAKMP-PROPOSAL;
pre-shared-key ascii-text "$9$aNGUikqPn6C1R2o"; ## SECRET-DATA
}
gateway SRX-IKE-GATEWAY {
ike-policy SRX-ISAKMP-POLICY;
address 10.30.30.2;
local-identity user-at-hostname "user1@abc.com.au";
external-interface ge-0/0/0;
}
[edit]
root@SRXREMOTE#
Output from my NAT router:
LTEPROVIDER#sh ip nat transl
Pro  Inside global     Inside local      Outside local     Outside global
udp  10.10.10.1:500    172.16.0.3:500    10.20.20.2:500    10.20.20.2:500
udp  10.10.10.1:500    172.16.0.3:500    10.30.30.2:500    10.30.30.2:500
udp  10.10.10.1:500    172.16.0.3:500    10.30.30.2:500    10.30.30.2:500
I will really appreciate some insight.
------------------------------
Regards
Paul Basondole
------------------------------
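As an added example (not from the post, and not a Juniper tool), a small Python helper that parses the two "show security ike security-associations detail" outputs quoted above, pairs the two SRX views by initiator cookie, and reports where the exchange stalls. The sample input is constructed from the post's output, and the reading rules (counter asymmetry, Gateway Name N/A) are assumptions about what those fields indicate.

```python
# Constructed sample, modelled on the two "show security ike security-associations detail"
# outputs in the post: HQ (responder) view first, remote (initiator) view second.
SAMPLE = """\
IKE peer 10.10.10.1, Index 5149998, Gateway Name: N/A
Role: Responder, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: a7b47f85c1167b5c
Exchange type: Any, Authentication method: Unknown
Input packets: 1
Output packets: 1
IKE peer 10.30.30.2, Index 3078681, Gateway Name: SRX-IKE-GATEWAY
Role: Initiator, State: DOWN
Initiator cookie: 27a88bbe65f241bf, Responder cookie: 0000000000000000
Exchange type: Aggressive, Authentication method: Pre-shared-keys
Input packets: 0
Output packets: 1
"""


def parse_ike_sas(text):
    """One dict per 'IKE peer' block; comma-separated 'key: value' pairs become fields."""
    sas = []
    for line in text.splitlines():
        if line.startswith("IKE peer"):
            sas.append({})
            line = line.replace("IKE peer", "Peer:", 1)  # expose the peer address as a field
        if not sas:
            continue
        for part in line.split(","):
            if ":" in part:
                key, value = part.split(":", 1)  # split once: values like 172.16.0.3:500 keep their port
                sas[-1][key.strip()] = value.strip()
    return sas


def correlate(sas):
    """Pair initiator and responder views by initiator cookie and list findings.
    Assumed reading rules: if the responder sent more packets than the initiator
    received, replies are not reaching the initiator; Gateway Name 'N/A' on the
    responder means no configured IKE gateway matched the incoming peer."""
    by_cookie = {}
    for sa in sas:
        by_cookie.setdefault(sa.get("Initiator cookie"), {})[sa.get("Role")] = sa
    findings = []
    for cookie, sides in by_cookie.items():
        ini, rsp = sides.get("Initiator"), sides.get("Responder")
        if not (ini and rsp):
            continue
        sent_back, got_back = int(rsp["Output packets"]), int(ini["Input packets"])
        if sent_back > got_back:
            findings.append("%s: responder sent %d reply packet(s), initiator received %d;"
                            " replies are not arriving at the initiator" % (cookie, sent_back, got_back))
        if rsp.get("Gateway Name") == "N/A":
            findings.append("%s: responder matched no IKE gateway for the peer (Gateway Name: N/A)" % cookie)
    return findings
```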