
  • 1.  VPN behind a Router

    Posted 07-13-2021 06:38
    Hello, I have an SRX 320, but because of issues in getting the dedicated data line, our team has decided to use a shared router having a public IP address.

    What we are planning is to connect the SRX 320 Ethernet port (any port) to this router.

    The router has the public IP. The goal is to establish a VPN tunnel with AWS.

    So we have to use Dynamic VPN on the SRX with aggressive mode? Do we have to define the public IP address of the router in the SRX VPN config, or only the interface or device host ID?

    Also, will this VPN work only in one direction, from our site > AWS?

    What if the tunnel is down for some moment and AWS initiates the traffic? Will it come up?


  • 2.  RE: VPN behind a Router

    Posted 07-14-2021 17:02
    Sounds like you will have the SRX on a private IP address behind the publicly connected router, which would need to have a static IP for a typical AWS site-to-site deployment.

    If the router with the public address has the ability to create VPNs, your best bet is to terminate it there.  I am pretty sure AWS site-to-site does not support the client aggressive on-demand model but assumes an infrastructure fixed IP address, device to device.

    If the router is not an option, perhaps there is a second IP address in the static range that the router could NAT-forward to the SRX.  But for this to work AWS will need to support enabling NAT traversal in the VPN options.  I'm not sure if that is a choice.

    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)

  • 3.  RE: VPN behind a Router

    Posted 07-15-2021 08:49
    I just checked, and what Steve said looks to be correct.  Per the Amazon AWS site:

    "You must have an internet-routable IP address to use as the endpoint for the IPsec tunnels that connect your customer gateway device to the virtual private gateway. If a firewall is in place between the internet and your gateway, the rules in the following tables must be in place to establish the IPsec tunnels. The virtual private gateway addresses are in the configuration file."

    So that says that your VPN termination device (in your case the SRX) must have a public IP.

    (aka Fryguy)

  • 4.  RE: VPN behind a Router

    Posted 07-15-2021 09:04
    Hi Jeff,
    I think Steve didn't mention that the SRX, which is behind an internet router, should have an IP address.
    He said that the router should be able to NAT with a different public IP address other than its own interface IP.

    So the SRX can build the VPN by using the public IP of the router and does not need to have its own public IP.
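As an added illustration of the design the thread converges on (example configuration written for this page, not posted by anyone in the thread and not taken from Juniper or AWS documentation): the SRX terminates IPsec on its private-side interface, the router NATs it out, and the AWS customer gateway is assumed to have been created with the router's public IP as its address. IKEv2 is used, which has no main/aggressive mode distinction, and the SRX identifies itself by hostname rather than by the private address the router rewrites. The AWS tunnel address, the hostname, the interface names and the pre-shared key are placeholders.

```junos
## Assumptions (not from the thread): ge-0/0/0.0 faces the NAT router,
## st0.0 is the tunnel interface, and AWS-TUNNEL1-PUBLIC-IP, the hostname
## and the PSK are placeholders to be replaced with real values.

## IKEv2 phase 1. nat-keepalive makes the SRX send periodic packets so the
## router's UDP/4500 NAT mapping does not expire while the tunnel is idle.
set security ike proposal AWS-IKE-PROP authentication-method pre-shared-keys
set security ike proposal AWS-IKE-PROP dh-group group14
set security ike proposal AWS-IKE-PROP authentication-algorithm sha-256
set security ike proposal AWS-IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal AWS-IKE-PROP lifetime-seconds 28800
set security ike policy AWS-IKE-POL proposals AWS-IKE-PROP
set security ike policy AWS-IKE-POL pre-shared-key ascii-text "PLACEHOLDER-PSK"

set security ike gateway AWS-GW ike-policy AWS-IKE-POL
set security ike gateway AWS-GW address AWS-TUNNEL1-PUBLIC-IP
## Identify by hostname: the source address AWS sees is the router's, not ours
set security ike gateway AWS-GW local-identity hostname srx-site1.example.net
set security ike gateway AWS-GW external-interface ge-0/0/0.0
set security ike gateway AWS-GW version v2-only
set security ike gateway AWS-GW nat-keepalive 10
set security ike gateway AWS-GW dead-peer-detection always-send

## Phase 2 / child SA
set security ipsec proposal AWS-IPSEC-PROP protocol esp
set security ipsec proposal AWS-IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal AWS-IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal AWS-IPSEC-PROP lifetime-seconds 3600
set security ipsec policy AWS-IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy AWS-IPSEC-POL proposals AWS-IPSEC-PROP

set security ipsec vpn AWS-VPN1 bind-interface st0.0
set security ipsec vpn AWS-VPN1 ike gateway AWS-GW
set security ipsec vpn AWS-VPN1 ike ipsec-policy AWS-IPSEC-POL
## Bring the SA up from the SRX side and keep it up, so traffic that first
## arrives from AWS finds a tunnel already established rather than waiting
## for this side to initiate.
set security ipsec vpn AWS-VPN1 establish-tunnels immediately
```

For this to work the router must forward inbound UDP/500 and UDP/4500 to the SRX's private address, which is the "NAT forward" arrangement described earlier in the thread; ESP itself is carried inside UDP/4500 once NAT is detected, so no separate protocol 50 rule is needed. After committing, `show security ike security-associations` should list the AWS peer with a NAT-T indication, and `show security ipsec security-associations` should show the child SA on st0.0; if the tunnel never comes up, the IKE identity and the customer gateway address on the AWS side are the first things to compare.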