There are a couple of things I'm not getting.
I found a doc that says to add: set security ike gateway ike-gateway1 local-identity hostname juniper.net;
But I don't know what side to put it on. Or if it goes on both sides.
So if I'm doing this:
FW1 -> FW2 -> INTERNET -> FW3 (where FW 2 is the NAT, and tunnel is configured between 1 and 3)
It would look like this on both sides?:
set security ike proposal ike-Test00-proposal authentication-method pre-shared-keys
set security ike proposal ike-Test00-proposal dh-group group2
set security ike proposal ike-Test00-proposal authentication-algorithm sha1
set security ike proposal ike-Test00-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-Test00-policy mode main
set security ike policy ike-Test00-policy proposals ike-Test00-proposal
set security ike policy ike-Test00-policy pre-shared-key ascii-text elvisike123
set security ike gateway gw-Test00 external-interface <outbound interface>
set security ike gateway gw-Test00 ike-policy ike-Test00-policy
set security ike gateway gw-Test00 address <public ip>
set security ike gateway gw-Test00 local-identity hostname testvpn.fqdn.com
I don't suppose anyone can point me to a doc that shows all of this in 1 place?
In this case it's pretty simple. I hope that you do not have any dynamic IP assigned to FW1 or FW3; the only thing here is that FW1 is behind a NAT device. So FW1 will have all the normal configuration plus the following added config of "local identity":
set security ike gateway gw-Test00 local-identity inet <NAT Public IP of FW2>
You use local identity as hostname when you have a dynamic or DHCP IP; if they are all static, you can use local identity inet and give the public NAT IP of FW2 in FW1.
FW3 will have the gateway IP as the FW2 NAT IP. So FW3 will have the normal configuration.
Thank you for the response. That makes perfect sense. I've been out the past several days; once I get caught up on some things, I'll try that config out.
What ports do I have to open to get the VPN to pass through FW2?
I have UDP 500 and 4500, as well as protocols 50 and 51.
Am I missing any?
Yes, those are the only ports required for your VPN connection.
If you are having problems getting the tunnel to come up see the verification section of this document for the troubleshooting commands.
Alrighty. This tunnel is up and running. Thanks both of you for your input!