SRX

Expand all | Collapse all

Vpn created behind NAT device

Jump to Best Answer
  • 1.  Vpn created behind NAT device

    Posted 04-20-2016 12:52

    There is a couple things I'm not getting. 

     

    I found a doc that says to add: set security ike gateway ike-gateway1 local-identity hostname juniper.net;

     

    But I don't know what side to put it on. Or if it goes on both sides.

     

    So if I'm doing this:

    FW1 -> FW2 -> INTERNET -> FW3 (where FW 2 is the NAT, and tunnel is configured between 1 and 3)

     

    It would look like this on both sides?:

    set security ike proposal ike-Test00-proposal authentication-method pre-shared-keys
    set security ike proposal ike-Test00-proposal dh-group group2
    set security ike proposal ike-Test00-proposal authentication-algorithm sha1
    set security ike proposal ike-Test00-proposal encryption-algorithm aes-128-cbc

    set security ike policy ike-Test00-policy mode main
    set security ike policy ike-Test00-policy proposals ike-Test00-proposal
    set security ike policy ike-Test00-policy pre-shared-key ascii-text elvisike123

    set security ike gateway gw-Test00 external-interface <outbound interface>
    set security ike gateway gw-Test00 ike-policy ike-Test00-policy
    set security ike gateway gw-Test00 address <public ip>

    set security ike gateway gw-Test00 local-identity hostname testvpn.fqdn.com

     

    I don't suppose anyone can point me to a doc that shows all of this in 1 place?

     



  • 2.  RE: Vpn created behind NAT device
    Best Answer

     
    Posted 04-20-2016 22:41

    Hello ,

     

    In this case its pritty simple . I hope that you do not have any Dynamic IP assigned to FW1 or FW3 , only thing here is that FW1 is behind a NAT device . So FW1 will have all the normal configuration  plus the following added config of "local identity "

     

    set security ike gateway gw-Test00 local-identity inet  <NAT Public IP of FW2 >

     

    You use local identity as hostname when we have dynamic or DHCP IP , if they all are static we can use  local identity inet and give public NAT IP of FW2 in FW1 .

     

    FW3 will have the gateway IP as the FW2 NAT IP . So FW3 will have normal configuration .



  • 3.  RE: Vpn created behind NAT device

    Posted 04-27-2016 09:08

    Thank you for the response. That makes perfect sense. I've been out that past several days once I get caught up on some things I'll try that config out.



  • 4.  RE: Vpn created behind NAT device

    Posted 05-04-2016 11:14

    What ports do I have to open to get the VPN to pass through FW2?

     

    I have UDP 500 and 4500. As well as protocol 50 and 51. 

     

    Am I missing any?



  • 5.  RE: Vpn created behind NAT device

     
    Posted 05-07-2016 04:55

    Yes, those are the only ports required for your VPN connection.

     

    If you are having problems getting the tunnel to come up see the verification section of this document for the troubleshooting commands.

     

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/ipsec-route-based-vpn-respndr-behind-nat-configuring.html



  • 6.  RE: Vpn created behind NAT device

    Posted 05-19-2016 12:45

    Alrighty. This tunnel is up and running. Thanks both of you for your input!