Hello Community,
I have recently been tasked to set up a VPN on an SRX300 to peer with our HQ Juniper firewall. Part of the requirement is that the SRX300 should be able to connect to HQ with different peer addresses as it will be moved to different locations around the country and still peer with HQ.
My main issue is that our HQ Firewall is locked down with security policies to allow only specific IPs in, so unless I specify the SRX300's gateway IP on the HQ, the VPN will not come up.
Is there a way that I can add a security rule to allow any incoming IKE packet from the SRX300's hostname whilst blocking every other incoming attempt?
Thanks in advance for your responses.
Referring to the attached config seen below, normally I would put the SRX300's IP in the address group ABC-VPN-GRP, but since the SRX300's address will be dynamically changing per new location, I cannot do this.
The VPN only works when I add the line "set security ike gateway p1-customer-CompanyABC address 1.1.1.1"
HQ FW
set security ike proposal p1-proposal-CompanyABC-1 authentication-method pre-shared-keys
set security ike proposal p1-proposal-CompanyABC-1 dh-group group20
set security ike proposal p1-proposal-CompanyABC-1 authentication-algorithm sha-256
set security ike proposal p1-proposal-CompanyABC-1 encryption-algorithm aes-256-cbc
set security ike proposal p1-proposal-CompanyABC-1 lifetime-seconds 28800
set security ike policy p1-policy-cust-CompanyABC mode main
set security ike policy p1-policy-cust-CompanyABC proposals p1-proposal-CompanyABC-1
set security ike policy p1-policy-cust-CompanyABC pre-shared-key ascii-text "$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set security ike gateway p1-customer-CompanyABC ike-policy p1-policy-cust-CompanyABC
set security ike gateway p1-customer-CompanyABC address 1.1.1.1
set security ike gateway p1-customer-CompanyABC remote-identity hostname CompanyABC-networks.com
set security ike gateway p1-customer-CompanyABC external-interface ae1.3002
set security ike gateway p1-customer-CompanyABC version v2-only
set security ipsec vpn vpn-cust-CompanyABC ike gateway p1-customer-CompanyABC
set security ipsec vpn vpn-cust-CompanyABC ike ipsec-policy p2-policy-CompanyABC
set security ipsec proposal p2-proposal-CompanyABC protocol esp
set security ipsec proposal p2-proposal-CompanyABC authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2-proposal-CompanyABC encryption-algorithm aes-256-cbc
set security ipsec proposal p2-proposal-CompanyABC lifetime-seconds 3600
set security ipsec policy p2-policy-CompanyABC perfect-forward-secrecy keys group19
set security ipsec policy p2-policy-CompanyABC proposals p2-proposal-CompanyABC
set security ipsec vpn vpn-cust-CompanyABC bind-interface st0.12
set security ipsec vpn vpn-cust-CompanyABC establish-tunnels immediately
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match source-address ABC-VPN-GRP
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match destination-address ABCFWP01
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application junos-ike
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application ipsec-500
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN match application ipsec-1500
set security policies from-zone UNTRUST to-zone UNTRUST policy UNTRUST-TO-UNTRUST-ABC-VPN then permit
REMOTE SRX300
set security ike traceoptions file vpn-log
set security ike traceoptions flag all
set security ike proposal p1-base-proposal authentication-method pre-shared-keys
set security ike proposal p1-base-proposal dh-group group20
set security ike proposal p1-base-proposal authentication-algorithm sha-256
set security ike proposal p1-base-proposal encryption-algorithm aes-256-cbc
set security ike proposal p1-base-proposal lifetime-seconds 28800
set security ike policy p1-policy-CompanyABC proposals p1-base-proposal
set security ike policy p1-policy-CompanyABC pre-shared-key ascii-text "$xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
set security ike gateway p1-gateway-CompanyABC-dail-VPN ike-policy p1-policy-CompanyABC
set security ike gateway p1-gateway-CompanyABC-dail-VPN address 2.2.2.2
set security ike gateway p1-gateway-CompanyABC-dail-VPN local-identity hostname CompanyABC-networks.com
set security ike gateway p1-gateway-CompanyABC-dail-VPN external-interface ge-0/0/0.0
set security ike gateway p1-gateway-CompanyABC-dail-VPN version v2-only
set security ipsec vpn vpn-CompanyABC-cloud ike gateway p1-gateway-CompanyABC-dail-VPN
set security ipsec vpn vpn-CompanyABC-cloud ike ipsec-policy p2-base-policy
set security ipsec proposal p2-base-proposal protocol esp
set security ipsec proposal p2-base-proposal authentication-algorithm hmac-sha-256-128
set security ipsec proposal p2-base-proposal encryption-algorithm aes-256-cbc
set security ipsec proposal p2-base-proposal lifetime-seconds 3600
set security ipsec policy p2-base-policy perfect-forward-secrecy keys group19
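One way to accept the SRX300 by its IKE hostname identity rather than by a fixed address, as an added example that is not part of the original post or the poster's config: it keeps the gateway, policy and interface names above, and it assumes that ae1.3002 on the HQ firewall sits in zone UNTRUST and that the remote SRX300 does not yet have establish-tunnels configured.

```junos
# HQ FW: switch the gateway from a fixed peer address to a dynamic peer matched on its IKE ID.
# 'dynamic' is mutually exclusive with 'address' and 'remote-identity', so remove those first.
delete security ike gateway p1-customer-CompanyABC address 1.1.1.1
delete security ike gateway p1-customer-CompanyABC remote-identity hostname CompanyABC-networks.com
set security ike gateway p1-customer-CompanyABC ike-policy p1-policy-cust-CompanyABC
set security ike gateway p1-customer-CompanyABC dynamic hostname CompanyABC-networks.com
set security ike gateway p1-customer-CompanyABC external-interface ae1.3002
set security ike gateway p1-customer-CompanyABC version v2-only
# HQ no longer knows the peer address, so it can only respond; it must not try to initiate.
delete security ipsec vpn vpn-cust-CompanyABC establish-tunnels immediately
# Assumption: ae1.3002 is in zone UNTRUST. IKE addressed to the SRX itself is admitted by
# host-inbound-traffic on the zone, not by the UNTRUST-to-UNTRUST policy, so no source address is needed.
set security zones security-zone UNTRUST interfaces ae1.3002 host-inbound-traffic system-services ike
# REMOTE SRX300: it is now the only side that can initiate, so bring the tunnel up on commit.
set security ipsec vpn vpn-CompanyABC-cloud establish-tunnels immediately
```

With a dynamic peer the hostname ID is only a selector, so the pre-shared key is the sole authentication and any host presenting that key and ID is accepted; certificate-based IKE authentication removes that dependence on one shared secret. After commit, `show security ike security-associations` and `show security ipsec security-associations` on the HQ show the SRX300's current source address for the established SA.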