I have recently been tasked to set up a VPN on an SRX300 to peer with our HQ Juniper firewall. Part of the requirement is that the SRX300 should be able to connect to HQ with different peer addresses as it will be moved to different locations around the country and still peer with HQ.
My main issue is that our HQ firewall is locked down with security policies to allow only specific IPs in, so unless I specify the SRX300's gateway IP on the HQ, the VPN will not come up.
Is there a way that I can add a security rule to allow any incoming IKE packet from the SRX300's hostname whilst blocking every other incoming attempt?
Thanks in advance for your responses.
Referring to the attached config seen below, normally I would put the SRX300's IP in the address group ABC-VPN-GRP, but since the SRX300's address will be dynamically changing per new location, I cannot do this. The VPN only works when I add the line "set security ike gateway p1-customer-CompanyABC address 18.104.22.168".
Only the remote site will specify an IP address, not the static/HQ side. The HQ side will have only the matching host name. See this short example of the differences.
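An added worked example of the two sides described in that answer (this is not the original poster's config or the answer's own example, and the gateway, policy, interface, hostname and address values are assumptions chosen for illustration; 203.0.113.10 is a documentation-range placeholder standing in for the HQ public address). The HQ side binds the IKE gateway to the remote peer's IKE identity with `dynamic hostname` instead of an `address`, and the roaming SRX300 side carries the fixed HQ address plus a matching `local-identity hostname`. IKEv2 is used so that main/aggressive mode is not a concern for a pre-shared-key peer with a dynamic address:

```junos
## HQ (static) side: no peer address, match the remote on its IKE identity
set security ike proposal ike-prop-ABC authentication-method pre-shared-keys
set security ike proposal ike-prop-ABC dh-group group14
set security ike proposal ike-prop-ABC authentication-algorithm sha-256
set security ike proposal ike-prop-ABC encryption-algorithm aes-256-cbc
set security ike policy ike-pol-ABC proposals ike-prop-ABC
set security ike policy ike-pol-ABC pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway p1-customer-CompanyABC ike-policy ike-pol-ABC
set security ike gateway p1-customer-CompanyABC dynamic hostname srx300.branch.example.com
set security ike gateway p1-customer-CompanyABC external-interface ge-0/0/0.0
set security ike gateway p1-customer-CompanyABC version v2-only
set security ipsec vpn vpn-ABC bind-interface st0.0
set security ipsec vpn vpn-ABC ike gateway p1-customer-CompanyABC
set security ipsec vpn vpn-ABC ike ipsec-policy ipsec-pol-ABC
## IKE must still be accepted on the untrust zone; the peer's address is not known in advance
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

## SRX300 (roaming) side: fixed HQ address, identity sent as hostname
set security ike policy ike-pol-HQ proposals ike-prop-ABC
set security ike policy ike-pol-HQ pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway p1-HQ ike-policy ike-pol-HQ
set security ike gateway p1-HQ address 203.0.113.10
set security ike gateway p1-HQ local-identity hostname srx300.branch.example.com
set security ike gateway p1-HQ external-interface ge-0/0/0.0
set security ike gateway p1-HQ version v2-only
set security ipsec vpn vpn-HQ bind-interface st0.0
set security ipsec vpn vpn-HQ ike gateway p1-HQ
set security ipsec vpn vpn-HQ ike ipsec-policy ipsec-pol-ABC
set security ipsec vpn vpn-HQ establish-tunnels immediately
```

Two points worth checking on the HQ box. First, the hostname in `dynamic hostname` is compared against the IKE identity the SRX300 sends, not resolved through DNS, so it does not have to exist in DNS but must match `local-identity hostname` on the branch exactly. Second, because the branch address is unknown, the HQ side can only be the responder; the `host-inbound-traffic system-services ike` line (or an equivalent firewall filter on UDP 500/4500) has to admit IKE from any source, and the lock-down to a single peer happens at the IKE layer through the identity and pre-shared key rather than in a source-IP security policy. `show security ike security-associations` and `show security ipsec security-associations` on either side confirm whether the tunnel came up with the expected identity.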