Hello ladies & gents,
I am new to Juniper and to JunOS in general, but I found it easier to learn, so in order to take my first steps with the real deal (SRX) I first got vSRX in order to test some things. One of them is IPsec site-to-site VPN.
I've got to try this with two different home modem-routers... let's say one in Antarctica and the other in the Arctic, with VMware Workstation as my platform, and I put my VMs in Bridged mode. For testing purposes I supposedly accept my 2 different dynamic IPs as static IPs...
I used as my guide this one:
and because I got stuck on the logic of
I consider reading this:
As necessary in order to continue... Is it really necessary to make this routing from pp0.0, or can we just use the above logic with a better configuration?
I wrote some questions in order to get this better!
*r.s. = real scenario
Please find the answers to your queries in the above post below:
1. set interfaces ge-0/0/3 unit 0 family inet address 126.96.36.199/30 <-- in r.s.* this interface is our default gateway? 192.168.1.1?
Yes, in R.S. this is your default gateway interface (connected to the modem/router).
2. set interfaces st0 unit 0 family inet address 10.11.11.10/24 <-- in r.s. this is our virtual IP? Right? We can set it as we want?
Yes, this is a virtual IP and you can set it as you want, or you can even leave this interface without an IP address (unnumbered), but you will have to at least configure "family inet" for this interface to work. Also, you will have to assign this interface to a security zone.
3. set routing-options static route 0.0.0.0/0 next-hop 188.8.131.52 <-- What is the role of 184.108.40.206 and what is its logical connection to 220.127.116.11?
This is the default route, which should be present on the SRX to send all the traffic from the SRX to the next hop. 18.104.22.168 is your next hop IP address (in R.S. it should be the IP address of the router/modem connecting to the SRX). When you use a PPPoE interface, generally the default route is also learned through PPPoE, and in such a case you will not have to configure the above route, but if it is not learned through PPPoE then you have to configure the route as "set routing-options static route 0.0.0.0/0 next-hop pp0.0".
set routing-options static route 192.168.168.0/24 next-hop st0.0 - This route is for specifying the encryption domain of the VPN tunnel. This route means that any traffic arriving on the SRX for the destination 192.168.168.0/24 has to go over the tunnel interface st0.0. (192.168.168.0/24 is the remote subnet which should be accessible over the VPN tunnel.)
Hence, as I have answered in query no. 3, if the default route is already present on the SRX, learned through PPPoE, then you do not need the route "set routing-options static route 0.0.0.0/0 next-hop pp0.0"; otherwise you will need it.
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂
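The points in the answer above can be checked mechanically against a "set"-format configuration. The following is an added example, not part of the original posts and not Juniper tooling: the function name and the sample configuration are hypothetical, and the outside address and next hop are constructed documentation-range values. It assumes flat "set" lines only, with no groups or inheritance.

```python
import re

# Constructed sample in Junos "set" format. The outside address and next hop
# are documentation-range placeholders; st0 and the remote subnet follow the thread.
SAMPLE = """\
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.2/30
set interfaces st0 unit 0 family inet
set security zones security-zone untrust interfaces ge-0/0/3.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 192.168.168.0/24 next-hop st0.0
"""

def check_route_based_vpn(config, tunnel="st0.0", remote="192.168.168.0/24"):
    """Return a list of findings; an empty list means all four checks pass."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    ifd, unit = tunnel.split(".")
    findings = []

    # 1. Tunnel unit needs family inet, numbered or unnumbered.
    inet = f"set interfaces {ifd} unit {unit} family inet"
    if not any(l == inet or l.startswith(inet + " ") for l in lines):
        findings.append(f"{tunnel}: family inet not configured")

    # 2. Tunnel interface must belong to a security zone.
    zone = re.compile(rf"^set security zones security-zone \S+ interfaces {re.escape(tunnel)}(\s|$)")
    if not any(zone.match(l) for l in lines):
        findings.append(f"{tunnel}: not assigned to a security zone")

    # 3. Remote subnet must be routed into the tunnel.
    if f"set routing-options static route {remote} next-hop {tunnel}" not in lines:
        findings.append(f"{remote}: no static route via {tunnel}")

    # 4. Static default route (may be learned via PPPoE instead).
    if not any(l.startswith("set routing-options static route 0.0.0.0/0 next-hop ") for l in lines):
        findings.append("0.0.0.0/0: no static default route (fine if learned through PPPoE)")
    return findings

if __name__ == "__main__":
    for finding in check_route_based_vpn(SAMPLE):
        print("FINDING:", finding)
```

The constructed sample deliberately omits the zone assignment for st0.0, so the check reports that one finding.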
I am the same user...I just had to create new account after login problem.
First of all, thank you very much for your reply! After that I tried all these days to run it! Again and again... but I am stuck! So I uploaded the two configurations of SRX-A and SRX-B for you... please check them.
I don't know if there is anything wrong...cause I always get on:
show security ike security-associations
1) Has NAT anything to do with that scenario?
2) I noticed something strange: I have 3 PCs... when I load the vSRX image on one of them... there are no ge-0/0 interfaces at all... so even if I edit the configuration in order to assign an IP address on ge... this will be lost because no such interface exists! Logical, right? But I use the same settings on all three of them... I mean the same number of VMware Workstation network interfaces... why is this happening?