[j-nsp] SRX-SRX IPSec multipoint with dynamic endpoints fails with new IP

Aaron Dewell aaron.dewell at gmail.com
Mon Dec 17 16:53:14 EST 2012


Hello all,

So I have this hub-and-spoke multipoint VPN on various SRX240 firewalls.  It's working generally; the problem is with the dynamic endpoints.  When they shift IP addresses, the hub won't allow them to connect anymore because of the old state from the prior IP address.

Is this something that DPD (which is not configured) would solve?  Is there another solution that would be better?

Below is the hub site configuration.  The spokes look similar (except address instead of dynamic defining the hub's fixed IP and different external-interface).  The hub is a cluster if that makes a difference.

Thanks for any insight!

Aaron


ike {
    policy remotes {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text bla;
    }
    gateway SITEX {
        ike-policy remotes;
        dynamic inet WAN-SITEX-IP;
        local-identity inet WAN-LOCAL-IP;
        external-interface reth2.0;
    }
}
ipsec {
    policy remotes {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn SITEX {
        bind-interface st0.0;
        ike {
            gateway SITEX;
            ipsec-policy remotes;
        }
    }
}

st0 {
    unit 0 {
        multipoint;
        family inet {
            address WAN-LOCAL-IP/22;
        }
    }
}
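As an added example (not the poster's configuration, and not verified against the hub in question): the same hub gateway with Junos `dead-peer-detection` enabled, which is one way for the hub to notice that a spoke has stopped answering and tear down the stale IKE and IPsec SAs so the spoke can rebuild from its new address. The `interval` and `threshold` values are assumed; `SITEX`, `remotes`, `reth2.0` and the address names are the poster's.

```junos
security {
    ike {
        policy remotes {
            /* Aggressive mode kept from the original; with IKEv1 and a
               pre-shared key it is what dynamic-address peers require. */
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "<PSK-PLACEHOLDER>";
        }
        gateway SITEX {
            ike-policy remotes;
            /* Spoke identified by its IKE ID, not its source address. */
            dynamic inet WAN-SITEX-IP;
            local-identity inet WAN-LOCAL-IP;
            external-interface reth2.0;
            dead-peer-detection {
                /* Probe even while traffic is flowing, so a spoke that
                   silently changed address is detected promptly. */
                always-send;
                /* Assumed values: a probe every 10 s, peer declared dead
                   after 3 unanswered probes (about 30 s), after which the
                   IKE and IPsec SAs for this gateway are cleared. */
                interval 10;
                threshold 3;
            }
        }
    }
}
```

On the hub, `show security ike security-associations` should show the old SA drop out within roughly interval times threshold seconds of the spoke moving; until DPD is in place, `clear security ike security-associations` and `clear security ipsec security-associations` remove the stale state by hand.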
