In my previous articles I explained how to configure a site-to-site IPSec VPN on Juniper SSG with a dynamic IP on one side. Here I am going to explain how to configure and implement a Juniper SRX to SSG dynamic site-to-site IPSec VPN. A dynamic site-to-site VPN is a type of IPSec VPN in which one side has a dynamic IP address or DHCP on the interface facing the internet and the other side has a static IP address.
I have configured the VPN tunnel 1 interface on the SSG device. You can bind it to a zone other than the trust zone if you wish.
The destination network is routed through the tunnel 1 interface, which is attached to the Phase-II VPN, to reach the SSG on the other side across the internet cloud.
Traffic passing through the internet cloud is encrypted to protect the data against unauthorized access.
CLI procedure: this is the way I most prefer to configure a Juniper device. For the route carrying tunnel traffic, the next hop would normally be the gateway IP address of the peer device, but here st0.0 has been specified because no IP address is defined on the tunnel interface of the peer device.
Some facts behind the dynamic site-to-site IPSec VPN

Dynamic site-to-site IPSec VPN network scenario

In the above scenario, there is a static IP address on the SRX side and a dynamic IP address on the SSG side.
For this scenario, I have used Junos 11.4 on the SRX device and ScreenOS 6.3.0r8.0 on the SSG device. The SSG has a dynamic IP on the interface facing the internet/WAN. All the configuration steps here are based on the VPN parameters listed in the above table. To separate the security policies for non-VPN and VPN traffic, the secure tunnel interface can be assigned to a zone other than the WAN and LAN zones, but I assigned it to the LAN zone to make the policies easy to configure. IKE must be allowed as a host-inbound system service in the internet-facing zone (WAN) so that IKE negotiations can be established between the VPN peer devices.
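The three SRX-side points described above (IKE allowed as host-inbound traffic in the WAN zone, st0.0 bound to a security zone, and the remote network routed to st0.0) can be checked against a saved `set`-format configuration. The script below is an added example, not part of the original article; the sample configuration, the ge- interface names and the 192.0.2.0/24 remote network are constructed placeholders, and the warning on `system-services all` goes beyond what the article states.

```python
import re

# Constructed sample of SRX "set" statements (not taken from the article). Zone
# names WAN/LAN follow the article; 192.0.2.0/24 and ge- names are placeholders.
SAMPLE_CONFIG = """\
set interfaces st0 unit 0 family inet
set security zones security-zone WAN interfaces ge-0/0/0.0
set security zones security-zone WAN host-inbound-traffic system-services ike
set security zones security-zone LAN interfaces ge-0/0/1.0
set security zones security-zone LAN interfaces st0.0
set routing-options static route 192.0.2.0/24 next-hop st0.0
"""

def audit_srx_vpn(config, wan_zone="WAN", tunnel_if="st0.0",
                  remote_net="192.0.2.0/24"):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. IKE must be a permitted host-inbound service in the WAN zone,
    #    set either zone-wide or on an interface inside that zone.
    svc = re.compile(rf"set security zones security-zone {re.escape(wan_zone)} "
                     r"(?:interfaces \S+ )?host-inbound-traffic "
                     r"system-services (\S+)$")
    services = {m.group(1) for ln in lines if (m := svc.match(ln))}
    if not services & {"ike", "all"}:
        findings.append(f"ike not allowed inbound on zone {wan_zone}")
    if "all" in services:
        findings.append(f"zone {wan_zone} accepts all system services")

    # 2. The secure tunnel interface must be bound to exactly one zone.
    bind = re.compile(r"set security zones security-zone (\S+) interfaces "
                      rf"{re.escape(tunnel_if)}$")
    zones = {m.group(1) for ln in lines if (m := bind.match(ln))}
    if len(zones) != 1:
        findings.append(f"{tunnel_if} bound to {len(zones)} zones, expected 1")

    # 3. The remote LAN must be routed to the tunnel interface itself, as in
    #    the article, since the peer's tunnel interface has no IP address.
    route = re.compile(rf"set routing-options static route "
                       rf"{re.escape(remote_net)} next-hop (\S+)$")
    hops = {m.group(1) for ln in lines if (m := route.match(ln))}
    if hops != {tunnel_if}:
        findings.append(f"route to {remote_net} uses {sorted(hops) or 'nothing'}"
                        f", expected {tunnel_if}")
    return findings

if __name__ == "__main__":
    print(audit_srx_vpn(SAMPLE_CONFIG) or "all checks passed")
```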