Hello all,
So I have this hub-and-spoke multipoint VPN on various SRX240 firewalls. It's
working generally, the problem is with the dynamic endpoints. When they shift
IP addresses, the hub won't allow them to connect anymore because of the old
state from the prior IP address.
Is this something that DPD (which is not configured) would solve? Is there
another solution that would be better?
Below is the hub site configuration. The spokes look similar (except that they
use address instead of dynamic, defining the hub's fixed IP, and a different
external-interface). The hub is a cluster if that makes a difference.
Thanks for any insight!
Aaron
ike {
    policy remotes {
        mode aggressive;
        proposal-set standard;
        pre-shared-key ascii-text bla;
    }
    gateway SITEX {
        ike-policy remotes;
        /* spoke has a dynamic address, identified by its IKE ID */
        dynamic inet WAN-SITEX-IP;
        local-identity inet WAN-LOCAL-IP;
        external-interface reth2.0;
    }
}
ipsec {
    policy remotes {
        perfect-forward-secrecy {
            keys group2;
        }
        proposal-set standard;
    }
    vpn SITEX {
        bind-interface st0.0;
        ike {
            gateway SITEX;
            ipsec-policy remotes;
        }
    }
}
st0 {
    unit 0 {
        /* one tunnel interface shared by all spokes */
        multipoint;
        family inet {
            address WAN-LOCAL-IP/22;
        }
    }
}
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
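For reference, this is what enabling DPD on the hub gateway from the post would look like; it is an added example, not part of Aaron's message, and the interval and threshold values are illustrative placeholders.

```junos
security {
    ike {
        gateway SITEX {
            ike-policy remotes;
            dynamic inet WAN-SITEX-IP;
            local-identity inet WAN-LOCAL-IP;
            external-interface reth2.0;
            /* Added: send DPD probes even when no traffic flows over the
               tunnel, so a spoke that has gone away is detected */
            dead-peer-detection {
                always-send;
                /* seconds between probes (illustrative value) */
                interval 10;
                /* unanswered probes before the peer is declared dead */
                threshold 3;
            }
        }
    }
}
```

After committing, `show security ike security-associations` and `show security ipsec security-associations` on the hub list the current SAs, which is where a stale entry for a spoke's previous address would show up.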