Thanks man, I've been able to successfully replicate and adapt your settings here. Interesting to see what needs to be changed if the IPsec tunnel is not being built over a P2P link as in this example but over the internet. And to make things more complicated, the WAN interface is pp0.0 and the public IP address changes. Would appreciate seeing such an example too!
Hello Vendetta, glad to hear you were able to successfully replicate the lab in your setup. I put both devices on the network in this lab environment to simulate a WAN scenario where both of the public IPs would be reachable on the internet. Essentially, swapping out the WAN interfaces with public IPs in a real scenario should work just fine; however, it's worth noting that if you're configuring an IPsec VPN to a neighbor that doesn't have a static public IP and receives its address via DHCP, then you want to ensure that IKE tunnel mode is set to aggressive instead of main. Hope this helps!
An interesting "side effect" upon VPN configuration. In my case SRX-A has internet connectivity and subnets connected to SRX-B also had access to internet via SRX-A. After VPN setup internet connectivity failed for PCs on SRX-B. Default route towards P2P interface and specific route to SRX-A subnet via st0 as per VPN config.
Nice to hear you've taken the lab a step further :) - you're also right, setting the necessary routes is critical to ensure traffic is routed properly to the appropriate destination networks.
Turns out asymmetric routing is the problem. Traffic leaving SRX-B via PTP link (ge, not st0) and returning from SRX-B via the st0, as per config. I suppose policy-based routing (aka routing based on source) could solve this; however, I did not have the time to try it.
What website are you using to present the network layout?
Hi, the platform used in the videos is a network emulation platform called "EVE-NG".
@jongreenit thank you sir
Thank you!
Which Junos version are you using? I'm not able to type the security zone command!!
Security zones and policies can only be configured on SRX devices. Is that what you’re using?
@jongreenit Thanks, I got it!! BTW, which Junos technology is analogous to Cisco DMVPN technology?
@dannjkt4890 Np, check out the ADVPN by Juniper :)
Hello, can I get your email?
Let’s connect on LinkedIn: www.linkedin.com/in/jongreenit