Channel: All SRX Services Gateway posts

Re: Site to Site VPN between a SRX w/dynamic IP to SRX w/static IP

I just got done doing this. Here are my scrubbed configs; I'm leaving out the routing and such.

My head-end SRX-240:

set interfaces st0 unit 10 description SOHO-10-
set security ike proposal SOHO-10 authentication-method pre-shared-keys
set security ike proposal SOHO-10 dh-group group2
set security ike proposal SOHO-10 authentication-algorithm sha-256
set security ike proposal SOHO-10 encryption-algorithm aes-256-cbc
set security ike proposal SOHO-10 lifetime-seconds 86400
set security ike policy SOHO-10 mode aggressive
set security ike policy SOHO-10 proposal-set compatible
set security ike policy SOHO-10 pre-shared-key ascii-text "yourkey here"
set security ike gateway SOHO-10 ike-policy SOHO-10
set security ike gateway SOHO-10 dynamic user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 dead-peer-detection always-send
set security ike gateway SOHO-10 dead-peer-detection interval 10
set security ike gateway SOHO-10 dead-peer-detection threshold 3
set security ike gateway SOHO-10 no-nat-traversal
set security ike gateway SOHO-10 local-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 external-interface vlan.0
set security ike gateway SOHO-10 version v1-only
set security ipsec proposal SOHO-10 protocol esp
set security ipsec proposal SOHO-10 authentication-algorithm hmac-sha1-96
set security ipsec proposal SOHO-10 encryption-algorithm aes-128-cbc
set security ipsec policy SOHO-10 perfect-forward-secrecy keys group2
set security ipsec policy SOHO-10 proposals SOHO-10
set security ipsec vpn SOHO-10 bind-interface st0.10
set security ipsec vpn SOHO-10 ike gateway SOHO-10
set security ipsec vpn SOHO-10 ike ipsec-policy SOHO-10
set security ipsec vpn SOHO-10 establish-tunnels on-traffic
set protocols ospf area 0.0.0.50 interface st0.10 interface-type p2p
set protocols ospf area 0.0.0.50 interface st0.10 authentication md5 1 key "your ospf key"
set security ipsec vpn SOHO-10 bind-interface st0.10
set security zones security-zone VPN interfaces st0.10 host-inbound-traffic system-services all
set security zones security-zone VPN interfaces st0.10 host-inbound-traffic protocols all
set protocols ospf export direct-opsf
set protocols ospf export exportstatic1
set protocols ospf area 0.0.0.50 stub default-metric 1
set routing-options router-id 172.30.50.254
set routing-options static route 0.0.0.0/0 next-hop 172.30.x.x

The other side, SRX210:

set snmp location "SOHO-10 home"
set security ike proposal SOHO-10 authentication-method pre-shared-keys
set security ike proposal SOHO-10 dh-group group2
set security ike proposal SOHO-10 authentication-algorithm sha-256
set security ike proposal SOHO-10 encryption-algorithm aes-256-cbc
set security ike proposal SOHO-10 lifetime-seconds 86400
set security ike policy SOHO-10 mode aggressive
set security ike policy SOHO-10 proposal-set compatible
set security ike policy SOHO-10 pre-shared-key ascii-text "yourkeyhere"
set security ike gateway SOHO-10 ike-policy SOHO-10
set security ike gateway SOHO-10 address 12.174.179.22
set security ike gateway SOHO-10 dead-peer-detection always-send
set security ike gateway SOHO-10 dead-peer-detection interval 10
set security ike gateway SOHO-10 dead-peer-detection threshold 3
set security ike gateway SOHO-10 no-nat-traversal
set security ike gateway SOHO-10 local-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 remote-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 external-interface ge-0/0/0.0
set security ike gateway SOHO-10 version v1-only
set security ipsec proposal SOHO-10 protocol esp
set security ipsec proposal SOHO-10 authentication-algorithm hmac-sha1-96
set security ipsec proposal SOHO-10 encryption-algorithm aes-128-cbc
set security ipsec policy SOHO-10 perfect-forward-secrecy keys group2
set security ipsec policy SOHO-10 proposals SOHO-10
set security ipsec vpn SOHO-10 bind-interface st0.0
set security ipsec vpn SOHO-10 ike gateway SOHO-10
set security ipsec vpn SOHO-10 ike ipsec-policy SOHO-10
set security ipsec vpn SOHO-10 establish-tunnels immediately
set interfaces st0 unit 0 family inet


set routing-options static route 10.0.0.0/8 next-hop st0.0
set routing-options static route 172.30.0.0/17 next-hop st0.0
set protocols ospf area 0.0.0.50 stub
set protocols ospf area 0.0.0.50 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.50 interface st0.0 authentication md5 1 key "ospfkey"


set security ipsec vpn SOHO-10 bind-interface st0.0


set security zones security-zone VPN interfaces st0.0


set routing-instances vpn-instance routing-options static route 0.0.0.0/0 next-hop st0.0

set routing-instances vpn-instance instance-type forwarding

This forces all user traffic over the VPN.

set firewall filter ALL_TRAFFIC_TO_VPN term 1 from source-address 172.30.x.x/29
set firewall filter ALL_TRAFFIC_TO_VPN term 1 then routing-instance vpn-instance
set firewall filter ALL_TRAFFIC_TO_VPN term 2 then accept

The following is the same on both sides:

set security policies from-zone CORE to-zone VPN policy CORE-TO-VPN match source-address any
set security policies from-zone CORE to-zone VPN policy CORE-TO-VPN match destination-address any
set security policies from-zone CORE to-zone VPN policy CORE-TO-VPN match application any
set security policies from-zone CORE to-zone VPN policy CORE-TO-VPN then permit
set security policies from-zone VPN to-zone CORE policy VPN-TO-CORE match source-address any
set security policies from-zone VPN to-zone CORE policy VPN-TO-CORE match destination-address any
set security policies from-zone VPN to-zone CORE policy VPN-TO-CORE match application any
set security policies from-zone VPN to-zone CORE policy VPN-TO-CORE then permit
set security policies from-zone VPN to-zone CORE policy SCCM-In-VPN match source-address SCCM
set security policies from-zone VPN to-zone CORE policy SCCM-In-VPN match destination-address any
set security policies from-zone VPN to-zone CORE policy SCCM-In-VPN match application SMB-SCCM
set security policies from-zone VPN to-zone CORE policy SCCM-In-VPN match application RPC-SCCM
set security policies from-zone VPN to-zone CORE policy SCCM-In-VPN then permit
set security policies from-zone VPN to-zone VPN policy VPN-TO-VPN match source-address any
set security policies from-zone VPN to-zone VPN policy VPN-TO-VPN match destination-address any
set security policies from-zone VPN to-zone VPN policy VPN-TO-VPN match application any
set security policies from-zone VPN to-zone VPN policy VPN-TO-VPN then permit
set security policies from-zone CORE to-zone MPLS policy CORE-TO-MPLS match source-address any
set security policies from-zone CORE to-zone MPLS policy CORE-TO-MPLS match destination-address any
set security policies from-zone CORE to-zone MPLS policy CORE-TO-MPLS match application any
set security policies from-zone CORE to-zone MPLS policy CORE-TO-MPLS then permit
set security policies from-zone MPLS to-zone CORE policy MPLS-TO-CORE match source-address any
set security policies from-zone MPLS to-zone CORE policy MPLS-TO-CORE match destination-address any
set security policies from-zone MPLS to-zone CORE policy MPLS-TO-CORE match application any
set security policies from-zone MPLS to-zone CORE policy MPLS-TO-CORE then permit
set security policies from-zone VPN to-zone MPLS policy VPN-TO-MPLS match source-address any
set security policies from-zone VPN to-zone MPLS policy VPN-TO-MPLS match destination-address any
set security policies from-zone VPN to-zone MPLS policy VPN-TO-MPLS match application any
set security policies from-zone VPN to-zone MPLS policy VPN-TO-MPLS then permit
set security policies from-zone MPLS to-zone VPN policy MPLS-TO-VPN match source-address any
set security policies from-zone MPLS to-zone VPN policy MPLS-TO-VPN match destination-address any
set security policies from-zone MPLS to-zone VPN policy MPLS-TO-VPN match application any
set security policies from-zone MPLS to-zone VPN policy MPLS-TO-VPN then permit
set security policies from-zone CORE to-zone CORE policy CORE-TO-CORE match source-address any
set security policies from-zone CORE to-zone CORE policy CORE-TO-CORE match destination-address any
set security policies from-zone CORE to-zone CORE policy CORE-TO-CORE match application any
set security policies from-zone CORE to-zone CORE policy CORE-TO-CORE then permit
set security zones security-zone CORE host-inbound-traffic system-services all
set security zones security-zone CORE host-inbound-traffic protocols all
set security zones security-zone CORE interfaces vlan.1 host-inbound-traffic system-services all
set security zones security-zone CORE interfaces vlan.1 host-inbound-traffic protocols all
set security zones security-zone CORE interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone CORE interfaces lo0.0 host-inbound-traffic protocols all
set security zones security-zone MPLS host-inbound-traffic system-services https
set security zones security-zone MPLS host-inbound-traffic system-services ike
set security zones security-zone MPLS interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone MPLS interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone MPLS interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone MPLS interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone MPLS interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone VPN host-inbound-traffic system-services all
set security zones security-zone VPN host-inbound-traffic protocols all
set security zones security-zone VPN interfaces st0.0

I use OSPF over the tunnel to bring in the SOHO local network, so I don't need static routes on the SRX-240 to each st0.x interface.

It also helps to know which tunnels are up with "show ospf nei", since the SRX bug will always show up.

These SOHO boxes can be plugged into any internet connection and will come up, so long as the local modem doesn't block the IKE or ESP traffic.

Do:

show security ipsec inactive-tunnels
Feb 03 16:48:46
  Total inactive tunnels: 0
  Total inactive tunnels with establish immediately: 0

That command will help a lot.
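Added example (not part of the original post, and not the author's or Juniper's code): a small linter that reads Junos set-style IKE lines and reports the things a reviewer would check in the configs above before deploying them. It flags that the custom `ike proposal SOHO-10` (AES-256/SHA-256) is defined but never used, because the `ike policy` selects `proposal-set compatible` instead of `proposals SOHO-10` (Junos treats `proposal-set` and `proposals` as alternatives, and Juniper documents the compatible set as 3DES/DES with SHA-1/MD5); that aggressive mode with a pre-shared key puts the PSK-derived hash on the wire where it can be captured for offline guessing, which with IKEv1 and a dynamic peer is unavoidable and so calls for a long random PSK (or certificates); that `no-nat-traversal` means a SOHO box behind a NAT/PAT modem without ESP pass-through will not come up; and that the `dynamic user-at-hostname` ID on the head end matches the `local-identity` offered by the SOHO side. The two sample configs are constructed from the post's scrubbed lines (the PSKs are the post's placeholders); `MIN_PSK_LEN` and the assumption that a gateway has the same name on both sides are this example's own.

```python
"""Sanity checks for the Junos IKEv1 dynamic-peer VPN pattern shown in the post.
Added example, not code from the original post or from Juniper. Sample configs
are constructed from the post's scrubbed lines; MIN_PSK_LEN is an assumption."""
import shlex
from collections import defaultdict

MIN_PSK_LEN = 20  # assumption: local policy floor for an aggressive-mode PSK
PLACEHOLDER_PSKS = {"yourkey here", "yourkeyhere"}  # the post's placeholders

HEAD_END = """
set security ike proposal SOHO-10 authentication-method pre-shared-keys
set security ike proposal SOHO-10 dh-group group2
set security ike proposal SOHO-10 authentication-algorithm sha-256
set security ike proposal SOHO-10 encryption-algorithm aes-256-cbc
set security ike policy SOHO-10 mode aggressive
set security ike policy SOHO-10 proposal-set compatible
set security ike policy SOHO-10 pre-shared-key ascii-text "yourkey here"
set security ike gateway SOHO-10 ike-policy SOHO-10
set security ike gateway SOHO-10 dynamic user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 no-nat-traversal
set security ike gateway SOHO-10 local-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 external-interface vlan.0
set security ike gateway SOHO-10 version v1-only
"""

SOHO = """
set security ike proposal SOHO-10 authentication-method pre-shared-keys
set security ike proposal SOHO-10 encryption-algorithm aes-256-cbc
set security ike policy SOHO-10 mode aggressive
set security ike policy SOHO-10 proposal-set compatible
set security ike policy SOHO-10 pre-shared-key ascii-text "yourkeyhere"
set security ike gateway SOHO-10 ike-policy SOHO-10
set security ike gateway SOHO-10 address 12.174.179.22
set security ike gateway SOHO-10 no-nat-traversal
set security ike gateway SOHO-10 local-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 remote-identity user-at-hostname "user@whateveryouwant.com"
set security ike gateway SOHO-10 external-interface ge-0/0/0.0
set security ike gateway SOHO-10 version v1-only
"""


def parse_ike(text):
    """Turn 'set security ike <kind> <name> <keyword> [value...]' lines into
    {'proposal'|'policy'|'gateway': {name: {keyword: value}}}."""
    tree = {"proposal": defaultdict(dict), "policy": defaultdict(dict), "gateway": defaultdict(dict)}
    for line in text.splitlines():
        toks = shlex.split(line)  # honours the quoted PSK and identity strings
        if toks[:3] != ["set", "security", "ike"] or len(toks) < 6 or toks[3] not in tree:
            continue
        kind, name, keyword, value = toks[3], toks[4], toks[5], " ".join(toks[6:])
        entry = tree[kind][name]
        # repeated keywords (e.g. dead-peer-detection ...) accumulate instead of clobbering
        entry[keyword] = value if keyword not in entry else entry[keyword] + "; " + value
    return tree


def psk_of(policy):
    """The 'pre-shared-key' value is 'ascii-text <key>' (or 'hexadecimal <key>')."""
    parts = policy.get("pre-shared-key", "").split(" ", 1)
    return parts[1] if len(parts) == 2 else ""


def lint(text, side):
    """Return a list of findings for one side's IKE config."""
    cfg, findings = parse_ike(text), []
    referenced = {p for pol in cfg["policy"].values() for p in pol.get("proposals", "").split()}
    for name, prop in cfg["proposal"].items():
        if name not in referenced:
            findings.append(f"{side}: ike proposal {name} ({prop.get('encryption-algorithm')}/"
                            f"{prop.get('authentication-algorithm')}) is never referenced by a policy")
    for gw_name, gw in cfg["gateway"].items():
        pol = cfg["policy"].get(gw.get("ike-policy"), {})
        if "proposal-set" in pol:
            findings.append(f"{side}/{gw_name}: policy {gw['ike-policy']} negotiates proposal-set "
                            f"{pol['proposal-set']} (Junos documents 'compatible' as 3DES/DES with "
                            "SHA-1/MD5) rather than an explicitly listed proposal")
        if pol.get("mode") == "aggressive" and "pre-shared-key" in pol:
            psk = psk_of(pol)
            if psk in PLACEHOLDER_PSKS or len(psk) < MIN_PSK_LEN:
                findings.append(f"{side}/{gw_name}: aggressive mode exposes the PSK-derived hash to "
                                f"offline guessing; a {len(psk)}-char pre-shared key is too short")
        if "no-nat-traversal" in gw:
            findings.append(f"{side}/{gw_name}: no-nat-traversal set; a SOHO behind a NAT/PAT modem "
                            "without ESP pass-through will not come up")
    return findings


def check_identities(head_text, soho_text):
    """Cross-side check. Assumes a gateway carries the same name on both sides (as in the post):
    the head end's 'dynamic <id>' must equal the SOHO's 'local-identity <id>', and the SOHO's
    'remote-identity' (if set) must equal the head end's 'local-identity'."""
    head, soho = parse_ike(head_text)["gateway"], parse_ike(soho_text)["gateway"]
    problems = []
    for name, gw in soho.items():
        peer = head.get(name, {})
        if gw.get("local-identity") != peer.get("dynamic"):
            problems.append(f"{name}: SOHO local-identity {gw.get('local-identity')!r} "
                            f"!= head-end dynamic {peer.get('dynamic')!r}")
        if "remote-identity" in gw and gw["remote-identity"] != peer.get("local-identity"):
            problems.append(f"{name}: SOHO remote-identity != head-end local-identity")
    return problems


if __name__ == "__main__":
    for f in lint(HEAD_END, "head-end") + lint(SOHO, "soho") + check_identities(HEAD_END, SOHO):
        print(f)
```

Swapping `set security ike policy SOHO-10 proposal-set compatible` for `set security ike policy SOHO-10 proposals SOHO-10` on both sides makes the unreferenced-proposal and proposal-set findings go away and actually negotiates the AES-256/SHA-256 proposal the configs define; the aggressive-mode and NAT-T findings stay, because they follow from the dynamic-IP/PSK design itself rather than from a typo.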

