IPSec site to site VPN between Juniper SRX and Mikrotik

Hi everybody,
I need your help.
I am trying to configure an IPSec site-to-site VPN between a Juniper SRX-240 and a Mikrotik RB-951. The Juniper SRX has a static IP and the Mikrotik has a dynamic IP.
When I use IP addresses as peer ID there is no problem. But if I try to use FQDN as peer ID for the Mikrotik (it has a dynamic IP), the tunnel is not established.
Juniper SRX with Juniper SRX and Juniper SRX with D-Link DSR-150N work well.

Config SRX:

set security ike policy ike-policy-dhcp mode aggressive
set security ike policy ike-policy-dhcp proposal-set standard
set security ike policy ike-policy-dhcp pre-shared-key ascii-text "Secret_key"
set security ike gateway cpe-gate-cfgr ike-policy ike-policy-dhcp
set security ike gateway cpe-gate-cfgr dynamic hostname cpe.oscon.ua
set security ike gateway cpe-gate-cfgr external-interface vlan.300
set security ipsec policy ipsec-policy-dhcp perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-dhcp proposal-set standard
set security ipsec vpn ipsec-vpn-srx bind-interface st0.0
set security ipsec vpn ipsec-vpn-srx ike gateway cpe-gate-cfgr
set security ipsec vpn ipsec-vpn-srx ike ipsec-policy ipsec-policy-dhcp
set security ipsec vpn ipsec-vpn-srx establish-tunnels immediately

Mikrotik config:

/ip firewall nat
add chain=srcnat dst-address=192.168.110.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec peer

Unsafe configuration, suggestion to use certificates

add address=194.187.108.110/32 dpd-interval=disable-dpd exchange-mode=aggressive my-id-user-fqdn=cpe.oscon.ua nat-traversal=no secret=Secret_key
/ip ipsec policy
add dst-address=192.168.110.0/24 level=unique sa-dst-address=194.187.108.110 sa-src-address=194.187.108.107 src-address=192.168.88.0/24 tunnel=yes


The problem was in Mikrotik. Mikrotik uses only U-FQDN peer ID in format “xxx.@yyy.com” and Juniper can use FQDN and U-FQDN also. You must change the command on Juniper:
Old command
“set security ike gateway cpe-gate-cfgr dynamic hostname cpe.oscon.ua”

New command
“set security ike gateway srx-gate-cfgr dynamic user-at-hostname "cpe@oscon.ua"”
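A simplified model of the peer-ID check behind the fix above, as an added example (not code from the thread, Junos or RouterOS): it encodes the IKEv1 Identification payload as laid out in RFC 2407 and shows why a U-FQDN ID is rejected by a gateway configured with `dynamic hostname`. The helper names, the matching rule and the MikroTik-side value `cpe@oscon.ua` are assumptions; the thread only shows the Juniper-side change.

```python
import struct

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_FQDN, ID_USER_FQDN = 2, 3
ID_NAMES = {1: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN", ID_USER_FQDN: "ID_USER_FQDN"}

# Junos "dynamic" keyword -> ID type the gateway expects (assumed, simplified model)
EXPECTED_TYPE = {"hostname": ID_FQDN, "user-at-hostname": ID_USER_FQDN}


def build_id_payload(id_type, value, next_payload=0):
    """Encode an IKEv1 Identification payload (used to construct sample input)."""
    data = value.encode("ascii")
    length = 8 + len(data)  # 4-byte generic header + 4-byte ID header + data
    # fields: next payload, reserved, length, ID type, protocol ID, port
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def parse_id_payload(raw):
    """Return (id_type, value); raise ValueError on a malformed payload."""
    if len(raw) < 8:
        raise ValueError("payload shorter than ID header")
    _next, _rsvd, length, id_type, _proto, _port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("length field does not match payload size")
    return id_type, raw[8:].decode("ascii")


def gateway_accepts(keyword, configured, raw):
    """Hypothetical responder check: ID type and value must both match."""
    id_type, value = parse_id_payload(raw)
    if id_type != EXPECTED_TYPE[keyword]:
        return False, f"type mismatch: got {ID_NAMES.get(id_type, id_type)}"
    if value.lower() != configured.lower():
        return False, f"value mismatch: got {value!r}"
    return True, "match"


if __name__ == "__main__":
    # Constructed payloads: per the thread, MikroTik sends its ID as U-FQDN
    before = build_id_payload(ID_USER_FQDN, "cpe.oscon.ua")
    after = build_id_payload(ID_USER_FQDN, "cpe@oscon.ua")
    print(gateway_accepts("hostname", "cpe.oscon.ua", before))
    print(gateway_accepts("user-at-hostname", "cpe@oscon.ua", after))
```
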

garysh,
Did you get it all sorted?
I'm having major problems trying to establish it.
Same setup as you. Mikrotik with dynamic IP…Juniper SRX240 with static.

Are you configuring it as a route based or policy based on the SRX?

Keep getting a no proposal chosen alarm on both boxes.

Did any of you get this sorted out?

I am trying to get a Juniper SRX ↔ Mikrotik site-to-site IPSEC running, Phase 1 is up, and Phase 2 is giving us a headache…no proposal chosen…

Thank you

/Ulrich

Enable ipsec debug logs and post the output here after the failure.