Multiple VPNs on SRX240

  • Apologies if this seems simple, but I have not really completed too much on VPNs before.

    I have an SRX240 where I have configured a routed IPSec VPN that works fine to the far end location. No problems with it.
    For this I am utilising ge-0/0/0 as the untrusted interface connected to an ADSL line.

    We are having a second ADSL line installed that requires another IPSec tunnel to another end point.

    1: I only want to use the ge-0/0/0 interface for untrusted networks. Does this mean that I have to place a hub / switch between the SRX and the 2 x ADSL lines and route to the correct ADSL router? Or do I need to have a second interface, like ge-0/0/1 as an untrusted interface as well?

    2: Can multiple IPSec tunnels be utilised on the SRX240? I hope so, as it is enterprise class. If so, do I bind the second virtual port to the required untrusted interface? So, for the working one I am using st0. Do I just create st1 for the new IPSec tunnel?

    Thanks for any help.

  • Hi. You can do multiple IPsec VPN tunnels. This will work best with static IPs on both sides. Otherwise you will be required to create a virtual-router running 11.x software, a new security zone, etc.

    I am assuming you are using NHTB with st0.0?

    The way this works: you would create a static route for the far-end gateway’s IP to route out the new ADSL modem, set up a new IKE gateway and IPsec VPN for that far-end gateway, reference the new ge-0/0/1 interface for this VPN, and do your NHTB settings under st0.0. This should create a new VPN tunnel and force the traffic to use the second ADSL modem. In the off chance that this is not a static IP or is a persistent IP, you will have to create a virtual-router, put a static IP in the virtual-router, and make sure you are running 11.x code. Then you can bind your IKE gateway to an interface that lives in a VR other than inet.0.

    Hope this helps to start with!
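    As an added illustration (not part of the reply above, and not the poster's own configuration), here is a Junos set-style configuration that follows the steps just described: a host route for the new peer out the second ADSL line, a new IKE gateway bound to ge-0/0/1.0, a new IPsec VPN, and an NHTB entry under the existing st0.0. All addresses, object names and the pre-shared key placeholder are assumed example values; the existing st0.0 zone and trust-to-VPN security policies from the first tunnel are assumed to be in place already.

    ```junos
    # Assumed example addressing: second ADSL router 198.51.100.1, SRX side of
    # that link 198.51.100.2/30, new far-end IKE gateway 203.0.113.10, remote LAN
    # 192.168.20.0/24, st0.0 multipoint 10.0.0.1/24 with the peer's st0 at 10.0.0.2.

    # 1. Second untrusted interface in the untrust zone; only IKE is allowed inbound
    set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/30
    set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

    # 2. Host route for the far-end gateway so IKE/ESP leaves via the new ADSL line
    set routing-options static route 203.0.113.10/32 next-hop 198.51.100.1

    # 3. IKE policy and gateway for the new peer, tied to ge-0/0/1.0
    set security ike policy ike-pol-siteB mode main
    set security ike policy ike-pol-siteB proposal-set standard
    set security ike policy ike-pol-siteB pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
    set security ike gateway gw-siteB ike-policy ike-pol-siteB
    set security ike gateway gw-siteB address 203.0.113.10
    set security ike gateway gw-siteB external-interface ge-0/0/1.0

    # 4. IPsec VPN bound to the existing st0.0 (multipoint) interface
    set security ipsec policy ipsec-pol-siteB proposal-set standard
    set security ipsec vpn vpn-siteB bind-interface st0.0
    set security ipsec vpn vpn-siteB ike gateway gw-siteB
    set security ipsec vpn vpn-siteB ike ipsec-policy ipsec-pol-siteB
    set security ipsec vpn vpn-siteB establish-tunnels immediately

    # 5. NHTB: map the peer's st0 address to this VPN, then route the remote LAN at it
    set interfaces st0 unit 0 multipoint
    set interfaces st0 unit 0 family inet address 10.0.0.1/24
    set interfaces st0 unit 0 family inet next-hop-tunnel 10.0.0.2 ipsec-vpn vpn-siteB
    set routing-options static route 192.168.20.0/24 next-hop 10.0.0.2

    # Verify after commit:
    # run show security ike security-associations
    # run show security ipsec security-associations
    # run show security ipsec next-hop-tunnels
    ```

    The host route in step 2 is what steers the second tunnel onto the second ADSL line; without it, IKE for the new peer would follow the default route out ge-0/0/0 and the gateway binding to ge-0/0/1.0 would never come up.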

  • Apologies, I have probably worded this wrong...

    I need to set up a second VPN to allow dynamic access from multiple locations. What's the best way to achieve this via 1 untrusted port and 2 x ADSL lines?