[j-nsp] ike tunnel termination on 5800s

Alex Arseniev alex.arseniev at gmail.com
Thu Apr 4 05:55:54 EDT 2013


Loopback interface for chassis cluster VPN: This feature is supported on all 
high-end SRX Series devices.
An Internet Key Exchange (IKE) gateway needs an external interface to 
communicate with a peer device. In a chassis cluster setup, the node on 
which the external interface is active selects a Services Processing Unit 
(SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that 
SPU. Therefore, the active external interface determines the anchor SPU.

In a chassis cluster setup, this external interface can be the redundant 
Ethernet interface or a standalone interface. These interfaces can go down 
when the physical interfaces are down. Therefore, loopback interfaces can be 
used to reach the peer gateway because the loopback interfaces are alternate 
physical interfaces.

This feature allows the loopback interface to be configured for any 
redundancy group. This redundancy group configuration is only checked for 
VPN packets, because only VPN packets must find the anchor SPU through the 
active interface.

On high-end SRX Series devices, the lo0 pseudointerface cannot be configured 
in RG0 when it is used as an IKE gateway external interface. Because a VPN 
is only supported in an active/passive chassis cluster environment on 
high-end SRX Series devices, the lo0 pseudointerface can be configured in 
such a setup for RG1. In a chassis cluster setup, the node on which the 
external interface is

https://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/topic-collections/release-notes/12.1x44-d10/topic-72756.html#jd0e7482
Thanks
Alex
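The release-note text above describes the feature in prose only. The following is an added, illustrative Junos set-style configuration (not from the thread, the release notes, or Juniper) showing how the pieces fit together: lo0 bound to RG1 rather than RG0, a loopback unit placed in a zone that accepts IKE, and an IKE gateway whose external-interface is that loopback unit instead of a reth. Every name, address and priority is a made-up placeholder; the comment lines are for the reader and are not part of the configuration.

```junos
# Added example, not from the thread or Juniper's documentation.
# Placeholders: lo0.1, 203.0.113.1, 198.51.100.10, zone/policy/gateway names.

# RG1 is the active/passive data-plane group; node 0 is preferred.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# lo0 as an IKE external interface may not sit in RG0; bind it to RG1 so the
# anchor SPU follows whichever node currently holds RG1.
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set interfaces lo0 unit 1 family inet address 203.0.113.1/32

# The loopback unit needs a zone that allows IKE to terminate on it; the reth
# or physical uplinks only have to route 203.0.113.1 to the peer.
set security zones security-zone untrust interfaces lo0.1
set security zones security-zone untrust host-inbound-traffic system-services ike

# IKE phase 1 parameters (placeholder values; pick per your peer's policy).
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-PSK"

# The gateway terminates on lo0.1, not on a reth or ae interface.
set security ike gateway peer-branch ike-policy ike-pol
set security ike gateway peer-branch address 198.51.100.10
set security ike gateway peer-branch external-interface lo0.1

# Route-based tunnel bound to an st0 unit.
set security ipsec vpn to-branch bind-interface st0.0
set security ipsec vpn to-branch ike gateway peer-branch
set security ipsec vpn to-branch establish-tunnels immediately
```

After committing, `show chassis cluster status` should show RG1 primary on the node whose uplinks are up, and `show security ike security-associations` should list the peer with lo0.1's address as the local endpoint; if RG1 and the live uplinks end up on different nodes, the IKE packets arrive on the wrong anchor SPU, which is the symptom the redundancy-group binding is meant to avoid.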

----- Original Message ----- 
From: "OBrien, Will" <ObrienH at missouri.edu>
To: "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Wednesday, April 03, 2013 9:12 PM
Subject: [j-nsp] ike tunnel termination on 5800s


> Hey guys, I'm building a new cluster of SRX 5800s and prepping to move 
> several VPN tunnels to it. All of them are ike/ipsec.
>
> I built a test site on a SRX210 and configured a tunnel between it and my 
> cluster. My tunnels aren't coming up on the 5800 side at all.
> I'm using Agg Eth interfaces on each chassis cluster member since they are 
> in diverse locations and the ciscos they connect to aren't configured for 
> VPC pairing.
>
> Basically, I've got a 20Gb Agg link up and down from each cluster member. 
> Up heads to my DMZ/Internet and Down goes to the client core. (and a 20Gb 
> lane between the cluster members)
>
> In checking my documentation on VPN tunnels, I found this gem:
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB19829&actp=search&viewlocale=en_US&searchid=1365002153257
>
> Apparently, high end SRX isn't supporting IKE unless it's via a RETH 
> interface. <RANT> WHAT THE FREAKING HELL</RANT>
>
> So, after some work with JTAC to validate my working plan, we configured 
> our agg links as reth interfaces, which have two members off the same 
> chassis to work around the restriction.
>
> I now have tunnels talking to my new "reth" interfaces, but I'm incredibly 
> displeased that I can't just terminate those on a loopback.
>
>
> Are there any angles I'm missing on this? I can mostly live with the 
> altered configuration. Luckily I planned to transition my vpn tunnels 
> first, so I was able to reconfigure my DMZ uplinks without incurring an 
> outage.
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
