[j-nsp] ike túnnel termination on 5800s
Alex Arseniev
alex.arseniev at gmail.com
Thu Apr 4 05:55:54 EDT 2013
Loopback interface for chassis cluster VPN-This feature is supported on all
high-end SRX Series devices.
An Internet Key Exchange (IKE) gateway needs an external interface to
communicate with a peer device. In a chassis cluster setup, the node on
which the external interface is active selects a Services Processing Unit
(SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that
SPU. Therefore, the active external interface determines the anchor SPU.
In a chassis cluster setup, this external interface can be the redundant
Ethernet interface or a standalone interface. These interfaces can go down
when the physical interfaces are down. Therefore, loopback interfaces can be
used to reach the peer gateway because the loopback interfaces are alternate
physical interfaces.
This feature allows the loopback interface to be configured for any
redundancy group. This redundancy group configuration is only checked for
VPN packets, because only VPN packets must find the anchor SPU through the
active interface.
On high-end SRX Series devices, the lo0 pseudointerface cannot be configured
in RG0 when it is used as an IKE gateway external interface. Because a VPN
is only supported in an active/passive chassis cluster environment on
high-end SRX Series devices, the lo0 pseudointerface can be configured in
such a setup for RG1. In a chassis cluster setup, the node on which the
external interface is
https://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/topic-collections/release-notes/12.1x44-d10/topic-72756.html#jd0e7482
Thanks
Alex
----- Original Message -----
From: "OBrien, Will" <ObrienH at missouri.edu>
To: "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Wednesday, April 03, 2013 9:12 PM
Subject: [j-nsp] ike túnnel termination on 5800s
> Hey guys, I'm building a new cluster of SRX 5800s and prepping to move
> several VPN tunnels to it. All of them are ike/ipsec.
>
> I built a test site on a SRX210 and configured a tunnel between it and my
> cluster. My tunnels aren't coming up on the 5800 side at all.
> I'm using Agg Eth interfaces on each chassis cluster member since they are
> in diverse locations and the ciscos they connect to aren't configured for
> VPC pairing.
>
> Basically, I've got a 20Gb Agg link up and down from each cluster member.
> Up heads to my DMZ/Internet and Down goes to the client core. (and a 20Gb
> lane between the cluster members)
>
> In checking my documentation on VPN tunnels, I found this gem:
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB19829&actp=search&viewlocale=en_US&searchid=1365002153257
>
> Apparently, high end SRX isn't supporting IKE unless it's via a RETH
> interface. <RANT> WHAT THE FREAKING HELL</RANT>
>
> So, after some work with JTAC to validate my working plan, we configured
> our agg links as reth interfaces, which have two members off the same
> chassis to work around the restriction.
>
> I now have tunnels talking to my new "reth" interfaces, but I'm incredibly
> displeased that I can't just terminate those on a loopback.
>
>
> Are there any angles I'm missing on this? I can mostly live with the
> altered configuration. Luckily I planned to transition my vpn tunnels
> first, so I was able to reconfigure my DMZ uplinks without incurring an
> outage.
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list