[j-nsp] Loopback VPN termination High End SRX

Bao Nguyen ngqbao at gmail.com
Wed Jan 22 17:19:54 EST 2014


This has been posted before, but on the "high-end" SRX such as the 3600 you
cannot terminate IKE on lo0 [1]

"On branch SRX Series devices, the lo0 pseudointerface can be configured in
any redundancy group; for example, RG0, RG1, RG2, and so on. However, on
high-end SRX Series devices, the lo0 pseudointerface cannot be configured
in RG0 when it is used as an IKE gateway external interface. Because a VPN
is only supported in an active-passive HA environment on high-end SRX
Series devices, the lo0 pseudointerface can be configured in such a setup
for RG1. In a HA setup, the node on which the external interface is active
selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are
processed on that SPU. Thus an active external interface decides the anchor
SPU."

[1]
http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/concept/security-loopback-interface-ha-for-vpn.html

-bn
0216331C
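As an added illustration of the quoted restriction (this is not configuration from the thread or from Juniper's page), the following Junos set-style fragment terminates IKE on lo0 in a high-end SRX active/passive cluster with lo0 placed in RG1 rather than RG0. Interface names, zone names, addresses, priorities and the pre-shared key are hypothetical placeholders, and the `#` lines are reader annotations, not Junos syntax.

```junos
# Added example, not from the original post: IKE on lo0 with lo0 in RG1.
# All names and addresses below are placeholders (assumption).

# lo0 carries the VPN endpoint address and is bound to RG1, never RG0
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 redundancy-group 1

# RG1 decides which node is active for the data plane; the physical uplink
# reth0 sits in the same RG so the active node (and anchor SPU) follows it
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.2/24

# lo0.0 and reth0.0 live in a zone that accepts inbound IKE (UDP 500/4500)
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# The IKE gateway names lo0.0 as its external interface
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "example-psk"
set security ike gateway remote-gw ike-policy ike-pol
set security ike gateway remote-gw address 203.0.113.7
set security ike gateway remote-gw external-interface lo0.0

# Route-based IPsec VPN bound to st0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn remote-vpn bind-interface st0.0
set security ipsec vpn remote-vpn ike gateway remote-gw
set security ipsec vpn remote-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn remote-vpn establish-tunnels immediately
```

After committing, "show chassis cluster status" shows which node holds RG1 (and therefore the active lo0 and the tunnel's anchor SPU), and "show security ike security-associations" should list the SA against 192.0.2.1 on whichever node is primary for RG1; after an RG1 failover the tunnel is expected to re-anchor on the new primary, so re-check both outputs then.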


On Wed, Jan 22, 2014 at 2:08 PM, Morgan McLean <wrx230 at gmail.com> wrote:

> Hi all,
>
> Quick question regarding terminating IKE on a lo0 interface on a 3600
> cluster.
>
>
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
>
> According to this, it mentions putting lo0 into an RG that's not 0, which is
> the one tied to RE and master node etc. Does anybody do this? Do you just
> assign lo0 to redundancy group say 2, and then it just works? Anything else
> we need to do? The VPN packets could come in over node 0 or node 1...so I'm
> not sure exactly how this helps.
>
> --
> Thanks,
> Morgan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

