[j-nsp] Loopback VPN termination High End SRX

Morgan McLean wrx230 at gmail.com
Wed Jan 22 18:26:55 EST 2014


I interpret that as them saying I can do it in RG1, but not RG0.

"lo0 pseudointerface can be configured in such a setup for RG1"

Can anyone else confirm?

Thanks!
Morgan


On Wed, Jan 22, 2014 at 2:19 PM, Bao Nguyen <ngqbao at gmail.com> wrote:

> This has been posted before, but on the "high-end" SRX such as the 3600 you
> cannot terminate IKE on lo0 [1]
>
> "On branch SRX Series devices, the lo0 pseudointerface can be configured
> in any redundancy group; for example, RG0, RG1, RG2, and so on. However, on
> high-end SRX Series devices, the lo0 pseudointerface cannot be configured
> in RG0 when it is used as an IKE gateway external interface. Because a VPN
> is only supported in an active-passive HA environment on high-end SRX
> Series devices, the lo0 pseudointerface can be configured in such a setup
> for RG1. In a HA setup, the node on which the external interface is active
> selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are
> processed on that SPU. Thus an active external interface decides the anchor
> SPU."
>
> [1]
> http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/concept/security-loopback-interface-ha-for-vpn.html
>
> -bn
> 0216331C
>
>
> On Wed, Jan 22, 2014 at 2:08 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>
>> Hi all,
>>
>> Quick question regarding terminating IKE on a lo0 interface on a 3600
>> cluster.
>>
>>
>> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
>>
>> According to this, it mentions putting lo0 into an RG that's not 0, which
>> is the one tied to the RE and master node etc. Does anybody do this? Do you
>> just assign lo0 to redundancy group, say, 2, and then it just works?
>> Anything else we need to do? The VPN packets could come in over node 0 or
>> node 1... so I'm not sure exactly how this helps.
>>
>> --
>> Thanks,
>> Morgan
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


-- 
Thanks,
Morgan
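For readers landing on this thread looking for the actual configuration the Juniper text implies, here is an added example of terminating IKE on lo0 in a high-end SRX chassis cluster with lo0 anchored in RG1. It is not from any of the posters or from Juniper's documentation; the addresses (RFC 5737 documentation ranges), the gateway, policy and VPN names, the priorities and the pre-shared key are all assumed placeholders. The only setting the quoted doc actually speaks to is which redundancy group lo0 sits in; the surrounding IKE/IPsec and zone statements are the ordinary pieces needed for the gateway to be reachable and are shown so the fragment is complete.

```junos
## Chassis cluster: RG0 holds the RE, RG1 holds the data plane (reth) and lo0.
## Active-passive, so node 0 is preferred for RG1; RG1 failover moves both
## the reth interfaces and lo0 together, and with them the tunnel anchor.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1

## Outside reth in RG1 (assumed: reth0 on the untrust side).
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 198.51.100.2/24

## lo0 carries the IKE gateway address. On a high-end SRX it goes in RG1,
## per the Juniper text quoted above; RG0 would be the unsupported choice:
##   set interfaces lo0 redundant-pseudo-interface-options redundancy-group 0   <- not supported for an IKE external interface on high-end SRX
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set interfaces lo0 unit 0 family inet address 192.0.2.1/32

## lo0.0 must sit in a zone that admits IKE, otherwise the peer's UDP/500 and
## UDP/4500 traffic is dropped before it reaches the IKE daemon.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces lo0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

## IKE gateway terminated on lo0.0 rather than on reth0.0.
set security ike policy pol-remote mode main
set security ike policy pol-remote proposal-set standard
set security ike policy pol-remote pre-shared-key ascii-text "CHANGE-ME-assumed-placeholder"
set security ike gateway gw-remote ike-policy pol-remote
set security ike gateway gw-remote address 203.0.113.5
set security ike gateway gw-remote external-interface lo0.0

## Route-based VPN bound to st0.0.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike proposal-set standard
set security ipsec vpn vpn-remote establish-tunnels immediately
```

Two things the thread's question about "packets could come in over node 0 or node 1" turns on: the peer has to be able to route to 192.0.2.1/32, so that prefix must be advertised (or statically routed) toward the cluster from the upstream side, and in an active-passive design the reth interfaces and lo0 belong to the same redundancy group so that the node holding the active external interface, which per the Juniper text picks the anchoring SPU, is also the node receiving the traffic. After commit, `show chassis cluster status` should show RG1 primary on one node only, and `show security ike security-associations` should list the SA with the lo0 address as the local endpoint.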

