[j-nsp] Loopback VPN termination High End SRX

Dominik Rappaport Dominik.Rappaport at rappaport.at
Sat Jan 25 18:43:53 EST 2014


Hi Morgan,

Loopback VPN termination in SRX cluster was officially introduced in Junos OS 12.1X44-D10

See Pathfinder:

http://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=5597&fn=Loopback+interface+for+chassis+cluster+VPN

This feature made it possible to associate the lo0 interface with RG1+. As VPN is so far only supported in an A/P cluster, this effectively means you associate it with RG1.

Regards,
Dominik

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma? 
 
On Jan 23, 2014, at 12:26 AM, Morgan McLean wrote:

> I interpret that as them saying I can do it in RG1, but not RG0.
> 
> "lo0 pseudointerface can be configured in such a setup for RG1"
> 
> Can anyone else confirm?
> 
> Thanks!
> Morgan
> 
> 
> On Wed, Jan 22, 2014 at 2:19 PM, Bao Nguyen <ngqbao at gmail.com> wrote:
> 
>> This has been posted before, but on the "high-end" SRX such as the 3600 you
>> cannot terminate IKE on lo0 [1]
>> 
>> "On branch SRX Series devices, the lo0 pseudointerface can be configured
>> in any redundancy group; for example, RG0, RG1, RG2, and so on. However, on
>> high-end SRX Series devices, the lo0 pseudointerface cannot be configured
>> in RG0 when it is used as an IKE gateway external interface. Because a VPN
>> is only supported in an active-passive HA environment on high-end SRX
>> Series devices, the lo0 pseudointerface can be configured in such a setup
>> for RG1. In a HA setup, the node on which the external interface is active
>> selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are
>> processed on that SPU. Thus an active external interface decides the anchor
>> SPU."
>> 
>> [1]
>> http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/concept/security-loopback-interface-ha-for-vpn.html
>> 
>> -bn
>> 0216331C
>> 
>> 
>> On Wed, Jan 22, 2014 at 2:08 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>> 
>>> Hi all,
>>> 
>>> Quick question regarding terminating IKE on a lo0 interface on a 3600
>>> cluster.
>>> 
>>> 
>>> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
>>> 
>>> According to this, it mentions putting lo0 into an RG that's not 0, which is
>>> the one tied to the RE and master node etc. Does anybody do this? Do you just
>>> assign lo0 to redundancy group, say, 2, and then it just works? Anything else
>>> we need to do? The VPN packets could come in over node 0 or node 1... so I'm
>>> not sure exactly how this helps.
>>> 
>>> --
>>> Thanks,
>>> Morgan
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> 
>> 
>> 
> 
> 
> -- 
> Thanks,
> Morgan
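Added example (not from any poster in this thread and not Juniper's own documentation): a minimal set-format configuration for the situation discussed above, an active/passive high-end SRX chassis cluster terminating IKE on lo0, with the loopback placed in RG1 rather than RG0 as the linked Juniper topic requires. The interface names (ge-0/0/0, ge-5/0/0), addresses (RFC 5737 ranges), zone and object names, and pre-shared key are placeholders; adjust them to the chassis and peer in use. The `#` lines are explanatory and should be dropped before loading the file.

```junos
# Redundancy groups. RG0 is the RE/control plane; RG1 carries the data plane
# (reth0) and, for this setup, lo0. The node with RG1 active owns the VPN.
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
# Fail RG1 over if the untrust member link on the active node goes down,
# so the IKE anchor (and lo0) moves with the interface the peer reaches us on.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/0 weight 255

# Untrust reth: one member port per node (placeholder port names).
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-5/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.10/24

# Loopback used as the IKE external interface.
# On a high-end SRX this MUST NOT be RG0 (rejected use: set interfaces lo0 redundancy-group 0).
# With VPN only supported active/passive, RG1 is the practical choice.
set interfaces lo0 redundancy-group 1
set interfaces lo0 unit 0 family inet address 198.51.100.1/32

# Route-based VPN tunnel interface.
set interfaces st0 unit 0 family inet

# Default route toward the peer via reth0 (placeholder next hop).
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Zones: lo0.0 and reth0.0 both in untrust; IKE must be permitted on lo0.0,
# since that is the address the peer initiates to.
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

# IKE gateway anchored on lo0.0 (placeholder peer address and key).
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-strong-psk"
set security ike gateway gw-peer ike-policy ike-pol
set security ike gateway gw-peer address 192.0.2.50
set security ike gateway gw-peer external-interface lo0.0

# IPsec VPN bound to st0.0.
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-peer bind-interface st0.0
set security ipsec vpn vpn-peer ike gateway gw-peer
set security ipsec vpn vpn-peer ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-peer establish-tunnels immediately
```

After committing, `show chassis cluster status` should show RG1 primary on the node you expect, and `show security ike security-associations` / `show security ipsec security-associations` should list the SA toward 192.0.2.50 with 198.51.100.1 as the local address. The peer must have a route to the /32 loopback address via the reth0 subnet (or a routing protocol advertising it), otherwise IKE packets never arrive on lo0.0. Because the SPU anchoring the tunnel is chosen by the node on which RG1 is active, failing RG1 over (for example with `request chassis cluster failover redundancy-group 1 node 1`) moves both the external interface and the tunnel anchor together, which is the point of placing lo0 in RG1 instead of RG0.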