[j-nsp] Loopback VPN termination High End SRX

Phil Fagan philfagan at gmail.com
Tue Jan 28 16:30:10 EST 2014


Nice, so I'm looking at hash of IKE local:remote and what logical and
physical SPU it gets mapped to.  Makes sense because your RG0 is only
control and not data.

On Mon, Jan 27, 2014 at 4:21 AM, Mike Devlin <mikecdevlin at gmail.com> wrote:
> from the shell
>
> kmd -T source:destination
>
> the order doesn't matter, the hashing is the same if you reverse the IPs.  Use
> your phase 1 addresses
>
>
>
>
> On Sun, Jan 26, 2014 at 10:13 PM, Phil Fagan <philfagan at gmail.com> wrote:
>>
>> Looks like the keywords here are anchoring VPN to an SPU. I think this
>> involves the way RG mappings occur on SPU(s). Anyone with info/links on
>> that mapping please share.
>>
>>
>> On Wed, Jan 22, 2014 at 3:08 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>
>> > Hi all,
>> >
>> > Quick question regarding terminating IKE on a lo0 interface on a 3600
>> > cluster.
>> >
>> >
>> >
>> > http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
>> >
>> > According to this, it mentions putting lo0 into an RG that's not 0, which is
>> > the one tied to RE and master node etc. Does anybody do this? Do you just
>> > assign lo0 to redundancy group say 2, and then it just works? Anything else
>> > we need to do? The VPN packets could come in over node 0 or node 1...so I'm
>> > not sure exactly how this helps.
>> >
>> > --
>> > Thanks,
>> > Morgan
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>>
>>
>>
>> --
>> Phil Fagan
>> Denver, CO
>> 970-480-7618
>
>



-- 
Phil Fagan
Denver, CO
970-480-7618

