[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

Morgan McLean wrx230 at gmail.com
Mon May 5 20:44:02 EDT 2014


Andy,

Assuming you have your own IP space, you put a public address on the
loopback. Whichever member is active for lo0 will handle the IPsec if I
recall.

There are some Juniper docs on the details. st0 will always be on whichever
node is primary.

Thanks,
Morgan


On Mon, May 5, 2014 at 5:37 PM, Andrew Jones <aj at jonesy.com.au> wrote:

> You don't need to do anything special to make the st0 interface redundant,
> it will always run on the active node.
>
>
> On 06.05.2014 08:38, Andy Litzinger wrote:
>
>> Hi Morgan,
>>
>> I presume that with regards to the loopback you are referring to the
>> external interface I use as my IPsec peer toward Amazon?
>>
>> What about the internal logical st interface that I need to create in
>> order to route my internal traffic into the tunnel? How do I make that
>> redundant?
>>
>> thanks!
>>  -andy
>>
>>
>> On Mon, May 5, 2014 at 3:30 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>
>>> Use your loopback and put that in a reth.
>>>
>>> Thanks,
>>> Morgan
>>>
>>>
>>> On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger <
>>> andy.litzinger.lists at gmail.com> wrote:
>>>
>>>> Hi All,
>>>>   Two related questions.  I have a pair of SRX 3400s in an Active/Passive
>>>> cluster.  They rely on an external gateway for internet access (i.e. my
>>>> ISPs don't terminate on the SRXs).  I am setting up redundant tunnels to an
>>>> AWS VPC.  Amazon has an example for J-Series
>>>> (http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html),
>>>> but I don't think it's for a cluster set-up.
>>>>
>>>> Here are my questions:
>>>>
>>>> 1 - If I want to set up a redundant secure tunnel interface (e.g. st0),
>>>> should I bind it to a reth interface?
>>>>
>>>> 2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC?
>>>> Any tips or tricks you care to share?
>>>>
>>>> regards,
>>>>  -andy
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>
>>>>
>>>
>>
>
>
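A minimal Junos configuration for the approach described in this thread (the public IKE peer address on lo0, lo0 following redundancy group 1 so the active node owns it, and st0 bound to the VPN with no reth), as an added example that is not from the thread or from Juniper or AWS documentation. The addresses, the gateway, VPN and policy names, and the redundancy-group priorities are assumed; IKE/IPsec proposals and policies, zone host-inbound-traffic settings, security policies and the second AWS tunnel are omitted.

```junos
chassis {
    cluster {
        /* RG1 decides which node is primary for lo0 and therefore for IKE/IPsec */
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
        }
    }
}
interfaces {
    lo0 {
        /* Public peer address (assumed, documentation range) moves with RG1;
           the loopback itself is tied to the redundancy group, no reth needed */
        redundant-pseudo-interface-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 203.0.113.1/32;
            }
        }
    }
    st0 {
        /* Tunnel interface: lives on the primary node automatically,
           so no reth binding; AWS expects a link-local /30 (assumed value) */
        unit 0 {
            family inet {
                address 169.254.10.2/30;
            }
        }
    }
}
security {
    ike {
        gateway aws-gw-1 {
            ike-policy aws-ike-policy;
            address 198.51.100.10;      /* AWS tunnel endpoint (assumed) */
            external-interface lo0.0;   /* IKE sourced from the loopback */
        }
    }
    ipsec {
        vpn aws-vpn-1 {
            bind-interface st0.0;       /* route-based VPN: traffic routed into st0.0 */
            ike {
                gateway aws-gw-1;
                ipsec-policy aws-ipsec-policy;
            }
        }
    }
}
```

The second AWS tunnel is configured the same way with its own gateway, st0 unit and /30; both st0 units follow the primary node without further cluster configuration.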

