[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Ben Dale
bdale at comlinx.com.au
Mon May 5 20:50:20 EDT 2014
Further to Morgan and Andrew's comments, the st0 interface will follow whichever interface you have bound to the "external-interface" in your IKE Gateway configuration (ge-0/0/0.0 in the AWS example), so if you bind this to a reth (and have the st0 interface in the same redundancy group) you'll be golden.
On 6 May 2014, at 10:44 am, Morgan McLean <wrx230 at gmail.com> wrote:
> Andy,
>
> Assuming you have your own IP space, you put a public address on the
> loopback. Whichever member is active for lo0 will handle the IPsec if I
> recall.
>
> There are some Juniper docs on the details. st0 will always be on whichever
> node is primary.
>
> Thanks,
> Morgan
>
>
> On Mon, May 5, 2014 at 5:37 PM, Andrew Jones <aj at jonesy.com.au> wrote:
>
>> You don't need to do anything special to make the st0 interface redundant,
>> it will always run on the active node.
>>
>>
>> On 06.05.2014 08:38, Andy Litzinger wrote:
>>
>>> Hi Morgan,
>>>
>>> I presume that with regards to the loopback you are referring to the
>>> external interface I use as my IPSec peer toward Amazon?
>>>
>>> what about the internal logical st interface that I need to create in
>>> order
>>> to route my internal traffic into the tunnel? How do I make that
>>> redundant?
>>>
>>> thanks!
>>> -andy
>>>
>>>
>>> On Mon, May 5, 2014 at 3:30 PM, Morgan McLean <wrx230 at gmail.com> wrote:
>>>
>>>> Use your loopback and put that in a reth.
>>>>
>>>> Thanks,
>>>> Morgan
>>>>
>>>>
>>>> On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger <
>>>> andy.litzinger.lists at gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>> Two related questions. I have a pair of SRX 3400s in an Active/Passive
>>>>> cluster. They rely on an external gateway for internet access (i.e. my
>>>>> ISPs don't terminate on the SRXs). I am setting up redundant tunnels to
>>>>> an AWS VPC. Amazon has an example for J-Series (
>>>>> http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html
>>>>> ),
>>>>> but I don't think it's for a cluster set-up.
>>>>>
>>>>> Here are my questions:
>>>>>
>>>>> 1 - If I want to set up a redundant secure tunnel interface (e.g. st0),
>>>>> should I bind it to a reth interface?
>>>>>
>>>>> 2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC?
>>>>> Any tips or tricks you care to share?
>>>>>
>>>>> regards,
>>>>> -andy
>>>>> _______________________________________________
>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>>
>>>>
>>>
>>
>>
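Added example (not from any poster in this thread, and not the AWS or Juniper documentation's own text): a set-format Junos fragment showing the arrangement Ben describes, a route-based IPsec tunnel whose IKE gateway uses a reth in redundancy-group 1 as its external-interface and whose VPN is bound to st0.1, so the tunnel moves with the reth on failover. All names, addresses, the redundancy-group number, the PSK placeholder and the second-node port number (ge-7/0/0 here; it depends on the chassis) are assumptions. The proposals mirror what the AWS Juniper example used at the time (IKEv1 main mode, PSK, AES-128, SHA-1, DH group 2, PFS group 2, MTU 1436 and MSS 1387); treat them as the floor the peer accepts, not a recommendation, and prefer stronger settings where the peer allows them. Only the first of the two AWS tunnels is shown; the second is the same lines again with a second gateway address, st0.2 and its own 169.254.x.x/30.

```junos
/* Chassis cluster: reth0 lives in RG1. interface-monitor pulls RG1 to the
   other node if the primary's external link goes down; without it the
   st0 tunnel can stay on a node that has no path to the peer. */
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-7/0/0 weight 255

/* One physical port per node behind reth0 (assumed port numbers). */
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.10/24

/* Tunnel interface; AWS hands out the 169.254.x.x/30 inside address. */
set interfaces st0 unit 1 family inet mtu 1436
set interfaces st0 unit 1 family inet address 169.254.255.2/30

/* Default route via the external gateway (assumed), as in the thread the
   ISPs do not terminate on the SRX. Internal VPC prefix is routed into st0.1. */
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 10.0.0.0/16 next-hop st0.1

/* IKE phase 1. PSK placeholder: Junos stores it $9$-obfuscated, not encrypted,
   so protect config backups accordingly. */
set security ike proposal ike-prop-aws authentication-method pre-shared-keys
set security ike proposal ike-prop-aws dh-group group2
set security ike proposal ike-prop-aws authentication-algorithm sha1
set security ike proposal ike-prop-aws encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-aws lifetime-seconds 28800
set security ike policy ike-pol-aws mode main
set security ike policy ike-pol-aws proposals ike-prop-aws
set security ike policy ike-pol-aws pre-shared-key ascii-text "REPLACE-WITH-AWS-PSK"
set security ike gateway gw-aws-1 ike-policy ike-pol-aws
set security ike gateway gw-aws-1 address 198.51.100.1
set security ike gateway gw-aws-1 dead-peer-detection interval 10
set security ike gateway gw-aws-1 dead-peer-detection threshold 3
/* This is the line that makes st0 follow the cluster: the external
   interface is the reth, not a member port or a node-local address. */
set security ike gateway gw-aws-1 external-interface reth0.0

/* IPsec phase 2, bound to st0.1 (route-based). */
set security ipsec proposal ipsec-prop-aws protocol esp
set security ipsec proposal ipsec-prop-aws authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-aws encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-aws lifetime-seconds 3600
set security ipsec policy ipsec-pol-aws perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-aws proposals ipsec-prop-aws
set security ipsec vpn vpn-aws-1 bind-interface st0.1
set security ipsec vpn vpn-aws-1 ike gateway gw-aws-1
set security ipsec vpn vpn-aws-1 ike ipsec-policy ipsec-pol-aws
set security ipsec vpn vpn-aws-1 establish-tunnels immediately

/* Clamp TCP MSS for traffic entering the tunnel to avoid fragmentation. */
set security flow tcp-mss ipsec-vpn mss 1387

/* Zones: IKE must be permitted inbound on the reth; st0.1 gets its own zone
   so policy between the VPC and the inside is explicit rather than implied. */
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone vpn interfaces st0.1
```

After committing, "show chassis cluster status" should show RG1 primary on one node, "show security ike security-associations" and "show security ipsec security-associations" should list the SA against 198.51.100.1, and "show chassis cluster interfaces" confirms the monitored ports. Pulling the primary's external link should move RG1 and the SAs to the other node, which is the failover the thread is asking about.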