[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

Andy Litzinger andy.litzinger.lists at gmail.com
Fri May 9 18:22:04 EDT 2014


Thanks for the help all.  The tunnels are up and working great.  I have to
schedule a maintenance window to verify that st follows the active cluster
member.  Assume it will work - I'll report back only if it doesn't  :)


On Mon, May 5, 2014 at 5:50 PM, Ben Dale <bdale at comlinx.com.au> wrote:

> Further to Morgan and Andrew's comments, the st0 interface will follow
> whichever interface you have bound to the "external-interface" in your IKE
> Gateway configuration (ge-0/0/0.0 in the AWS example), so if you bind this
> to a reth (and have the st0 interface in the same redundancy group) you'll
> be golden.
>
>
>
> On 6 May 2014, at 10:44 am, Morgan McLean <wrx230 at gmail.com> wrote:
>
> > Andy,
> >
> > Assuming you have your own IP space, you put a public address on the
> > loopback. Whichever member is active for lo0 will handle the IPSEC if I
> > recall.
> >
> > There's some Juniper docs on the details. ST0 will always be on whichever
> > node is primary.
> >
> > Thanks,
> > Morgan
> >
> >
> > On Mon, May 5, 2014 at 5:37 PM, Andrew Jones <aj at jonesy.com.au> wrote:
> >
> >> You don't need to do anything special to make the st0 interface redundant,
> >> it will always run on the active node.
> >>
> >>
> >> On 06.05.2014 08:38, Andy Litzinger wrote:
> >>
> >>> Hi Morgan,
> >>>
> >>> I presume that with regards to the loopback you are referring to the
> >>> external interface I use as my IPSec peer toward Amazon?
> >>>
> >>> what about the internal logical st interface that I need to create in
> >>> order
> >>> to route my internal traffic into the tunnel?  How do I make that
> >>> redundant?
> >>>
> >>> thanks!
> >>> -andy
> >>>
> >>>
> >>> On Mon, May 5, 2014 at 3:30 PM, Morgan McLean <wrx230 at gmail.com> wrote:
> >>>
> >>>> Use your loopback and put that in a reth.
> >>>>
> >>>> Thanks,
> >>>> Morgan
> >>>>
> >>>>
> >>>> On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger <
> >>>> andy.litzinger.lists at gmail.com> wrote:
> >>>>
> >>>>> Hi All,
> >>>>>  Two related questions.  I have a pair of SRX 3400s in an Active/Passive
> >>>>> cluster.  They rely on an external gateway for internet access (i.e. my
> >>>>> ISPs don't terminate on the SRXs).  I am setting up redundant tunnels to an
> >>>>> AWS VPC.  Amazon has an example for J-Series (
> >>>>> http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html
> >>>>> ), but I don't think it's for a cluster set-up.
> >>>>>
> >>>>> Here are my questions:
> >>>>>
> >>>>> 1 - If I want to set up a redundant secure tunnel interface (e.g. st0),
> >>>>> should I bind it to a reth interface?
> >>>>>
> >>>>> 2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC?
> >>>>> Any tips or tricks you care to share?
> >>>>>
> >>>>> regards,
> >>>>> -andy
> >>>>> _______________________________________________
> >>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
>
>
>
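As an added illustration of the arrangement Ben describes (the IKE gateway's external-interface bound to a reth, so that st0 follows the redundancy group), here is a Junos set-command configuration written for this page. It is not from the thread, from Juniper, or from Amazon's guide. Interface names, the redundancy group number, all addresses and the policy names are placeholders: reth0 is assumed to carry the public-facing address, the IKE and IPsec policies aws-ike-policy and aws-ipsec-policy are assumed to already exist with the parameters Amazon's guide specifies, and the VPC CIDR is assumed to be 10.0.0.0/16.

```junos
## Example configuration only (not from the thread). All values are placeholders.

## Redundancy group 1 owns the data plane. reth0 is a member of RG1, so the
## IKE gateway whose external-interface is reth0.0, and the st0 unit bound to
## that gateway's VPN, are active on whichever node currently holds RG1.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/0 weight 255

## One physical child per node, both parented to reth0
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-5/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.10/24

## A single st0.0; no per-node copy is needed, it moves with RG1
set interfaces st0 unit 0 family inet address 169.254.250.2/30

## IKE gateway bound to the reth, not to a physical ge- interface
## (198.51.100.1 stands in for the AWS customer-gateway peer address)
set security ike gateway aws-gw-1 ike-policy aws-ike-policy
set security ike gateway aws-gw-1 address 198.51.100.1
set security ike gateway aws-gw-1 external-interface reth0.0

## Route-based VPN bound to st0.0
set security ipsec vpn aws-vpn-1 bind-interface st0.0
set security ipsec vpn aws-vpn-1 ike gateway aws-gw-1
set security ipsec vpn aws-vpn-1 ike ipsec-policy aws-ipsec-policy
set security ipsec vpn aws-vpn-1 establish-tunnels immediately

## Put st0.0 in its own zone and steer internal traffic for the VPC into it
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.0.0.0/16 next-hop st0.0
```

The second tunnel that Amazon's guide pairs with the first follows the same pattern with another IKE gateway, VPN and st0 unit (st0.1) bound to the same reth0.0. To confirm the behaviour Andy plans to test in his maintenance window, `show chassis cluster status` shows which node holds RG1, `show security ike security-associations` and `show security ipsec security-associations` show the tunnels, and `request chassis cluster failover redundancy-group 1 node 1` forces RG1 to the other node so the SAs and the st0 route can be rechecked there.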

