Junos OS

  • 1.  Multiple loopback IPs for vpn termination

    Posted 05-14-2016 03:29

    Hi,

    I created a loopback interface on a Juniper chassis cluster firewall for VPN termination.

    I assigned 3 IPs to it.

    When I create a VPN tunnel, not all IPs are working and I am not able to bring the tunnel UP with them. Only two are working.

    Any idea?



  • 2.  RE: Multiple loopback IPs for vpn termination
    Best Answer

    Posted 05-14-2016 04:27

    Hello Farage,

    Ideally, even though you configure multiple IPs under a single logical unit of loopback, only one of the IPs will be used as the source IP for any outgoing VPN packet.

    You can try to configure local-address under the gateway configuration for the various peers, but I am not sure whether it will work or not.

    Another way is to create multiple routing-instances & put loopback0.x in routing instance x, loopback0.y in routing instance y & form VPNs with multiple peers.

    Regards,

    Rushi



  • 3.  RE: Multiple loopback IPs for vpn termination

    Posted 05-15-2016 01:48

    Hi,

    Actually, I configured 3 IPs for one loopback and only two are working.

    Note that on a Juniper SRX I cannot create multiple loopback interfaces, only one loopback with multiple IPs.

    However, if I want to create another routing-instance I fear that this will affect the cluster in place.

    I am not sure this is advisable.

    Thanks for your help



  • 4.  RE: Multiple loopback IPs for vpn termination

    Posted 05-15-2016 03:09

    Hi farage,

    When you say that one of the IPs configured on the same lo0 interface doesn't work, what does that mean?

    # Is it not reachable from other devices?

    # The VPN which is terminated on the lo0 and has the third IP in the IKE config doesn't work?

    As rtilak has mentioned, please configure local-address in the gateway config to use the correct IP out of the three for the IKE negotiation. Moreover, check if the IKE UDP 500 packets are received on the egress interface destined to the correct loopback IP from the remote IP, and that the SRX is also sending with the correct IP.

    The other option to create a VR should not have any issues if another lo0 is a part of that VR and routes are properly populated in the VR table.

    Regards

    Hemant



  • 5.  RE: Multiple loopback IPs for vpn termination

    Posted 05-16-2016 02:21

    To be more clear, the configuration below is already implemented.

    Currently I have two VPN tunnels terminated on x.y.z.113/32 and x.y.z.114/32.

    However, I failed to create a VPN tunnel on x.y.z.115/32.

    If I change the IKE gateway IP of the running VPN, i.e. from x.y.z.113/32 to x.y.z.115/32, the tunnel goes down.

    lo0 {
        unit 1 {
            family inet {
                address x.y.z.113/32;
                address x.y.z.114/32;
                address x.y.z.115/32;
            }
            redundant-pseudo-interface-options {
                redundancy-group 1;
            }
        }
    }

    Regards,



  • 6.  RE: Multiple loopback IPs for vpn termination

    Posted 05-16-2016 02:32

    Hello Farage,

    Can you paste the output of the 'show security ike' command (configuration mode), highlighting the relevant gateway configuration for the 3 VPN peers?

    Regards,

    Rushi



  • 7.  RE: Multiple loopback IPs for vpn termination

    Posted 05-16-2016 05:30

    Thank you all for your help.

    While reviewing the configuration I noticed that the local-identity IP and local-address are different.

    I configured the correct IP on the local-address (hidden command) and it works like a charm.

    Regards,

    Tarek
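Added example, not part of the thread and not Juniper's code: a small Python checker that parses a Junos-style curly-brace configuration (the format printed by 'show configuration') and flags IKE gateways whose local-address is missing, is not configured on the external interface, or differs from the local-identity address, which is the mismatch Tarek found in post 7. The sample configuration, gateway names and addresses (RFC 5737 documentation ranges) are constructed for the demo; parse_junos, interface_addresses and audit_ike_gateways are names chosen here.

```python
"""Constructed example: audit SRX IKE gateways terminated on a multi-address lo0.
Parses Junos curly-brace configuration (as printed by 'show configuration') and
flags gateways whose local-address is absent, not on the external interface, or
different from local-identity. All names and addresses below are made up."""

SAMPLE_CONFIG = """
interfaces {
    lo0 {
        unit 1 {
            family inet {
                address 192.0.2.113/32;
                address 192.0.2.114/32;
                address 192.0.2.115/32;
            }
            redundant-pseudo-interface-options {
                redundancy-group 1;
            }
        }
    }
}
security {
    ike {
        gateway gw-peer-a {
            address 198.51.100.1;
            local-identity inet 192.0.2.113;
            external-interface lo0.1;
            local-address 192.0.2.113;
        }
        gateway gw-peer-c {
            address 198.51.100.3;
            local-identity inet 192.0.2.115;
            external-interface lo0.1;
            local-address 192.0.2.113;
        }
    }
}
"""  # gw-peer-c carries the local-identity / local-address mismatch from the thread


def parse_junos(text):
    """Nested dicts; every key maps to a list of child dicts ('x {') or value
    strings ('keyword value;'), so repeated statements such as address survive."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1].setdefault(line[:-1].strip(), []).append(child)
            stack.append(child)
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1].setdefault(key, []).append(value.strip())
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def interface_addresses(config, ifname):
    """Set of inet addresses (prefix length dropped) on a logical interface like 'lo0.1'."""
    phys, _, unit = ifname.partition(".")
    node = config.get("interfaces", [{}])[0].get(phys, [{}])[0]
    inet = node.get(f"unit {unit or '0'}", [{}])[0].get("family inet", [{}])[0]
    addrs = {a.split("/")[0] for a in inet.get("address", [])}  # address x/32;
    addrs |= {k.split()[1].split("/")[0] for k in inet if k.startswith("address ")}  # address x/32 { .. }
    return addrs


def audit_ike_gateways(config):
    """Return (gateway, problem) pairs for gateways that will not source IKE as intended."""
    findings = []
    ike = config.get("security", [{}])[0].get("ike", [{}])[0]
    for key, stanzas in ike.items():
        if not key.startswith("gateway "):
            continue
        name, gw = key.split(None, 1)[1], stanzas[0]
        ext = gw.get("external-interface", [None])[0]
        local_addr = gw.get("local-address", [None])[0]
        ident = gw.get("local-identity", [""])[0]
        ident_ip = ident.split()[1] if ident.startswith("inet ") else None
        if local_addr is None:
            findings.append((name, "no local-address; IKE is sourced from the unit's primary address"))
        elif ext and local_addr not in interface_addresses(config, ext):
            findings.append((name, f"local-address {local_addr} is not configured on {ext}"))
        if ident_ip and local_addr and ident_ip != local_addr:
            findings.append((name, f"local-identity {ident_ip} does not match local-address {local_addr}"))
    return findings


if __name__ == "__main__":
    for gateway, problem in audit_ike_gateways(parse_junos(SAMPLE_CONFIG)):
        print(f"{gateway}: {problem}")
```

Run against a real 'show configuration' dump, the checker reports only gateways where the three values disagree; a gateway with no local-address at all is also reported, since (as Rushi notes in post 2) IKE then sources from the unit's single preferred address rather than the one named in local-identity.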