SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX IKE Responder

    Posted 01-06-2016 02:36

    Dears,

     

    We are using the SRX as an LTE Security Gateway that will terminate the IPsec tunnels of some thousands of eNodeBs. We want the IPsec GW to always be the IKE responder so we can have the most useful logs available on our side. We tried to keep a persistent tunnel on the eNodeB side and an on-demand tunnel on the SRX side, but we still have the status below: the SRX is responder for some eNodeBs and initiator for others:

     

    # run show security ike security-associations detail | match "peer|Role"
    IKE peer X.X.X.X, Index 75179403, Gateway Name: 1220
    Role: Initiator, State: UP
    IKE peer X.X.X.X, Index 75179404, Gateway Name: 1228
    Role: Responder, State: UP

    Any suggestion?

    Kayssar
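    As an added example (not code from the thread), a small parser for the `show security ike security-associations detail | match "peer|Role"` output format quoted above: it pairs each "IKE peer" line with the "Role" line that follows it and lists the gateways for which the SRX was the IKE initiator, which is a quick way to audit thousands of eNodeB tunnels at once. The peer addresses and gateway names in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample in the same format as the CLI output quoted in the thread
# (RFC 5737 documentation addresses, made-up gateway names).
SAMPLE = """\
IKE peer 198.51.100.10, Index 75179403, Gateway Name: 1220
Role: Initiator, State: UP
IKE peer 198.51.100.11, Index 75179404, Gateway Name: 1228
Role: Responder, State: UP
IKE peer 198.51.100.12, Index 75179405, Gateway Name: 1235
Role: Initiator, State: DOWN
"""

PEER_RE = re.compile(r"^IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
ROLE_RE = re.compile(r"^Role: (Initiator|Responder), State: (\S+)")


def parse_ike_sas(text):
    """Return one dict per IKE SA: peer, index, gateway, role, state.

    A "Role" line is attached to the most recent "IKE peer" line; an SA
    whose Role line is missing keeps role/state as None.
    """
    sas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1), "index": int(m.group(2)),
                       "gateway": m.group(3), "role": None, "state": None}
            sas.append(current)
            continue
        m = ROLE_RE.match(line)
        if m and current is not None:
            current["role"], current["state"] = m.group(1), m.group(2)
            current = None  # one Role line per peer block
    return sas


def initiated_by_srx(sas):
    """Gateway names where the SRX (not the eNodeB) started IKE."""
    return sorted(sa["gateway"] for sa in sas if sa["role"] == "Initiator")


def role_summary(sas):
    """Count of SAs per role, e.g. Counter({'Initiator': 2, 'Responder': 1})."""
    return Counter(sa["role"] for sa in sas)


if __name__ == "__main__":
    parsed = parse_ike_sas(SAMPLE)
    print(role_summary(parsed))
    print("SRX-initiated gateways:", initiated_by_srx(parsed))
```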



  • 2.  RE: SRX IKE Responder

     
    Posted 01-06-2016 18:58

    Hello ,

     

    If the SRX is configured with "establish-tunnels immediately" in the IPsec VPN configuration, then it will try to initiate. So kindly remove all "establish-tunnels immediately" or "establish-tunnels" statements from all IPsec configuration on the SRX so that it will act as responder in all cases.



  • 3.  RE: SRX IKE Responder

    Posted 01-07-2016 02:33

    Hi , 

     

    As you can see, "establish-tunnels immediately" is not configured; however, the SRX is responder on some tunnels and initiator on the others:

     

    # show security ipsec | display set | display inheritance | match establish-tunnels

    {primary:node0}[edit]

     

    Br.

    Kayssar



  • 4.  RE: SRX IKE Responder
    Best Answer

    Posted 01-07-2016 03:40

    Unfortunately, Junos does not have a responder only command.

     

    If the SRX has traffic that matches the tunnel requirements and the tunnel is not currently active it will automatically become the initiator.

     

    The only way to prevent this is to stop generating the traffic from the office to the remote side if there is no contact from the remote first.

     

    You might be able to do this by using black hole routing on a route-based VPN. If you have a black hole route for the remote side traffic that is only active when the tunnel is down and the route to the route-based tunnel is no longer in the table, then the traffic destined to the tunnel will be black holed and will not create a tunnel initiation until the remote side brings up the tunnel.



  • 5.  RE: SRX IKE Responder

     
    Posted 08-30-2016 07:16

    Hi there,

     

    Please share your personal email with me. I am working on a similar project and would like to know your challenges etc.