I've configured five route-based site-to-site VPN tunnels on my SRX240 cluster (this is the first time I've configured VPNs on the SRX). I’ve ‘bound’ each VPN to an unnumbered st0 unit interface and associated a static route to each.
I've only had the opportunity to test one of the VPNs so far; however, it looks as though the VPN only works when it's initiated from the remote side. I believe the reason it won't initiate from the SRX is that the IP route to the remote side is not in the routing table, because the associated st0 unit interface is down.
When the VPN is up (initiated from the remote side) the st0 unit interface comes up, the IP route is in the routing table and the VPN works as required.
nod@QHFW-01> show interfaces terse | match st0
st0 up up
st0.0 up down inet
st0.1 up down inet
st0.2 up up inet <-- VPN is active on this interface
st0.3 up down inet
st0.4 up down inet
{primary:node0}[edit security ike]
nod@QHFW-01# show
/* IKE debug tracing. 'world-readable' lets any local user on the device read the trace file, and IKE traces carry peer addresses and negotiation detail; drop 'world-readable' (or set no-world-readable) unless other accounts genuinely need it, and remove 'flag ike' once the initiation problem is resolved. */
traceoptions {
file ike size 1m files 2 world-readable;
flag ike;
flag policy-manager;
flag routing-socket;
}
/* Phase 1 proposals. des-cbc, md5 and dh-group group1 (768-bit MODP) are all deprecated for IKE; keep them only as long as the peer cannot negotiate better, and prefer AES with a SHA-family integrity algorithm and DH group 14 or higher where this release and the peer support them. */
proposal P1-DES {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm md5;
encryption-algorithm des-cbc;
lifetime-seconds 28800;
}
/* 3des-cbc is a 64-bit block cipher; an AES proposal is preferable where the peer supports it. group1 is the weak part of this proposal. */
proposal ike-proposal-3DES {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* Strongest of the four as configured (group2, sha1, 3des); still consider AES where the GlobalRes peer allows it. */
proposal ike-proposal-3DES-DH2 {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* md5 plus group1: weakest integrity and key-exchange choices of the set. */
proposal ike-proposal-3DES-MD5-DH1 {
authentication-method pre-shared-keys;
dh-group group1;
authentication-algorithm md5;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* One IKE policy per peer, each with its own pre-shared key (key values omitted from this paste); a separate key per gateway limits the impact of any one key being disclosed. */
policy ike-policy-1 {
mode main;
proposals P1-DES;
pre-shared-key ascii-text
}
policy ike-policy-Ald {
mode main;
proposals ike-proposal-3DES;
pre-shared-key ascii-text
}
policy ike-policy-Steve {
mode main;
proposals P1-DES;
pre-shared-key ascii-text
}
policy ike-policy-GlobalRes {
mode main;
proposals ike-proposal-3DES-DH2;
pre-shared-key ascii-text
}
/* NOTE(review): the other four policies set 'mode main' explicitly; this one relies on the default. Confirm the intended mode matches the XN peer. */
policy ike-policy-XN {
proposals ike-proposal-3DES-MD5-DH1;
pre-shared-key ascii-text
}
/* All five gateways use static peer addresses on reth1.0, which is the correct external interface for a chassis cluster. Main mode with pre-shared keys relies on the peer's address being fixed, as it is here. */
gateway Frog {
ike-policy ike-policy-1;
address 81.xx.xx.xx;
external-interface reth1.0;
}
gateway Ald {
ike-policy ike-policy-Ald;
address 212.xx.xx.xx;
external-interface reth1.0;
}
/* NOTE(review): the address as pasted carries a trailing '1' after the redaction; presumably a paste artefact, but verify the configured value is the Steve peer's real address. */
gateway Steve {
ike-policy ike-policy-Steve;
address 81.xx.xx.xx1;
external-interface reth1.0;
}
gateway GlobalRes {
ike-policy ike-policy-GlobalRes;
address 69.xx.xx.xx;
external-interface reth1.0;
}
gateway XN {
ike-policy ike-policy-XN;
address 195.xx.xx.xx;
external-interface reth1.0;
{primary:node0}[edit security ipsec]
nod@QHFW-01# show
/* Phase 2 proposals. des-cbc and hmac-md5-96 are weak; prefer AES with hmac-sha1-96 or stronger where the peer supports it. This proposal also has no lifetime-seconds, unlike P2-3DES, so the platform default applies; set it explicitly so both proposals are consistent. */
proposal P2-DES {
protocol esp;
authentication-algorithm hmac-md5-96;
encryption-algorithm des-cbc;
}
proposal P2-3DES {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 28800;
}
/* Neither IPsec policy enables perfect-forward-secrecy keys; consider adding it (with a matching setting on each peer) so a compromised Phase 1 key does not expose Phase 2 keys. */
policy ipsec-policy-1 {
proposals P2-DES;
}
policy ipsec-policy-2 {
proposals P2-3DES;
}
/* Every VPN sets 'establish-tunnels immediately', so the SRX should start IKE after commit without needing traffic or an active route to trigger it; the down st0 units therefore do not explain the failure to initiate. The IKE trace configured under [edit security ike traceoptions] should show whether this side sends the first main-mode message and how the peer answers. NOTE(review): a proxy-ID mismatch with a policy-based peer is a common cause of a route-based tunnel coming up from one side only; worth checking against the peer configuration. */
vpn Frog {
bind-interface st0.0;
ike {
gateway Frog;
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
/* Name differs from its gateway (Ald) and its st0.1 description; aligning the names makes 'show security ipsec sa' and the IKE trace easier to correlate. */
vpn Aldwalk {
bind-interface st0.1;
ike {
gateway Ald;
ipsec-policy ipsec-policy-2;
}
establish-tunnels immediately;
}
/* The one tunnel shown up in 'show interfaces terse' (st0.2). */
vpn Steve {
bind-interface st0.2;
ike {
gateway Steve;
ipsec-policy ipsec-policy-1;
}
establish-tunnels immediately;
}
vpn GlobalRes {
bind-interface st0.3;
ike {
gateway GlobalRes;
ipsec-policy ipsec-policy-2;
}
establish-tunnels immediately;
}
vpn XN {
bind-interface st0.4;
ike {
gateway XN;
ipsec-policy ipsec-policy-2;
}
establish-tunnels immediately;
{primary:node0}[edit interfaces st0]
nod@QHFW-01# show
/* Each unit is 'family inet' with no address, i.e. unnumbered. The unit's link state follows its tunnel (only st0.2 is up in 'show interfaces terse'), so a static route via a down unit is inactive until the SA exists; that is expected for this design. */
description "Secure Tunnel Interfaces";
unit 0 {
description "Secure Tunnel Interface - Frog";
family inet;
}
/* Bound by vpn Aldwalk via gateway Ald. */
unit 1 {
description "Secure Tunnel Interface - Ald";
family inet;
}
unit 2 {
description "Secure Tunnel Interface - Steve";
family inet;
}
/* Description spelling ("Global Res") differs from the vpn and gateway name GlobalRes. */
unit 3 {
description "Secure Tunnel Interface - Global Res";
family inet;
}
unit 4 {
description "Secure Tunnel Interface - XN";
family inet;
}
nod@QHFW-01> show version
node0:
--------------------------------------------------------------------------
Hostname: QHFW-01
Model: srx240h
JUNOS Software Release [10.4R2.7]
node1:
--------------------------------------------------------------------------
Hostname: QHFW-02
Model: srx240h
JUNOS Software Release [10.4R2.7]