Terminating VPN on loopback- Possible ?

jseymour · ‎12-05-2011

I'm configuring a srx-650 cluster off line to replace our aging egde equipment and want to terminate some site to site VPNs on a loopback.

I need to know how the security -> ike -> gateway -> external-interface command really works. Can I set this to lo0.0 and let routing send the traffic to the current default route?.

I have dual ISPs and am running BGP getting default route only . I need the VPNs to go to the appropriate reth interface depending on which is the active ISP. One has 10 X the bandwidth of the other so I do not want to load ballance.

Any help would be appreciated.

MMcD · ‎07-20-2010

A workaround for configuring a VPN, with the loopback IP as the gateway, is to configure the loopback interface and the external physical interface as part of the same security zone.

MMcD [JNCIS-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

keithr · ‎09-10-2009

Yes, you can terminate VPNs on loopback interfaces.

The "external-interface" is used for Peer-ID in the IKE negotiation, it will send the IP of the "external-interface" as the local Peer ID.

Just make sure you have the host-inbound-traffic/system-services configured on the loopback to allow IKE, and probably ping, if you want to use DPD, though there's been some back-and-forth about how that actually works. Also, if your loopback interface is in the same zone as the physical interface which traffic will be arriving/departing on, you'll need a intra-zone security policy to pass the traffic between the interfaces within the same zone.

-kr

---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Terminating VPN on loopback- Possible ?

Re: Terminating VPN on loopback- Possible ?

Re: Terminating VPN on loopback- Possible ?