12-05-2011 07:59 AM
I'm configuring an SRX-650 cluster offline to replace our aging edge equipment and want to terminate some site-to-site VPNs on a loopback.
I need to know how the security -> ike -> gateway -> external-interface command really works. Can I set this to lo0.0 and let routing send the traffic to the current default route?
I have dual ISPs and am running BGP, getting the default route only. I need the VPNs to go to the appropriate reth interface depending on which ISP is active. One has 10X the bandwidth of the other, so I do not want to load balance.
Any help would be appreciated.
12-05-2011 08:12 AM
A workaround for configuring a VPN, with the loopback IP as the gateway, is to configure the loopback interface and the external physical interface as part of the same security zone.
12-05-2011 11:39 AM
Yes, you can terminate VPNs on loopback interfaces.
The "external-interface" is used for the Peer ID in the IKE negotiation; it will send the IP of the "external-interface" as the local Peer ID.
Just make sure you have the host-inbound-traffic/system-services configured on the loopback to allow IKE, and probably ping, if you want to use DPD, though there's been some back-and-forth about how that actually works. Also, if your loopback interface is in the same zone as the physical interface which traffic will be arriving/departing on, you'll need an intra-zone security policy to pass the traffic between the interfaces within the same zone.
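Putting the two replies together, here is an added example configuration in Junos set syntax; it is not from any poster in this thread, and the interface, zone, policy and VPN names, the addresses (203.0.113.10 for lo0, 198.51.100.1 for the peer, 192.0.2.0/24 for the remote site) and the PSK placeholder are all constructed. The lines starting with `##` are annotations for the reader.

```junos
## Loopback that will be the local IKE endpoint (its address is sent as the local peer ID).
set interfaces lo0 unit 0 family inet address 203.0.113.10/32

## Route-based tunnel interface in its own zone for the protected traffic.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

## Workaround from the first reply: lo0.0 shares a zone with both ISP-facing reth interfaces.
## The outer IKE/ESP packets follow the BGP default route to whichever reth is active.
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces lo0.0

## Allow IKE (and ping, for DPD) to the device itself. Set at zone level so it covers
## the loopback and the reth interfaces the packets actually arrive on.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping

## IKE phase 1: external-interface lo0.0 makes 203.0.113.10 the source address and local ID.
set security ike policy ike-pol-1 mode main
set security ike policy ike-pol-1 proposal-set standard
set security ike policy ike-pol-1 pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway vpn-gw-1 ike-policy ike-pol-1
set security ike gateway vpn-gw-1 address 198.51.100.1
set security ike gateway vpn-gw-1 external-interface lo0.0
set security ike gateway vpn-gw-1 dead-peer-detection interval 10
set security ike gateway vpn-gw-1 dead-peer-detection threshold 3

## IPsec phase 2 bound to st0.0; establish immediately so this side can initiate.
set security ipsec policy ipsec-pol-1 proposal-set standard
set security ipsec vpn vpn-1 bind-interface st0.0
set security ipsec vpn vpn-1 ike gateway vpn-gw-1
set security ipsec vpn vpn-1 ike ipsec-policy ipsec-pol-1
set security ipsec vpn vpn-1 establish-tunnels immediately

## Intra-zone policy (untrust -> untrust) from the second reply, scoped to the loopback
## address instead of any/any so it only covers traffic aimed at the VPN endpoint.
set security zones security-zone untrust address-book address lo0-vpn-ip 203.0.113.10/32
set security policies from-zone untrust to-zone untrust policy to-lo0 match source-address any
set security policies from-zone untrust to-zone untrust policy to-lo0 match destination-address lo0-vpn-ip
set security policies from-zone untrust to-zone untrust policy to-lo0 match application any
set security policies from-zone untrust to-zone untrust policy to-lo0 then permit

## Send the remote site's prefix into the tunnel.
set routing-options static route 192.0.2.0/24 next-hop st0.0
```

Policies between the trust zone and the vpn zone for the decrypted traffic are still needed and are not shown here. After commit, `show security ike security-associations` should list 203.0.113.10 as the local address regardless of which reth the BGP default route currently points at.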