SRX Services Gateway
Visitor
jseymour
Posts: 1
Registered: 12-05-2011

Terminating VPN on loopback- Possible ?

I'm configuring a srx-650 cluster off line to replace our aging edge equipment and want to terminate some site to site VPNs on a loopback.


I need to know how the security -> ike -> gateway -> external-interface command really works. Can I set this to lo0.0 and let routing send the traffic to the current default route?


I have dual ISPs and am running BGP getting default route only. I need the VPNs to go to the appropriate reth interface depending on which is the active ISP. One has 10x the bandwidth of the other so I do not want to load balance.


Any help would be appreciated.

Distinguished Expert
MMcD
Posts: 623
Registered: 07-20-2010

Re: Terminating VPN on loopback- Possible ?

A workaround for configuring a VPN, with the loopback IP as the gateway, is to configure the loopback interface and the external physical interface as part of the same security zone.

MMcD [JNCIP-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Terminating VPN on loopback- Possible ?

Yes, you can terminate VPNs on loopback interfaces.


The "external-interface" is used for Peer-ID in the IKE negotiation; it will send the IP of the "external-interface" as the local Peer ID.


Just make sure you have the host-inbound-traffic/system-services configured on the loopback to allow IKE, and probably ping, if you want to use DPD, though there's been some back-and-forth about how that actually works. Also, if your loopback interface is in the same zone as the physical interface which traffic will be arriving/departing on, you'll need an intra-zone security policy to pass the traffic between the interfaces within the same zone.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.