SRX Services Gateway
Accepted Solution

Terminating VPN on loopback- Possible ?

I'm configuring a srx-650 cluster offline to replace our aging edge equipment and want to terminate some site-to-site VPNs on a loopback.

I need to know how the security -> ike -> gateway -> external-interface command really works. Can I set this to lo0.0 and let routing send the traffic to the current default route?

I have dual ISPs and am running BGP getting default route only. I need the VPNs to go to the appropriate reth interface depending on which is the active ISP. One has 10x the bandwidth of the other so I do not want to load balance.

Any help would be appreciated.

Distinguished Expert

Re: Terminating VPN on loopback- Possible ?

A workaround for configuring a VPN, with the loopback IP as the gateway, is to configure the loopback interface and the external physical interface as part of the same security zone.


[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Distinguished Expert

Re: Terminating VPN on loopback- Possible ?

Yes, you can terminate VPNs on loopback interfaces.


The "external-interface" is used for Peer-ID in the IKE negotiation, it will send the IP of the "external-interface" as the local Peer ID.


Just make sure you have the host-inbound-traffic/system-services configured on the loopback to allow IKE, and probably ping, if you want to use DPD, though there's been some back-and-forth about how that actually works. Also, if your loopback interface is in the same zone as the physical interface which traffic will be arriving/departing on, you'll need an intra-zone security policy to pass the traffic between the interfaces within the same zone.


If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
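The two replies above together describe one configuration: loopback and ISP-facing reth interfaces in the same zone, IKE (and ping) opened as host-inbound traffic on the loopback only, the IKE gateway bound to lo0.0 so its address is sent as the local peer ID, and an intra-zone policy so traffic can move between lo0.0 and the reth interfaces. The set-style Junos configuration below is an added worked example, not configuration from either poster or from Juniper; the zone name `untrust`, the interface names `reth0.0`/`reth1.0`/`st0.0`, the object names (`gw-siteA`, `ike-pol-siteA`, `ipsec-pol-siteA`, `vpn-siteA`), and the addresses are all assumptions. `198.51.100.1` and `203.0.113.10` are RFC 5737 documentation addresses standing in for the local loopback and the remote peer, and the pre-shared key is a placeholder to be replaced.

```junos
# Added example, not the posters' or Juniper's configuration. Zone, interface
# and object names plus addresses are assumptions (RFC 5737 documentation
# ranges); replace the pre-shared key placeholder before use.

# Loopback address the VPN terminates on. It is reachable over whichever reth
# currently carries the BGP default route, so no per-ISP gateway is needed.
set interfaces lo0 unit 0 family inet address 198.51.100.1/32

# Tunnel interface for a route-based VPN, in its own zone so tunnel traffic
# is policed separately from the Internet-facing zone.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

# Both ISP-facing reth interfaces and the loopback share the untrust zone
# (the workaround in the first reply).
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces lo0.0

# Open IKE (and ping, for DPD and reachability tests) to the SRX on the
# loopback only; nothing is opened on the reth interfaces themselves.
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ping

# IKE policy. proposal-set standard is a built-in Junos proposal set.
set security ike policy ike-pol-siteA mode main
set security ike policy ike-pol-siteA proposal-set standard
set security ike policy ike-pol-siteA pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"

# IKE gateway bound to lo0.0: the loopback address becomes the local peer ID,
# and the route lookup for 203.0.113.10 picks the reth holding the default route.
set security ike gateway gw-siteA ike-policy ike-pol-siteA
set security ike gateway gw-siteA address 203.0.113.10
set security ike gateway gw-siteA external-interface lo0.0
set security ike gateway gw-siteA dead-peer-detection

# IPsec policy and VPN tied to the gateway above.
set security ipsec policy ipsec-pol-siteA proposal-set standard
set security ipsec vpn vpn-siteA bind-interface st0.0
set security ipsec vpn vpn-siteA ike gateway gw-siteA
set security ipsec vpn vpn-siteA ike ipsec-policy ipsec-pol-siteA
set security ipsec vpn vpn-siteA establish-tunnels immediately

# Intra-zone policy so IKE/ESP packets can pass between lo0.0 and the reth
# interfaces inside untrust (the second reply's point). Scope it to the
# loopback and peer addresses rather than any/any where possible.
set security address-book global address lo0-vpn 198.51.100.1/32
set security address-book global address peer-siteA 203.0.113.10/32
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp match source-address lo0-vpn
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp match source-address peer-siteA
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp match destination-address lo0-vpn
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp match destination-address peer-siteA
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp match application any
set security policies from-zone untrust to-zone untrust policy lo0-ike-esp then permit
```

After `commit`, `show security ike security-associations` and `show security ipsec security-associations` confirm the tunnel is up with 198.51.100.1 as the local address, and `show route 203.0.113.10` shows which reth interface the peer is currently reached through; when the BGP default route moves to the other ISP, that output changes while the IKE gateway definition stays the same. Failing over the reth also means the remote end must accept the loopback address as the peer, not either ISP-assigned address.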
Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.