03-16-2011 10:51 AM
I'm trying to test IPsec scalability on the SRX210 and I'm having some problems getting the desired traffic to go across the ipsec vpn tunnel.
I currently have an SRX210 connected to two IXIA ports. The IxVPN application has correctly set up the emulated gateways and protected hosts, etc.
All the tunnels I configure are coming up fine. I see the correct number of ike and ipsec tunnels in the show security ike security-associations and show security ipsec security-associations outputs.
When the IXIA sends encrypted packets to the SRX210 it properly decrypts and forwards the packets as expected. However, when the IXIA sends traffic in the other direction, the SRX210 is not encrypting the traffic (so not putting it into the secure tunnel).
I have a static route configured to point this traffic to st0.0, but the route for some reason is not active. Yet the st0.0 interface is showing UP UP.
Does anyone know why this route won't become active? I have this working just fine between two other Juniper routers, so not sure why the SRX isn't properly sending traffic through the st0.0 interface as expected.
Anyone have any ideas, or has anyone had experience getting IPsec traffic to work both ways on an SRX210 when testing with IxVPN?
03-16-2011 11:12 AM
I haven't worked with the IXIA products; however, if you could post your SRX config we can take a look and make sure nothing is missing or seems to be configured incorrectly.
Off the top of my head, have you made sure the st0.0 interface is bound to the correct VPN?
03-16-2011 11:20 AM
Sure. Here is the configuration I'm using on the SRX210:
The Ixia private port is connected to ge-0/0/0 and the Ixia public port is connected to ge-0/0/1.
03-16-2011 02:54 PM
Just to let you all know. I got this working by creating individual units on the st0 interface and setting static routes accordingly. From what I have read it looks like to use multipoint you have to configure next-hop tunnels, which I did not want to do in this case. Now I'm seeing traffic going through the tunnels as expected.
The configuration change I made is below:
03-16-2011 05:25 PM
Yeah, you figured it out. Multipoint route-based VPNs use Next Hop Tunnel Binding, which can be done automatically between Juniper devices, or manually by configuring the next-hop bindings. It's only a couple commands to do it, so it's really not that much extra work.
I'm actually surprised you got all those tunnels to work as unnumbered st0 interfaces sharing a single physical egress interface. I've never tried to do more than 1 shared tunnel as unnumbered interfaces. Interesting.
A quick note -- in the future it would be good if you use the "Insert Code" button to paste config snippets, and for really long configurations or snippets, attach them as a file to the post. It makes reading through stuff much, much easier.
Glad you got it working. I'd be interested to know how your load testing turns out, please report back your findings!
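The two layouts discussed in the thread (one st0 unit per VPN with a static route per unit, or a single multipoint st0 unit with manual next-hop tunnel binding) are shown below as an added illustrative Junos configuration. This is example configuration written for this thread, not the poster's configuration from the original post; the VPN names (VPN-A, VPN-B), gateway and policy names, zone names and all 10.x.x.x addresses and prefixes are assumed values.

```junos
## Added example, not the configuration from the original post.
## VPN names, gateway/policy names, zone names and all addresses are assumed.

## --- Option 1: one st0 unit per VPN, one static route per unit ---
## Each VPN is bound to its own unnumbered st0 unit; the static route
## points straight at that unit, so no next-hop binding is needed.
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet

set security ipsec vpn VPN-A bind-interface st0.1
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-A establish-tunnels immediately

set security ipsec vpn VPN-B bind-interface st0.2
set security ipsec vpn VPN-B ike gateway GW-B
set security ipsec vpn VPN-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-B establish-tunnels immediately

## Remote protected networks (assumed prefixes), one route per tunnel unit
set routing-options static route 10.1.0.0/24 next-hop st0.1
set routing-options static route 10.2.0.0/24 next-hop st0.2

## st0 units must live in a security zone, and a zone policy must permit
## the traffic; a route alone does not allow it through the firewall.
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
set security policies from-zone trust to-zone vpn policy to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy to-vpn match application any
set security policies from-zone trust to-zone vpn policy to-vpn then permit

## --- Option 2: a single multipoint st0 unit with manual next-hop tunnel binding ---
## Several VPNs share st0.0; each remote tunnel address is tied to its VPN
## with next-hop-tunnel, and the static routes use those addresses as next hops.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.10.10.1/24
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.2 ipsec-vpn VPN-A
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.3 ipsec-vpn VPN-B

set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-B bind-interface st0.0

set routing-options static route 10.1.0.0/24 next-hop 10.10.10.2
set routing-options static route 10.2.0.0/24 next-hop 10.10.10.3
set security zones security-zone vpn interfaces st0.0

## Verification (operational mode), matching the commands used in the thread:
##   show interfaces st0 terse
##   show route 10.1.0.0/24
##   show security ike security-associations
##   show security ipsec security-associations
```

With Option 1 the route becomes active as soon as the bound st0 unit is up; with Option 2 the route depends on the next-hop-tunnel entry, so a missing or mistyped binding shows up as an inactive route even though st0.0 reports UP. In both layouts the zone policy is what actually permits the cleartext traffic to enter the tunnel, which is worth checking before suspecting the IPsec configuration.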
09-24-2011 09:07 AM
Similar situation, but going to Cisco, where the same host needs to reach multiple hosts on my network, so my proxy identity pairs all have the same remote, therefore making my routes the same. So instead of
18.104.22.168 to st0.1
22.214.171.124 to st0.2, etc.
I really need to go
126.96.36.199 to st0.1
188.8.131.52 to st0.2, but need to differentiate by source address. I guess I am going to have to use policy VPN. Hope I can still do outbound NAT.