SRX Services Gateway
Trusted Contributor
ttl_expired
Posts: 429
Registered: ‎11-11-2008
Accepted Solution

Two route-based VPNs over the same phase 1

Hi All,

Is it possible to have multiple phase 2 tunnels running over the same phase 1? My case is that I have two firewalls with multiple VRs and I would like to create a route-based VPN between all the VRs. The two firewalls are connected to each other via one public IP on each side, so I would essentially have one phase 1 setup with multiple st0 interfaces terminating in different VRs.

As you can see below, I tried to make one IKE gateway and then have two VPNs reference it. It seems to work for a few minutes, then only one of them remains up and the other goes down.


ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$BSg1hreK8db27-DkmPn6IEclWx"; ## SECRET-DATA
    }
    gateway ike-gate {
        ike-policy ike-policy1;
        address 5.5.5.2;
        external-interface fe-0/0/0;
    }
}
ipsec {
    traceoptions {
        flag security-associations;
    }
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn ike-vpn {
        bind-interface st0.0;
        ike {
            gateway ike-gate;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
    vpn CustomerA {
        bind-interface st0.100;
        ike {
            gateway ike-gate;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
}


Distinguished Expert
pk
Posts: 793
Registered: ‎10-09-2008

Re: Two route-based VPNs over the same phase 1

Hi

I've never tried something similar, but following the analogy with policy-based
VPN, I would suggest assigning every VPN (phase 2) its own proxy-IDs. For example:

set security ipsec vpn ike-vpn ike proxy-identity local 1.1.1.1/32 remote 1.1.1.1/32 service any
set security ipsec vpn CustomerA ike proxy-identity local 2.2.2.2/32 remote 2.2.2.2/32 service any

Same on the other SRX, of course. Probably this will enhance the stability
of your setup (but no guarantee, just a guess).

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
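Carrying that suggestion through to a complete configuration, as an added example that is not part of the original thread or the poster's own config: one IKE gateway shared by two route-based VPNs, each phase 2 with its own proxy-ID and its own st0 unit, and the second st0 unit placed in a separate virtual router. The peer addresses (5.5.5.1 on this side, 5.5.5.2 on the far side), the subnets 10.1.0.0/24, 10.2.0.0/24, 10.11.0.0/24 and 10.12.0.0/24, the routing-instance name cust-a and the zone names are assumptions for illustration. The reason the original setup flapped is that a route-based VPN on the SRX negotiates phase 2 with the default proxy-ID 0.0.0.0/0 <-> 0.0.0.0/0 when none is configured; two SAs to the same peer with identical proxy-IDs look like one SA being replaced, so the peer keeps only the newer one. Distinct proxy-IDs make the two SAs distinguishable. The SRX still selects traffic for a route-based VPN by route, not by proxy-ID, so the values only have to be unique per VPN and mirrored exactly on the peer (this side's local is the far side's remote).

```junos
## Side A (5.5.5.1). Constructed example; addresses, instance and zone names are assumed.

## One phase 1 gateway, shared by both phase 2 tunnels
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text "example-psk-change-me"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 5.5.5.2
set security ike gateway ike-gate external-interface fe-0/0/0

set security ipsec policy vpn-policy1 proposal-set standard

## Phase 2 for the default VR, terminating on st0.0
set security ipsec vpn ike-vpn bind-interface st0.0
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn ike proxy-identity local 10.1.0.0/24 remote 10.11.0.0/24 service any
set security ipsec vpn ike-vpn establish-tunnels immediately

## Phase 2 for CustomerA, terminating on st0.100; proxy-ID differs from ike-vpn's
set security ipsec vpn CustomerA bind-interface st0.100
set security ipsec vpn CustomerA ike gateway ike-gate
set security ipsec vpn CustomerA ike ipsec-policy vpn-policy1
set security ipsec vpn CustomerA ike proxy-identity local 10.2.0.0/24 remote 10.12.0.0/24 service any
set security ipsec vpn CustomerA establish-tunnels immediately

## Tunnel interfaces: point-to-point, unnumbered is fine for static routing
set interfaces st0 unit 0 family inet
set interfaces st0 unit 100 family inet

## st0.0 stays in the default instance; st0.100 is moved into the CustomerA VR.
## The IKE gateway's external interface (fe-0/0/0) remains in the default instance.
set routing-instances cust-a instance-type virtual-router
set routing-instances cust-a interface st0.100
set routing-instances cust-a routing-options static route 10.12.0.0/24 next-hop st0.100
set routing-options static route 10.11.0.0/24 next-hop st0.0

## Each st0 unit must belong to a security zone; security policies between
## the tunnel zones and the inside zones are still required and are not shown here.
set security zones security-zone vpn-default interfaces st0.0
set security zones security-zone vpn-cust-a interfaces st0.100

## Side B (5.5.5.2) uses the same structure with the proxy-IDs mirrored:
##   set security ipsec vpn ike-vpn   ike proxy-identity local 10.11.0.0/24 remote 10.1.0.0/24 service any
##   set security ipsec vpn CustomerA ike proxy-identity local 10.12.0.0/24 remote 10.2.0.0/24 service any

## Verification after commit: expect a single IKE SA to 5.5.5.2 and two IPsec SAs,
## one bound to st0.0 and one to st0.100, that both stay up across rekeys.
## run show security ike security-associations
## run show security ipsec security-associations
## run show security ipsec security-associations detail
```

If one tunnel still drops after this change, compare the proxy-ID shown in `show security ipsec security-associations detail` on both sides: any mismatch (including the service) makes the peer reject or replace the SA, and the failing side logs it under the `security-associations` traceoptions flag the original post already enables.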
Trusted Contributor
ttl_expired
Posts: 429
Registered: ‎11-11-2008

Re: Two route-based VPNs over the same phase 1

That seems to have worked.  Thanks!

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.