SRX Services Gateway
Reply
Contributor
Fahad_khan
Posts: 152
Registered: ‎10-21-2008
0

route based VPN questions?

Hi folks,

 

1- How can I forcefully let the Phase 1 down If the Phase 2 is already down?

 

2- What is the relationship between st0.x interface and Phase 1?

 

3- What is the relationship between st0.x interface and phase 2?

 

waiting for urgent response?

 

regards,

 

 

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
+92-301-8247638 begin_of_the_skype_highlighting              +92-301-8247638      end_of_the_skype_highlighting
+92-321-2370510 begin_of_the_skype_highlighting              +92-321-2370510      end_of_the_skype_highlighting
Contributor
SvenH
Posts: 34
Registered: ‎02-19-2009
0

Re: route based VPN questions?

Hi,

 

I think you can forcefully remove all security associations using "clear security ike security-associations" in operational mode.

 

In regards to #2 and #3, they do not really have much to do with phase 1 or phase 2.

 

Phase 1 is usually the preshared key exchange where the two endpoints talk to one another and present each other with the type of key exchange that is going to take place.  They authenticate, and then enter phase 2, which is where the secure connection is created that you can then use via the st.x interfaces.

 

Since this is a "virtual" connection and you need to use an interface to route across you do this using the st.x interfaces.

 

If you ae familiar with Screenos, it is the same as a tun.x interface on screenos.

 

HTH

Contributor
fahad.khan@gmail.com
Posts: 10
Registered: ‎06-18-2009
0

Re: route based VPN questions?

I have worked with both screenOS and Junos-es.

 

I do know we can clear IKE but I wanted to know how can this be automatically done??In some cases, phase 2 is down, but phase 1 is up and my st0.x interface is up, hence route does not get flushed. Hence in case of redundant tunnels, traffic does not take route for secondary tunnel.

 

But what I have seen by configuring VPN monitor with "establish tunnel immediately" I am able to do so.

 

Another question is , do the "establish tunnel immediately" in SRX and "rekey" play the same role?

 

regards,

Super Contributor
colemtb
Posts: 311
Registered: ‎09-30-2009
0

Re: route based VPN questions?

[ Edited ]

To clear ike "automagically" you can use deep-peer-detection uner the ike gatweay stanza.

 

establish tunnel immediatly should not be under vpn-monitor, just under the vpn.

 

To clear IPSEC automatically, use destination-ip under your vpn-monitor.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.