12-03-2010 04:35 AM
1- How can I forcefully bring Phase 1 down if Phase 2 is already down?
2- What is the relationship between st0.x interface and Phase 1?
3- What is the relationship between st0.x interface and phase 2?
Waiting for an urgent response.
12-03-2010 05:10 AM
I think you can forcefully remove all security associations using "clear security ike security-associations" in operational mode.
With regard to #2 and #3, they do not really have much to do with phase 1 or phase 2.
Phase 1 is usually the preshared key exchange where the two endpoints talk to one another and present each other with the type of key exchange that is going to take place. They authenticate, and then enter phase 2, which is where the secure connection is created that you can then use via the st.x interfaces.
Since this is a "virtual" connection and you need to use an interface to route across you do this using the st.x interfaces.
If you are familiar with ScreenOS, it is the same as a tun.x interface on ScreenOS.
12-03-2010 07:19 AM
I have worked with both ScreenOS and Junos-ES.
I do know we can clear IKE, but I wanted to know how this can be done automatically. In some cases, phase 2 is down, but phase 1 is up and my st0.x interface is up, hence the route does not get flushed. Hence, in the case of redundant tunnels, traffic does not take the route for the secondary tunnel.
But what I have seen is that by configuring VPN monitor with "establish tunnel immediately" I am able to do so.
Another question is, do "establish tunnel immediately" in SRX and "rekey" play the same role?
12-03-2010 07:36 AM - edited 12-03-2010 07:36 AM
To clear IKE "automagically" you can use dead-peer-detection under the ike gateway stanza.
establish tunnel immediately should not be under vpn-monitor, just under the vpn.
To clear IPsec automatically, use destination-ip under your vpn-monitor.
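The three knobs named in the replies above, put together in one Junos set-style configuration as an added example (this is not configuration posted by anyone in the thread). The gateway, VPN, policy, address and interface names (GW-PEER-A, VPN-PEER-A, IKE-POL, IPSEC-POL, 203.0.113.2, 10.1.1.1, ge-0/0/0.0, st0.0 and the 10.1.0.0/16 prefix) are placeholders chosen for illustration; the second tunnel on st0.1 is shown only as the route-level piece of a redundant pair. dead-peer-detection sits under the ike gateway (tears down phase 1 when the peer stops answering), vpn-monitor destination-ip sits under the ipsec vpn (tears down phase 2 and brings st0.0 down when the probe target stops answering), and establish-tunnels immediately sits directly under the ipsec vpn, not under vpn-monitor:

```text
## Phase 1: dead peer detection under the IKE gateway.
## Peer address 203.0.113.2 and interval/threshold values are illustrative.
set security ike gateway GW-PEER-A ike-policy IKE-POL
set security ike gateway GW-PEER-A address 203.0.113.2
set security ike gateway GW-PEER-A external-interface ge-0/0/0.0
set security ike gateway GW-PEER-A dead-peer-detection always-send
set security ike gateway GW-PEER-A dead-peer-detection interval 10
set security ike gateway GW-PEER-A dead-peer-detection threshold 3

## Phase 2: route-based VPN bound to st0.0, monitored by ICMP probes
## to 10.1.1.1 (a host behind the remote peer; illustrative address).
## When the monitor fails, the IPsec SA is cleared and st0.0 goes down,
## so the static route through it is withdrawn.
set security ipsec vpn VPN-PEER-A bind-interface st0.0
set security ipsec vpn VPN-PEER-A ike gateway GW-PEER-A
set security ipsec vpn VPN-PEER-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PEER-A vpn-monitor source-interface st0.0
set security ipsec vpn VPN-PEER-A vpn-monitor destination-ip 10.1.1.1
set security ipsec vpn VPN-PEER-A establish-tunnels immediately

## Redundant path: primary via st0.0, secondary via st0.1 with a worse
## preference, so traffic only fails over once st0.0 is actually down.
set routing-options static route 10.1.0.0/16 next-hop st0.0
set routing-options static route 10.1.0.0/16 qualified-next-hop st0.1 preference 10

## Operational checks after a commit:
##   show security ike security-associations
##   show security ipsec security-associations
##   show interfaces st0.0 terse
## Manual teardown, as mentioned earlier in the thread:
##   clear security ike security-associations
##   clear security ipsec security-associations
```

The point of the combination is the failure mode described in the thread: with DPD alone, a phase 2 failure that leaves phase 1 up also leaves st0.0 up, so the primary route is never withdrawn; vpn-monitor is what ties the interface state to the phase 2 SA. Tune interval and threshold to the link, since an aggressive DPD setting on a lossy WAN will flap the tunnel.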