SRX Services Gateway

IPSEC termination on loopback interface or physical interface on SRX3600?

05-02-2012 01:56 PM

Hi Experts

 

I heard that on higher end SRX 3000/5000, IPSEC termination on loopback interface or physical interface is not supported. Is that true?

 

Thanks

5 REPLIES

Re: IPSEC termination on loopback interface or physical interface on SRX3600?

05-02-2012 05:00 PM
Yes, it's true. KB19829 confirms the same. http://kb.juniper.net/kb19829
Regards,
Pradeep JNCIE-SEC

Re: IPSEC termination on loopback interface or physical interface on SRX3600?

05-02-2012 11:18 PM

Hi Aeroplane,

 

Just to clarify, for the HE platform, IPSec VPN termination on loopback is not supported, no matter whether it is in a chassis cluster.

A physical interface can be used to terminate IPSec VPN if it is not in a chassis cluster.

If the box is in chassis cluster, only reth can be used to terminate IPsec VPN.

 

Cheers,

 

Tim.


Re: IPSEC termination on loopback interface or physical interface on SRX3600?

05-02-2012 11:18 PM

Hi,

 

Check this post; it might be helpful for you.

 

http://forums.juniper.net/t5/SRX-Services-Gateway/Issues-terminating-VPN-to-lo0-0-on-SRX3400-cluster...

 

 

Regards,

 

Mohamed Elhariry

 

JNCIE-M/T # 1059, CCNP & CCIP

 


Re: IPSEC termination on loopback interface or physical interface on SRX3600?

05-03-2012 03:01 AM

Thanks guys. Could you please provide this to me as well:

 

1- IPSEC termination on non-reth interfaces (physical, loopback) for branch SRX in chassis cluster mode

2- IPSEC termination on non-reth interfaces (physical, loopback) for HE SRX in chassis cluster mode

3- IPSEC termination on loopback interface for HE SRX standalone

 

Thanks


Re: IPSEC termination on loopback interface or physical interface on SRX3600?

07-27-2012 11:47 AM

tleung is correct, it doesn't matter if the HE SRX is in a cluster or not. Phase 2 will not come up if you're using loopback interfaces.

 

I hope KB19829 is updated to reflect this soon.
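
An added example, not part of the thread and not Juniper code: a small audit of a Junos `set`-format configuration that flags IKE gateways whose `external-interface` conflicts with what the replies above describe for high-end SRX (no termination on lo0; in a chassis cluster, only reth). The sample configuration, the gateway names, the function name and the cluster-detection heuristic (any `set chassis cluster` line) are assumptions made for illustration.

```python
import re

# Constructed sample configuration in Junos "set" format (not from the thread).
SAMPLE_CONFIG = """\
set chassis cluster reth-count 2
set security ike gateway gw-lo0 external-interface lo0.0
set security ike gateway gw-reth external-interface reth0.0
set security ike gateway gw-phys external-interface ge-0/0/1.0
"""

# One IKE gateway definition line: captures gateway name and interface.
GATEWAY_RE = re.compile(
    r"^set security ike gateway (\S+) external-interface (\S+)[ \t]*$",
    re.MULTILINE,
)


def audit_ike_termination(config, high_end=True):
    """Return {gateway: finding} for IKE gateways whose external-interface
    conflicts with the behaviour described in the replies above.

    Only the high-end (SRX 3000/5000) statements from the thread are
    encoded; with high_end=False nothing is flagged.
    """
    # Assumption: a device is treated as clustered if the configuration
    # contains any "set chassis cluster" statement.
    clustered = re.search(r"^set chassis cluster\b", config, re.MULTILINE) is not None
    findings = {}
    if not high_end:
        return findings
    for name, ifname in GATEWAY_RE.findall(config):
        if ifname.startswith("lo0"):
            findings[name] = f"{ifname}: loopback termination not supported on high-end SRX"
        elif clustered and not ifname.startswith("reth"):
            findings[name] = f"{ifname}: in a chassis cluster only reth can terminate IPsec"
    return findings


if __name__ == "__main__":
    for gateway, finding in sorted(audit_ike_termination(SAMPLE_CONFIG).items()):
        print(f"{gateway}: {finding}")
```
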