SRX Services Gateway

Terminating VPN on loopback- Possible ?

12-05-2011 07:59 AM

I'm configuring an SRX-650 cluster offline to replace our aging edge equipment and want to terminate some site-to-site VPNs on a loopback.


I need to know how the security -> ike -> gateway -> external-interface command really works. Can I set this to lo0.0 and let routing send the traffic to the current default route?


I have dual ISPs and am running BGP, receiving a default route only. I need the VPNs to go to the appropriate reth interface depending on which is the active ISP. One has 10x the bandwidth of the other, so I do not want to load balance.


Any help would be appreciated.


Re: Terminating VPN on loopback- Possible ?

12-05-2011 08:12 AM

A workaround for configuring a VPN, with the loopback IP as the gateway, is to configure the loopback interface and the external physical interface as part of the same security zone.


[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]

Re: Terminating VPN on loopback- Possible ?

12-05-2011 11:39 AM

Yes, you can terminate VPNs on loopback interfaces.


The "external-interface" is used for the Peer ID in the IKE negotiation; the SRX will send the IP of the "external-interface" as the local Peer ID.


Just make sure you have host-inbound-traffic/system-services configured on the loopback to allow IKE, and probably ping if you want to use DPD, though there's been some back-and-forth about how that actually works. Also, if your loopback interface is in the same zone as the physical interface that traffic will be arriving/departing on, you'll need an intra-zone security policy to pass the traffic between the interfaces within the same zone.


If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.