SRX

Hi there,

I am trying to create a solution where interesting traffic can traverse two IPsec tunnels between the same two firewalls, please see topology attached:

The issue i am having is only one of the vpn's is working and the other is down:

show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
4781957 UP     f18ee9deae57e28f  cf6828432f53694f  IKEv2          85.1.1.1
4782025 DOWN   dbba261f6ed738c4  0000000000000000  IKEv2          86.1.1.1

including the tunnel interface which is in a up down state.

I want both VPN tunnels up at the same time and interesting traffic able too use both tunnels st0.1 and st0.2. They key requirement for me is to use one physical external interface for both VPN's on each side.

Can anyone assist me on a solution for getting both VPN tunnels to be running at the same time. I currently have full connectivity using st0.1

Eventually, I will use ECMP over the two VPN's but firstly need to get the second up.

Any help would be appreciated. Please ask if further detail is needed.

Attachment(s)

Site-2-config.txt   7 KB 1 version

Site-1-config.txt   7 KB 1 version

Any advice on why the second VPN is not coming up would be appreciated.

Hello,

Please see if this forum post from 2011 helps

https://forums.juniper.net/t5/SRX-Services-Gateway/Cannot-get-multiple-IPsec-tunnels-working-on-SRX/m-p/109680/highlight/true#M13768

HTH

Thx

Alex

Resolved this in the end, proxy-identities can be used to uniquely identify each IPsec tunnel, as long as this is different for each ipsec tunnel they will come up.