SRX

Hi All,

   Is it possible to have multiple phase 2 tunnels running over the same phase 1?  My case is that i have two firewalls with multiple VR's and I would like to created a route based VPN between all the VR's.  The two firewalls are connected to each other via one public IP on each side so I would essentially ahve one phase 1 setup with mulitple ST0 interfaces terminating in different VR's

As you can see below I tried to make one ike gateway then have two vpn's reference it.  It seems to work for a few minutes then only one of them remains up and the other goes down.

ike {
    policy ike-policy1 {
        mode main;
        proposal-set standard;
        pre-shared-key ascii-text "$9$BSg1hreK8db27-DkmPn6IEclWx"; ## SECRET-DATA
    }
    gateway ike-gate {
        ike-policy ike-policy1;
        address 5.5.5.2;
        external-interface fe-0/0/0;
    }
}
ipsec {
    traceoptions {
        flag security-associations;
    }
    policy vpn-policy1 {
        proposal-set standard;
    }
    vpn ike-vpn {
        bind-interface st0.0;
        ike {
            gateway ike-gate;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
    vpn CustomerA {
        bind-interface st0.100;
        ike {
            gateway ike-gate;
            ipsec-policy vpn-policy1;
        }
        establish-tunnels immediately;
    }
}

Hi

I've never tried something similar, but following the analogy with policy-based
VPN, I would suggest to assign every vpn (phase 2) its own proxy-ids. For example

set security ipsec vpn ike-vpn ike proxy-identity local 1.1.1.1/32 remote 1.1.1.1/32 service any
set security ipsec vpn CustomerA ike proxy-identity local 2.2.2.2/32 remote 2.2.2.2/32 service any

Same on the other SRX, of course. Probarbly this will enhance the stability
of your setup (but no guarantee, just a guess).

That seems to have worked.  Thanks!