Hello.
I'm trying to achieve IPsec STS failover using DPD.
There are three vSRX (12.1X47-D20.7) in my test lab.
1. top router (routing between two routers)
Interfaces
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.254/24
2. first IPsec router with RPM probe and ip-monitoring
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.1.1/24
set interfaces st0 unit 1 description "IPsec to SRX2"
set interfaces st0 unit 1 family inet address 10.10.0.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.254
set routing-options static route 10.254.2.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX2 mode aggressive
set security ike policy ike_pol_STS_to_SRX2 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX2 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX2 ike-policy ike_pol_STS_to_SRX2
set security ike gateway gw_STS_to_SRX2 address 192.168.10.1
set security ike gateway gw_STS_to_SRX2 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX2 proposal-set compatible
set security ipsec vpn STS_to_SRX2 bind-interface st0.1
set security ipsec vpn STS_to_SRX2 ike gateway gw_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 ike ipsec-policy ipsec_pol_STS_to_SRX2
set security ipsec vpn STS_to_SRX2 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX2 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone STS_Zone interfaces st0.1
set services rpm probe DG_1_254 test PING_1_DG target address 192.168.1.254
set services rpm probe DG_1_254 test PING_1_DG probe-count 10
set services rpm probe DG_1_254 test PING_1_DG probe-interval 5
set services rpm probe DG_1_254 test PING_1_DG test-interval 5
set services rpm probe DG_1_254 test PING_1_DG thresholds successive-loss 5
set services ip-monitoring policy GW_failover match rpm-probe DG_1_254
set services ip-monitoring policy GW_failover then preferred-route route 0.0.0.0/0 next-hop 192.168.2.254
3. second IPsec router with DPD
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.254.2.1/24
set interfaces st0 unit 1 description "IPsec to SRX1"
set interfaces st0 unit 1 family inet address 10.10.0.2/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.254
set routing-options static route 10.254.1.0/24 next-hop st0.1
set security ike policy ike_pol_STS_to_SRX1 mode aggressive
set security ike policy ike_pol_STS_to_SRX1 proposal-set compatible
set security ike policy ike_pol_STS_to_SRX1 pre-shared-key ascii-text ""
set security ike gateway gw_STS_to_SRX1 ike-policy ike_pol_STS_to_SRX1
set security ike gateway gw_STS_to_SRX1 address 192.168.1.1
set security ike gateway gw_STS_to_SRX1 address 192.168.2.1
set security ike gateway gw_STS_to_SRX1 dead-peer-detection always-send
set security ike gateway gw_STS_to_SRX1 dead-peer-detection interval 10
set security ike gateway gw_STS_to_SRX1 external-interface ge-0/0/1.0
set security ipsec policy ipsec_pol_STS_to_SRX1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_STS_to_SRX1 proposal-set compatible
set security ipsec vpn STS_to_SRX1 bind-interface st0.1
set security ipsec vpn STS_to_SRX1 ike gateway gw_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 ike ipsec-policy ipsec_pol_STS_to_SRX1
set security ipsec vpn STS_to_SRX1 establish-tunnels immediately
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match source-address addr_10_254_2_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match destination-address addr_10_254_1_0_24
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 match application any
set security policies from-zone trust to-zone STS_Zone policy policy_out_STS_to_SRX1 then permit
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match source-address addr_10_254_1_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match destination-address addr_10_254_2_0_24
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 match application any
set security policies from-zone STS_Zone to-zone trust policy policy_in_STS_to_SRX2 then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_10_254_2_0_24 10.254.2.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone STS_Zone address-book address addr_10_254_1_0_24 10.254.1.0/24
set security zones security-zone STS_Zone interfaces st0.1
While 192.168.1.254 (top router) is available, IPsec is working fine.
But when I emulate failover by deleting the 192.168.1.254 IP address
delete interfaces ge-0/0/2 unit 0 family inet address 192.168.1.254/24
the IPsec tunnel goes down and never comes up.
ip-monitoring and the route change are working on the first SRX.
root@SRX1> show services ip-monitoring status
Policy - GW_failover (Status: FAIL)
RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
DG_1_254 PING_1_DG 192.168.1.254 FAIL
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
inet.0 0.0.0.0/0 192.168.2.254 APPLIED
It can ping 192.168.10.1 (the second SRX) and the second SRX can ping 192.168.2.1 (the first SRX), but the tunnel is down.
root@SRX2> show security ipsec security-associations
Total active tunnels: 0
root@SRX2> show security ike security-associations
root@SRX2> show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131073 500 2 0 600a29 192.168.2.1 DPD failover
root@SRX2>
After re-enabling 192.168.1.254 on the top router, SRX1 ip-monitoring switches the route back
root@SRX1> show services ip-monitoring status
Policy - GW_failover (Status: PASS)
RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
DG_1_254 PING_1_DG 192.168.1.254 PASS
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
inet.0 0.0.0.0/0 192.168.2.254 NOT-APPLIED
but the IPsec tunnel is still down.
What is wrong with this config?
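Added example (not part of the post, and not Juniper tooling): a small Python parser for the two Junos outputs quoted above, `show services ip-monitoring status` and `show security ipsec inactive-tunnels`, plus a correlation step that flags the state the post describes, where the RPM-driven route failover has been APPLIED on one side while the peer reports the tunnel inactive with reason "DPD failover". The sample inputs are constructed from the post's own output; the function names and the finding strings are this example's own.

```python
"""Parse and correlate Junos ip-monitoring and inactive-tunnel output.

Added example: the parsers below are written for the two show-command
outputs quoted in the post, not a Juniper library. Sample texts are
constructed from that post.
"""
import re

# Constructed from the post: 'show services ip-monitoring status' during failover.
IPMON_FAIL = """\
Policy - GW_failover (Status: FAIL)
RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
DG_1_254 PING_1_DG 192.168.1.254 FAIL
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
inet.0 0.0.0.0/0 192.168.2.254 APPLIED
"""

# Constructed from the post: 'show security ipsec inactive-tunnels' on the peer.
INACTIVE = """\
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131073 500 2 0 600a29 192.168.2.1 DPD failover
"""


def parse_ip_monitoring(text):
    """Return policy status, probe rows and route-action rows as dicts."""
    result = {"policy": None, "status": None, "probes": [], "routes": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Policy - (\S+) \(Status: (\w+)\)", line)
        if m:
            result["policy"], result["status"] = m.group(1), m.group(2)
            continue
        if line.startswith("RPM Probes:"):
            section = "probes"
            continue
        if line.startswith("Route-Action:"):
            section = "routes"
            continue
        # Skip blank lines, separator rules and column headers.
        if not line or line.startswith("-") or line.startswith(("Probe name", "route-instance")):
            continue
        cols = line.split()
        if section == "probes" and len(cols) == 4:
            result["probes"].append(
                {"probe": cols[0], "test": cols[1], "address": cols[2], "status": cols[3]})
        elif section == "routes" and len(cols) == 4:
            result["routes"].append(
                {"instance": cols[0], "route": cols[1], "next_hop": cols[2], "state": cols[3]})
    return result


def parse_inactive_tunnels(text):
    """Return one dict per inactive-tunnel row; the reason may contain spaces."""
    tunnels = []
    for raw in text.splitlines():
        cols = raw.split()
        # Data rows start with a numeric tunnel ID and UDP port.
        if len(cols) >= 7 and cols[0].isdigit() and cols[1].isdigit():
            tunnels.append({
                "id": int(cols[0]), "port": int(cols[1]), "nego": int(cols[2]),
                "fail": int(cols[3]), "flag": cols[4], "gateway": cols[5],
                "reason": " ".join(cols[6:]),
            })
    return tunnels


def assess(ipmon, tunnels):
    """Correlate both outputs and return a list of human-readable findings."""
    findings = []
    applied = [r for r in ipmon["routes"] if r["state"] == "APPLIED"]
    if ipmon["status"] == "FAIL" and applied:
        findings.append(
            f"ip-monitoring policy {ipmon['policy']} moved {applied[0]['route']} "
            f"to next-hop {applied[0]['next_hop']}")
    elif ipmon["status"] == "PASS" and not applied:
        findings.append(f"ip-monitoring policy {ipmon['policy']} restored the primary route")
    for t in tunnels:
        if t["reason"] == "DPD failover":
            findings.append(
                f"tunnel {t['id']} to gateway {t['gateway']} is inactive after DPD failover "
                f"(negotiations={t['nego']}, failures={t['fail']})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ip_monitoring(IPMON_FAIL), parse_inactive_tunnels(INACTIVE)):
        print(finding)
```

Feeding the post's two outputs through `assess` yields two findings: the default route on SRX1 has been moved to 192.168.2.254, and SRX2 holds tunnel 131073 inactive towards 192.168.2.1 with reason "DPD failover". Running the same correlation against the post-recovery output (Status: PASS, state NOT-APPLIED) yields the "restored the primary route" finding while the tunnel finding persists, which is exactly the symptom being asked about.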