[J/SRX] How to determine if the IPsec IKE Gateway is configured for the correct outgoing interface

Article ID: KB10121 KB Last Updated: 25 Feb 2020 Version: 6.0
Summary:

This article explains how to verify that the external interface configured for the VPN matches the expected outgoing interface.

Solution:

To confirm that the outgoing VPN interface configured in Phase 1 matches the egress interface toward the peer gateway, perform the following steps:

 

Step 1. Locate the current configured IKE external-interface.

CLI:

root@CORPORATE# show security ike
policy ike_pol {
    mode main;
    proposal-set compatible;
    pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
}
gateway gw_srx1 {
    ike-policy ike_pol;
    address 2.2.2.2;
    external-interface ge-0/0/0;
}
JWEB:
  • Go to Configure > IPSec VPN > Auto Tunnel > Phase I.
  • Review the External Interface column for the gateway in question.
 
 

Step 2. Locate the expected egress interface based on route to peer gateway.

CLI:
root@CORPORATE> show route 2.2.2.2

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[Static/5] 00:01:11
                    > to 1.1.1.1 via ge-0/0/8.0
JWEB:
  • Go to Monitor > Routing > Routing Information
  • Enter the peer gateway address into Destination Address
  • Click the Search button
  • Check the Next-Hop column for the egress interface

 
 

Step 3. Do the interfaces found in Step 1 and Step 2 match? 

  • Yes -  No changes are necessary.

  • No, but the VPN external-interface in Step 1 is a loopback interface - No changes are necessary.

     

  • No - Edit the IKE gateway external-interface to reflect the egress interface towards peer found in Step 2.
CLI:
root@CORPORATE# set security ike gateway gw_srx1 external-interface ge-0/0/8
root@CORPORATE# commit

JWEB:
  • Go to Configure > IPSec VPN > Auto Tunnel > Phase I
  • Click on the gateway in question, then click Edit
  • Select the interface from the drop-down menu under External Interface
  • Click OK
  • Click Commit Options, then Commit
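
Steps 1 to 3 as a script, added here as an example and not part of the Juniper article: it parses saved `show security ike` and `show route` output and applies the Step 3 decision. The function names are hypothetical, the sample text is constructed from the listings above, and treating an interface given without a unit as unit 0 is an assumption.

```python
import re

# Constructed sample outputs, mirroring the listings in Steps 1 and 2.
IKE_CONFIG = """\
gateway gw_srx1 {
    ike-policy ike_pol;
    address 2.2.2.2;
    external-interface ge-0/0/0;
}
"""
ROUTE_OUTPUT = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2.2.2.2/32         *[Static/5] 00:01:11
                    > to 1.1.1.1 via ge-0/0/8.0
"""

def ike_gateways(config):
    """Map gateway name -> (peer address, external-interface)."""
    found = {}
    for name, body in re.findall(r"^\s*gateway\s+(\S+)\s*\{(.*?)\}", config, re.S | re.M):
        addr = re.search(r"^\s*address\s+(\S+);", body, re.M)
        ext = re.search(r"^\s*external-interface\s+(\S+);", body, re.M)
        if addr and ext:
            found[name] = (addr.group(1), ext.group(1))
    return found

def route_egress(route_output):
    """Interface of the selected next hop (the line marked with '>')."""
    m = re.search(r"^\s*>\s+(?:to\s+\S+\s+)?via\s+(\S+)", route_output, re.M)
    return m.group(1) if m else None

def logical(ifname):
    """Assumption: an interface written without a unit means unit 0."""
    return ifname if "." in ifname else ifname + ".0"

def check_gateway(name, config, route_output):
    """Apply the Step 3 decision to one gateway."""
    _peer, ext = ike_gateways(config)[name]
    egress = route_egress(route_output)
    if egress is None:
        return "no-route"        # no selected next hop toward the peer
    if logical(ext) == logical(egress):
        return "match"           # Step 3: Yes, no changes
    if ext.startswith("lo"):
        return "loopback"        # Step 3: loopback, no changes
    return "mismatch"            # Step 3: No, edit external-interface
print(check_gateway("gw_srx1", IKE_CONFIG, ROUTE_OUTPUT))
```
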
Modification History:
2020-02-25: minor non-technical edits.
