This article describes the issue of the st0 interfaces being up, even when the Physical Interface is down.
Environment:
- Route-based VPN using st0 interfaces.
- Optimized VPN monitoring must be configured.
- IKE must be set to aggressive mode.
- Dynamic-to-static site-to-site VPN connection, in which only Clients can send connection requests out to establish the IPsec tunnel to the Servers. Servers have no knowledge of their prospective Clients.
- A dynamic hostname must be set locally on the VPN Server as the method of IKE ID authentication.
- Tunnels must be set to establish immediately.
- SRX Junos OS 10.3R3.7, 10.4R1.9, 10.4R9.2, 11.2R6.3, 11.4R1.6 and 11.4R2.14
Topology:
SRX-A========Internet===========Remote Client
Configuration:
SRX-A
ike {
    proposal stand {
        authentication-method pre-shared-keys;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 180;
    }
    policy ike-policy-repro {
        mode aggressive;
        proposals stand;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway ike-gw-repro {
        ike-policy ike-policy-repro;
        dynamic hostname host1.example.com;
        no-nat-traversal;
        external-interface ge-0/0/2;
    }
}
ipsec {
    vpn-monitor-options {
        interval 10;
        threshold 8;
    }
    proposal stand {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 180;
    }
    policy stand {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals stand;
    }
    vpn ipsec-vpn-repro {
        bind-interface st0.1;
        vpn-monitor {
            optimized;
            source-interface ge-0/0/2;
            destination-ip 1.1.1.1;
        }
        ike {
            gateway ike-gw-repro;
            ipsec-policy stand;
        }
    }
}
The issue is that the physical interface is down, but st0.X is still shown as Up. The concern is that if the tunnel is down (i.e. no IKE or IPsec SA), why are the st0.X interfaces showing as Up?
In addition, a reboot does not fix the issue.
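To spot this condition from the box's own operational output, the following added script (not part of the Juniper article) parses captured text from "show interfaces terse" and "show security ipsec security-associations" and reports any st0 unit whose Link is Up while its external interface is Down and no IPsec SA is active. The st0-to-external-interface mapping and both sample outputs are constructed to mirror the configuration and topology above; an operator would substitute the real captures.

```python
"""Flag st0 units that report Link=up although their VPN has no active SA.

Added example, not from the Juniper article. It assumes the two CLI
outputs have already been captured as text (for example over SSH).
"""
import re

# Constructed from the article's configuration: vpn ipsec-vpn-repro binds
# st0.1, and its gateway ike-gw-repro uses external-interface ge-0/0/2.
VPN_BINDINGS = {
    "st0.1": {"vpn": "ipsec-vpn-repro", "external": "ge-0/0/2"},
}

# Constructed sample of 'show interfaces terse' while the uplink is down.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/2                up    down
ge-0/0/2.0              up    down inet     203.0.113.2/24
st0                     up    up
st0.1                   up    up   inet     10.10.10.1/30
"""

# Constructed sample of 'show security ipsec security-associations'
# with no tunnel established.
SAMPLE_SA = """\
  Total active tunnels: 0
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
"""


def parse_link_state(terse_output):
    """Return {interface: link_state} from 'show interfaces terse'."""
    states = {}
    for line in terse_output.splitlines():
        m = re.match(r"^(\S+)\s+(up|down)\s+(up|down)", line)
        if m:
            states[m.group(1)] = m.group(3)  # third column is Link
    return states


def parse_active_tunnels(sa_output):
    """Return the 'Total active tunnels' count, or 0 if the line is absent."""
    m = re.search(r"Total active tunnels:\s*(\d+)", sa_output)
    return int(m.group(1)) if m else 0


def find_stale_st0(terse_output, sa_output, bindings=VPN_BINDINGS):
    """st0 units with Link up, external interface down and zero active SAs."""
    links = parse_link_state(terse_output)
    tunnels = parse_active_tunnels(sa_output)
    return [unit for unit, b in bindings.items()
            if links.get(unit) == "up"
            and links.get(b["external"]) == "down"
            and tunnels == 0]


if __name__ == "__main__":
    for unit in find_stale_st0(SAMPLE_TERSE, SAMPLE_SA):
        print(f"{unit}: Link up, external interface down, no IPsec SA")
```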