
[SRX] How to bring up a Site to Site VPN with multiple IP addresses


Article ID: KB28037 | KB Last Updated: 18 Nov 2013 | Version: 1.0
Summary:

This article describes how to bring up a site to site VPN which has multiple IP addresses on the external interface on one of the peers. The solution is to use not only local and remote identities, but also to define the primary preferred address.

Symptoms:

Topology:

SRX1(ge-0/0/1.0)---------WAN Connectivity--------------(ge-0/0/0.0)SRX2

When the site-to-site VPN is established between the SRX devices, the VPN does not come up because one of the external interfaces has multiple IP addresses. The peer address configured on the remote device is negotiated against whichever of the many addresses configured on that interface the local device happens to pick, so the tunnel does not come up.

For example, assume ge-0/0/0.0 on SRX2 has the IP address 2.2.2.2/24, and ge-0/0/1.0 on SRX1 has the IP addresses 4.4.4.4/24, 4.4.4.5/24 and 4.4.4.6/24.

On SRX2 the peer address within the IKE gateway is 4.4.4.4. When Phase 1 negotiation occurs, SRX1 arbitrarily uses 4.4.4.5 as its IKE address rather than the configured address, 4.4.4.4, so the negotiation fails with a proposal mismatch error.

Cause:

This issue occurs because one of the peers has multiple addresses on its external interface, and the tunnel negotiation does not know which of those addresses to use, even though the peer address is configured in the gateway on the other side.

Solution:

The solution is to use not only local and remote identities, but also to define the primary preferred address, as shown below:

root@210-5# show interfaces ge-0/0/1.0
family inet {
    address 2.2.2.1/24;
    address 4.4.4.4/24 {
        primary;
        preferred;
    }
    address 4.4.4.5/24;
    address 4.4.4.6/24;
}

[edit security ike gateway g1]
root@210-5# show
ike-policy p1;
address 2.2.2.2;
local-identity inet 4.4.4.4;
remote-identity inet 2.2.2.2;

Thus, along with local-identity and remote-identity in the IKE gateway, the primary and preferred statements are required under the address on the interface, so that the address used as the local identity is also the address the device sources IKE from.
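The check below is an added example, not part of this article or of Junos itself: it parses the two "show" outputs above (constructed copies embedded inline, plus a copy of the interface stanza without the primary/preferred marking) and applies the article's rule, flagging a gateway whose local-identity address is not marked primary and preferred when the interface carries several addresses.

```python
import re

# Constructed samples in "show interfaces ge-0/0/1.0" / "show" output form:
# the article's fixed stanza, and the same stanza without primary/preferred.
INTERFACE_FIXED = """\
family inet {
    address 2.2.2.1/24;
    address 4.4.4.4/24 {
        primary;
        preferred;
    }
    address 4.4.4.5/24;
    address 4.4.4.6/24;
}
"""
INTERFACE_BEFORE = INTERFACE_FIXED.replace(
    " {\n        primary;\n        preferred;\n    }", ";")
GATEWAY = """\
ike-policy p1;
address 2.2.2.2;
local-identity inet 4.4.4.4;
remote-identity inet 2.2.2.2;
"""

def parse_inet_addresses(text):
    """Map each 'address x.x.x.x/len' to the statements inside its braces."""
    addrs, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"address (\S+?)(?:/\d+)?\s*([{;])$", line)
        if m:
            ip, opener = m.groups()
            addrs[ip] = set()          # bare 'address ...;' keeps an empty set
            current = ip if opener == "{" else None
        elif line == "}":
            current = None
        elif current and line.endswith(";"):
            addrs[current].add(line[:-1].strip())
    return addrs

def check_ike_source(interface_text, gateway_text):
    """Article's rule: with several inet addresses on the external interface,
    the local-identity address must carry both 'primary' and 'preferred'."""
    addrs = parse_inet_addresses(interface_text)
    m = re.search(r"^\s*local-identity inet (\S+);", gateway_text, re.M)
    local_id = m.group(1) if m else None
    if local_id not in addrs:
        return False, f"local-identity {local_id} is not an address on the interface"
    if len(addrs) > 1 and (missing := {"primary", "preferred"} - addrs[local_id]):
        return False, f"{local_id} lacks {sorted(missing)}; IKE may source elsewhere"
    return True, f"{local_id} is usable as the IKE source among {len(addrs)} address(es)"
```

Running check_ike_source(INTERFACE_BEFORE, GATEWAY) reports the missing statements, while the fixed stanza passes.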
