
[SRX] Example - Configuring site to site VPN redundancy with multiple addresses in the gateway


Article ID: KB29211 KB Last Updated: 25 Jun 2014Version: 1.0
Summary:

This article explains how redundancy in a site-to-site VPN can be achieved by configuring multiple addresses in the IKE gateway together with dead-peer-detection.

Symptoms:

How to use the different modes of dead-peer-detection for VPN failover.

Cause:

Solution:

The gateway for VPN redundancy can be configured with the following commands:

set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security ike policy p1 mode main
set security ike policy p1 proposal-set standard
set security ike policy p1 pre-shared-key ascii-text "$9$21oZjmfzCtOHqtO1RlegoJ"
set security ike gateway g1 ike-policy p1
set security ike gateway g1 address 2.2.2.1
set security ike gateway g1 address 3.3.3.1
set security ike gateway g1 dead-peer-detection interval 10
set security ike gateway g1 dead-peer-detection threshold 3
set security ike gateway g1 external-interface fe-0/0/0
set security ipsec policy p1 proposal-set standard
set security ipsec vpn v1 bind-interface st0.0
set security ipsec vpn v1 ike gateway g1
set security ipsec vpn v1 ike ipsec-policy p1
set security ipsec vpn v1 establish-tunnels immediately

The first address in the order of configuration is the one chosen to negotiate the tunnel:

gateway g1 {
    ike-policy p1;
    address [ 2.2.2.1 3.3.3.1 ];
    dead-peer-detection {
        interval 10;
        threshold 3;
    }
    external-interface fe-0/0/0;
}

The above configuration uses the default dead-peer-detection optimized mode. In this mode the device sends probes only when it has sent packets out to the peer (encrypted packets) but has received none back (decrypted packets) within the configured interval. With the values above, up to three probe packets are sent at 10-second intervals.

root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6770125 UP d570a30c806721ea ccc1572d2f763981 Main 2.2.2.1


root@srx# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 1debda06 3397/ unlim - root 500 2.2.2.1
>131073 ESP:3des/sha1 7a7dff24 3397/ unlim - root 500 2.2.2.1

As soon as the tunnel drops, dead-peer-detection comes into play. If no response is received from the peer within 30 seconds (interval 10 seconds x threshold 3 probes), failover takes place and the tunnel is negotiated with 3.3.3.1, and vice-versa.

root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6770151 UP 36a2e145e0fd2c10 b3abc0b135cf33fe Main 3.3.3.1

root@srx# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 2420b2bd 3598/ unlim - root 500 3.3.3.1
>131073 ESP:3des/sha1 5c8bb9da 3598/ unlim - root 500 3.3.3.1
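The failover described above can be confirmed from the same show-command output rather than by eye. The following script is an added example for this article, not Juniper code: it parses the "show security ike sa" and "show security ipsec sa" output exactly as printed above (the column layout of the regular expressions is an assumption taken from those lines), reports which of the configured gateway addresses currently holds the tunnel, checks that the IPsec SAs moved to the same peer as the IKE SA, and derives the worst-case failover time from the dead-peer-detection interval and threshold. All sample output and the address list are constructed from the article's own configuration.

```python
# Added example for this KB article (not Juniper code): parse the SRX
# 'show security ike sa' / 'show security ipsec sa' output shown above,
# report which configured gateway address currently holds the tunnel,
# and derive the DPD failover time from interval and threshold.
import re

# Constructed: the gateway addresses in configured order, matching
# 'set security ike gateway g1 address 2.2.2.1' then '... 3.3.3.1'.
GATEWAY_ADDRESSES = ["2.2.2.1", "3.3.3.1"]

# Constructed samples, copied from the article's show-command output.
IKE_SA_BEFORE = """\
Index State Initiator cookie Responder cookie Mode Remote Address
6770125 UP d570a30c806721ea ccc1572d2f763981 Main 2.2.2.1
"""
IKE_SA_AFTER = """\
Index State Initiator cookie Responder cookie Mode Remote Address
6770151 UP 36a2e145e0fd2c10 b3abc0b135cf33fe Main 3.3.3.1
"""
IPSEC_SA_AFTER = """\
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 2420b2bd 3598/ unlim - root 500 3.3.3.1
>131073 ESP:3des/sha1 5c8bb9da 3598/ unlim - root 500 3.3.3.1
"""

# Assumed column layout, taken from the output lines above.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IKE_ROW = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>" + IPV4 + r")$"
)
IPSEC_ROW = re.compile(
    r"^(?P<direction>[<>])(?P<id>\d+)\s+(?P<algorithm>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life_sec>\d*)/\s*(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gateway>" + IPV4 + r")$"
)


def parse_ike_sa(text):
    """Return one dict per IKE SA row; the header line does not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = IKE_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            rows.append(row)
    return rows


def parse_ipsec_sa(text):
    """Return one dict per IPsec SA row (inbound '<' and outbound '>' are separate rows)."""
    rows = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["id"] = int(row["id"])
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def active_gateway(ike_text, addresses=GATEWAY_ADDRESSES):
    """Return (remote_address, rank) for the first UP IKE SA, where rank 0 is the
    first configured address (the preferred peer) and -1 means an address that is
    not in the configured list. Returns None when no IKE SA is UP."""
    for sa in parse_ike_sa(ike_text):
        if sa["state"] == "UP":
            remote = sa["remote"]
            return remote, (addresses.index(remote) if remote in addresses else -1)
    return None


def dpd_failover_seconds(interval, threshold):
    """Worst-case time to declare the peer dead: 'threshold' unanswered probes,
    one every 'interval' seconds (10 * 3 = 30 for the article's configuration)."""
    return interval * threshold


def tunnel_consistent(ike_text, ipsec_text):
    """True when every IPsec SA terminates on the same peer as the UP IKE SA,
    i.e. the Phase 2 SAs really did move with the Phase 1 failover."""
    active = active_gateway(ike_text)
    if active is None:
        return False
    return all(row["gateway"] == active[0] for row in parse_ipsec_sa(ipsec_text))


def failover_event(ike_before, ike_after, addresses=GATEWAY_ADDRESSES):
    """Compare two snapshots; return (old_peer, new_peer) when the tunnel moved to a
    different gateway, or None when nothing changed. A move back to rank 0 is the
    'vice-versa' case described in the article."""
    before = active_gateway(ike_before, addresses)
    after = active_gateway(ike_after, addresses)
    if before is None or after is None or before[0] == after[0]:
        return None
    return before[0], after[0]


if __name__ == "__main__":
    print("active before:", active_gateway(IKE_SA_BEFORE))
    print("active after:", active_gateway(IKE_SA_AFTER))
    print("failover:", failover_event(IKE_SA_BEFORE, IKE_SA_AFTER))
    print("DPD failover seconds:", dpd_failover_seconds(10, 3))
    print("ipsec consistent with ike:", tunnel_consistent(IKE_SA_AFTER, IPSEC_SA_AFTER))
```

Run periodically against live output (for example collected over NETCONF or SSH), a rank other than 0 from active_gateway is the signal that the tunnel is running on the backup peer and the primary has not been restored, and a False from tunnel_consistent indicates Phase 2 SAs still bound to the old peer after a Phase 1 failover.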

Always-Send mode for dead-peer-detection:

To instruct the device to send dead-peer-detection requests regardless of whether there is outgoing IPsec traffic to the peer, the following command is also needed:

set security ike gateway g1 dead-peer-detection always-send