Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring L2 HA Link Encryption tunnel

 

  • Physically connect the two devices and ensure that they are the same models.

  • Connect the dedicated control ports on node 0 and node 1.

  • Connect the user defined fabricated ports on node 0 and node 1.

To configure two chassis in cluster mode, follow the below steps.

  1. Zeroize both the SRX devices before you use for cluster. If the devices are already in cluster mode please make sure you disable them before zeroize.

    For information on how to disable chassis cluster, see Disabling a Chassis Cluster

  2. Delete the web management services.

    user@host# delete system services web-management https

  3. Configure FIPS mode and bring up the devices in FIPS mode.
    [edit]
    user@host# set groups global system fips level 2


    [edit]
    user@host# set groups global system root-authentication plain-textpassword
    New password: type password here
    Retype new password: retype password here


    [edit]
    user@host# commit
    user@host> request system reboot
  4. Configure device 1 with standard cluster commands for operating in cluster mode as node0.
    [edit]
    user@host# set groups node0 system host-name node0-host-name
    user@host# set groups node0 system backup-router gateway-address
    user@host# set groups node0 system backup-router destination value
    user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
    user@host# set groups node1 system host-name node1-host-name
    user@host# set groups node1 system backup-router gateway-address
    user@host# set groups node1 system backup-router destination value
    user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
    user@host# set apply-groups global
    user@host# set apply-groups “$(node)
    user@host# delete apply-groups re0
    user@host# set system ports console log-out-on-disconnect
    user@host# set chassis cluster reth-count 5
    user@host# set chassis cluster redundancy-group 0 node 0 priority 254
    user@host# set chassis cluster redundancy-group 0 node 1 priority 1
    user@host# commit
    user@host> set chassis cluster cluster-id 1 node 0 reboot

    See https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

  5. After the device 1 is up, configure HA link encryption as shown in sample configuration below, commit and reboot. device 1 needs to be configured with both node0 and node1 HA link encryption configuration before commit and reboot.
    [edit]
    user@host# set groups node0 security ike traceoptions file ikelog
    user@host# set groups node0 security ike traceoptions file size 100m
    user@host# set groups node0 security ike traceoptions flag all
    user@host# set groups node0 security ike traceoptions level 15
    user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
    user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
    user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
    user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
    user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text

    New ascii-text (secret): juniper

    Retype new ascii-text (secret): juniper

    user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
    user@host# set groups node0 security ike gateway S2S_GW version v2-only
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
    user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
    user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
    user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
    user@host# set groups node1 security ike traceoptions file ikelog
    user@host# set groups node1 security ike traceoptions file size 100m
    user@host# set groups node1 security ike traceoptions flag all
    user@host# set groups node1 security ike traceoptions level 15
    user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
    user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
    user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
    user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
    user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text

    New ascii-text (secret): juniper

    Retype new ascii-text (secret): juniper

    user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
    user@host# set groups node1 security ike gateway S2S_GW version v2-only
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
    user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
    user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
    user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
    user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3
    user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3
    user@host# commit
    user@host>request system reboot
  6. To proceed further with device 2 configuration and commit, you need to ensure device1 and device 2 are not reachable to each other. One way to achieve this is to power off device 1 at this point.
  7. Configure device 2 with standard cluster command for operating in cluster mode as node1
    [edit]
    user@host# set groups node0 system host-name node0-host-name
    user@host# set groups node0 system backup-router gateway-address
    user@host# set groups node0 system backup-router destination value
    user@host# set groups node0 interfaces fxp0 unit 0 family inet address node0-ip-address
    user@host# set groups node1 system host-name node1-host-name
    user@host# set groups node1 system backup-router gateway-address
    user@host# set groups node1 system backup-router destination value
    user@host# set groups node1 interfaces fxp0 unit 0 family inet address node1-ip-address
    user@host# set apply-groups global
    user@host# set apply-groups “$(node)”
    user@host# delete apply-groups re0
    user@host# set system ports console log-out-on-disconnect
    user@host# set chassis cluster reth-count 5
    user@host# set chassis cluster redundancy-group 0 node 0 priority 254
    user@host# set chassis cluster redundancy-group 0 node 1 priority 1
    user@host# commit
    user@host> set chassis cluster cluster-id 1 node 1 reboot

    See https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

  8. After the device 2 is up, configure HA link encryption as shown in sample configuration below on device 2. Device 2 needs to be configured with both node0 and node1 HA link encryption configuration. Commit on node1 (device 2), and finally reboot node1 (device 2).
    [edit]
    user@host# set groups node0 security ike traceoptions file ikelog
    user@host# set groups node0 security ike traceoptions file size 100m
    user@host# set groups node0 security ike traceoptions flag all
    user@host# set groups node0 security ike traceoptions level 15
    user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
    user@host# set groups node0 security ike proposal IKE_PROP_PSK dh-group group20
    user@host# set groups node0 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
    user@host# set groups node0 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node0 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
    user@host# prompt groups node0 security ike policy IKE_POL_PSK pre-shared-key ascii-text

    New ascii-text (secret): juniper

    Retype new ascii-text (secret): juniper

    user@host# set groups node0 security ike gateway S2S_GW ike-policy IKE_POL_PSK
    user@host# set groups node0 security ike gateway S2S_GW version v2-only
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK protocol esp
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node0 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
    user@host# set groups node0 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
    user@host# set groups node0 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
    user@host# set groups node0 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node0 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node0 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
    user@host# set groups node1 security ike traceoptions file ikelog
    user@host# set groups node1 security ike traceoptions file size 100m
    user@host# set groups node1 security ike traceoptions flag all
    user@host# set groups node1 security ike traceoptions level 15
    user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-method pre-shared-keys
    user@host# set groups node1 security ike proposal IKE_PROP_PSK dh-group group20
    user@host# set groups node1 security ike proposal IKE_PROP_PSK authentication-algorithm sha-256
    user@host# set groups node1 security ike proposal IKE_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node1 security ike policy IKE_POL_PSK proposals IKE_PROP_PSK
    user@host# prompt groups node1 security ike policy IKE_POL_PSK pre-shared-key ascii-text

    New ascii-text (secret): juniper

    Retype new ascii-text (secret): juniper

    user@host# set groups node1 security ike gateway S2S_GW ike-policy IKE_POL_PSK
    user@host# set groups node1 security ike gateway S2S_GW version v2-only
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK protocol esp
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK authentication-algorithm hmac-sha1-96
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK encryption-algorithm aes-256-cbc
    user@host# set groups node1 security ipsec proposal IPSEC_PROP_PSK lifetime-seconds 200
    user@host# set groups node1 security ipsec policy IPSEC_POL_PSK perfect-forward-secrecy keys group20
    user@host# set groups node1 security ipsec policy IPSEC_POL_PSK proposals IPSEC_PROP_PSK
    user@host# set groups node1 security ipsec vpn S2S_VPN ha-link-encryption
    user@host# set groups node1 security ipsec vpn S2S_VPN ike gateway S2S_GW
    user@host# set groups node1 security ipsec vpn S2S_VPN ike ipsec-policy IPSEC_POL_PSK
    user@host# set groups global interfaces fab0 fabric-options member-interfaces ge-0/0/3
    user@host# set groups global interfaces fab1 fabric-options member-interfaces ge-5/0/3
    user@host# commit
    user@host> request system reboot
  9. Power ON node0 (device 1).
  10. Both the nodes will be in cluster mode with HA link encryption enabled.Note

    To enable HA link encryption on node1 in step 6, the other node needs to be in lost state for the commit to go through. So this timing needs to be taken care by you, else step 6 needs to be redone until enabling HA link encryption on node1 commit goes through.