Support for VPN on HA Nodes in Multinode High Availability Solution
The VPN service is enabled automatically when you enable active/backup mode with the set chassis high-availability services-redundancy-group 1 command. The multinode high availability solution synchronizes IKE negotiations from the active node to the backup node. The inter-chassis link (ICL) connects the active and backup nodes and carries the synchronization data. See Multinode High Availability.
The IPsec feature is supported on multinode HA. IPsec runs actively on one node (the active node) and can fail over to the secondary node (the backup node). IKE negotiations occur on the active node, and the resulting states are synchronized to the backup node. After synchronization, the backup node is ready to take over the active role and continues without bringing down the tunnels after a switchover. You can run the show commands on both the active and backup nodes to display the status of the IKE and IPsec security associations. You can delete the IKE and IPsec security associations only on the active node.
When you enable the multinode high availability feature, dynamic CA profiles are loaded only on the node that performs the IKE negotiation. If a failover occurs, the new active node performs a new IKE negotiation and loads the dynamic CA certificates as part of that negotiation. When PKID restarts, dynamic CA certificates are deleted only from the node on which PKID was restarted.
The following scenario describes how to enable VPN in active/backup mode in the Multinode High Availability solution. First, you must configure SRG1 to enable active/backup mode in Multinode High Availability.
Ensure that the tunnels are anchored on the lo0 interface. To do this, configure the IKE tunnel endpoint IP address on the local lo0.x interface (where 'x' is the interface subunit) on both the active and backup devices; this IP address is called the floating IP. The lo0.x interface is then configured as the external interface for the IKE gateway, and the floating IP is configured as the local address. The route for this floating IP address on the adjacent routers points to the active device. This ensures that, at any given time, the IKE negotiation is initiated from the active device.
Figure 1 shows both active and backup SRX Series devices with floating IP address.
The following steps configure VPN and assign the same floating IP address to the active and backup nodes. Note that in this example, the loopback interface (lo0.0) is used as the external interface and the loopback address (18.104.22.168) is assigned as the local address.
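As an added illustration of the anchoring described above (this is not configuration taken from the original page or from Juniper's own examples), the following Junos set commands place the floating IP 18.104.22.168 on lo0.0 and use lo0.0 as the IKE gateway external interface with the floating IP as the local address. The same interface, IKE, and IPsec stanzas are applied on both the active and backup nodes. The SRG1 and ICL configuration is assumed to be already in place and is not shown. The peer address 192.0.2.1, the proposal, policy, gateway and VPN names, the st0.0 tunnel interface, and the pre-shared key placeholder are all constructed for this example; the lines beginning with # are explanatory annotations, not part of the configuration.

```junos
# Floating IP anchored on lo0.0 (identical on the active and backup node)
set interfaces lo0 unit 0 family inet address 18.104.22.168/32

# Tunnel interface for a route-based VPN (name assumed for this example)
set interfaces st0 unit 0 family inet

# IKE proposal and policy (values constructed for this example)
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<placeholder-psk>"

# IKE gateway: lo0.0 is the external interface, the floating IP is the local address
set security ike gateway GW-PEER ike-policy IKE-POL
set security ike gateway GW-PEER address 192.0.2.1
set security ike gateway GW-PEER external-interface lo0.0
set security ike gateway GW-PEER local-address 18.104.22.168
set security ike gateway GW-PEER version v2-only

# IPsec proposal, policy, and VPN bound to st0.0 and the gateway above
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-PEER bind-interface st0.0
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PEER establish-tunnels immediately
```

Because the adjacent routers route 18.104.22.168 toward whichever node is active, only the active node initiates IKE; after commit, the standard Junos operational commands show security ike security-associations and show security ipsec security-associations (named here as the usual commands, not quoted from this page) can be run on both nodes to confirm that the backup node holds the synchronized SA state, while clear security ike security-associations should be issued only on the active node, as the text above requires.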