IPsec VPN Tunnels with Chassis Clusters
SRX Series devices support IPsec VPN tunnels in a chassis cluster setup. In an active/passive chassis cluster, all VPN tunnels terminate on the same node. In an active/active chassis cluster, VPN tunnels can terminate on either node.
Understanding Dual Active-Backup IPsec VPN Chassis Clusters
In an active/passive chassis cluster, all VPN tunnels terminate on the same node, as shown in Figure 1.
In an active/active chassis cluster, VPN tunnels can terminate on either node. Both nodes in the chassis cluster can actively pass traffic through VPN tunnels on both nodes at the same time, as shown in Figure 2. This deployment is known as dual active-backup IPsec VPN chassis clusters.
The following features are supported with dual active-backup IPsec VPN chassis clusters:
Route-based VPNs only. Policy-based VPNs are not supported.
IKEv1 and IKEv2.
Digital certificate or preshared key authentication.
IKE and secure tunnel interfaces (st0) in virtual routers.
Network Address Translation-Traversal (NAT-T).
Dead peer detection.
In-service software upgrade (ISSU).
Insertion of Services Processing Cards (SPCs) on a chassis cluster device without disrupting the traffic on the existing VPN tunnels. See Understanding VPN Support for Inserting Services Processing Cards.
Dynamic routing protocols.
Secure tunnel interfaces (st0) configured in point-to-multipoint mode.
AutoVPN with st0 interfaces in point-to-point mode with traffic selectors.
IPv4-in-IPv4, IPv6-in-IPv4, IPv6-in-IPv6 and IPv4-in-IPv6 tunnel modes.
The loopback interface can be configured as the external interface for the VPN.
Dual active-backup IPsec VPN chassis clusters cannot be configured with Z-mode flows. Z-mode flows occur when traffic enters an interface on a chassis cluster node, passes through the fabric link, and exits through an interface on the other cluster node.
Example: Configuring Redundancy Groups for Loopback Interfaces
This example shows how to configure a redundancy group (RG) for a loopback interface in order to prevent VPN failure. Redundancy groups bundle interfaces into a group for failover purposes in a chassis cluster setup.
This example uses the following hardware and software:
A pair of supported chassis cluster SRX Series devices
An SSG140 device or equivalent
Junos OS Release 12.1x44-D10 or later for SRX Series Services Gateways
Before you begin:
Understand chassis cluster redundant Ethernet interfaces. See Chassis Cluster User Guide for SRX Series Devices.
An Internet Key Exchange (IKE) gateway needs an external interface to communicate with a peer device. In a chassis cluster setup, the node on which the external interface is active selects a Services Processing Unit (SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that SPU. Therefore, the active external interface decides the anchor SPU.
In a chassis cluster setup, the external interface is a redundant Ethernet interface. A redundant Ethernet interface can go down when its physical (child) interfaces are down. You can configure a loopback interface as an alternative physical interface to reach the peer gateway. Loopback interfaces can be configured on any redundancy group. This redundancy group configuration is only checked for VPN packets, because only VPN packets must find the anchor SPU through the active interface.
You must configure lo0.x in a custom virtual router, since lo0.0 is in the default virtual router and only one loopback interface is allowed in a virtual router.
Figure 3 shows an example of a loopback chassis cluster VPN topology. In this topology, the SRX Series chassis cluster is located in Sunnyvale, California, and works as a single gateway. The SSG Series device (or a third-party device) is located in Chicago, Illinois. This device acts as the peer of the SRX chassis cluster and terminates the other end of the VPN tunnel.
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the  hierarchy level, and then enter commit from configuration mode.
To configure a redundancy group for a loopback interface:
- Configure the loopback interface in one redundancy group.
  [edit interfaces]
  user@host# set lo0 redundant-pseudo-interface-options redundancy-group 1
- Configure the IP address for the loopback interface.
  [edit interfaces]
  user@host# set lo0 unit 1 family inet address 10.3.3.3/30
- Configure routing options.
  [edit routing-instances]
  user@host# set vr1 instance-type virtual-router
  user@host# set vr1 interface lo0.1
  user@host# set vr1 interface reth0.0
  user@host# set vr1 interface reth1.0
  user@host# set vr1 interface st0.0
  user@host# set vr1 routing-options static route 192.168.168.1/24 next-hop st0.0
- Configure the loopback interface as an external interface for the IKE gateway.
  [edit security ike]
  user@host# set policy ike-policy1 mode main
  user@host# set policy ike-policy1 proposal-set standard
  user@host# set policy ike-policy1 pre-shared-key ascii-text "$ABC123"
  user@host# set gateway t-ike-gate ike-policy ike-policy1
  user@host# set gateway t-ike-gate address 10.2.2.2
  user@host# set gateway t-ike-gate external-interface lo0.1
- Configure an IPsec proposal.
  [edit security ipsec]
  user@host# set proposal p2-std-p1 authentication-algorithm hmac-sha1-96
  user@host# set proposal p2-std-p1 encryption-algorithm 3des-cbc
  user@host# set proposal p2-std-p1 lifetime-seconds 180
  user@host# set proposal p2-std-p2 authentication-algorithm hmac-sha1-96
  user@host# set proposal p2-std-p2 encryption-algorithm aes-128-cbc
  user@host# set proposal p2-std-p2 lifetime-seconds 180
  user@host# set policy vpn-policy1 perfect-forward-secrecy keys group2
  user@host# set policy vpn-policy1 proposals p2-std-p1
  user@host# set policy vpn-policy1 proposals p2-std-p2
  user@host# set vpn t-ike-vpn bind-interface st0.0
  user@host# set vpn t-ike-vpn ike gateway t-ike-gate
  user@host# set vpn t-ike-vpn ike proxy-identity local 10.10.10.1/24
  user@host# set vpn t-ike-vpn ike proxy-identity remote 192.168.168.1/24
  user@host# set vpn t-ike-vpn ike ipsec-policy vpn-policy1
From configuration mode, confirm your configuration by entering the show interfaces lo0, show routing-instances, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
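The constraints stated above (lo0 must be in a redundancy group, the IKE external interface must be a lo0.x unit in a custom virtual router, and a virtual router may hold only one loopback unit) can be checked offline against the set commands before committing. The following validator is an added example, not Juniper code; the sample configuration is the commands from this example rewritten as full "set ..." statements, and the rule set is an assumption drawn from this page only.

```python
from collections import defaultdict

# Constructed sample: this example's commands expanded to full set paths.
SAMPLE_CONFIG = """
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set interfaces lo0 unit 1 family inet address 10.3.3.3/30
set routing-instances vr1 instance-type virtual-router
set routing-instances vr1 interface lo0.1
set routing-instances vr1 interface reth0.0
set routing-instances vr1 interface reth1.0
set routing-instances vr1 interface st0.0
set security ike gateway t-ike-gate external-interface lo0.1
set security ipsec vpn t-ike-vpn bind-interface st0.0
"""

def parse_set_lines(text):
    """Split each 'set ...' line into its path tokens (the leading 'set' dropped)."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def check_loopback_external_interface(text):
    """Return a list of findings; an empty list means the loopback rules hold."""
    lo_rg = None           # redundancy group assigned to lo0, if any
    vr_of_iface = {}       # interface unit -> custom virtual router holding it
    gateways = {}          # IKE gateway name -> external-interface
    for s in parse_set_lines(text):
        if s[:4] == ["interfaces", "lo0", "redundant-pseudo-interface-options", "redundancy-group"]:
            lo_rg = s[4]
        elif s[0] == "routing-instances" and len(s) >= 4 and s[2] == "interface":
            vr_of_iface[s[3]] = s[1]
        elif s[:3] == ["security", "ike", "gateway"] and len(s) >= 6 and s[4] == "external-interface":
            gateways[s[3]] = s[5]
    findings = []
    for gw, ext in gateways.items():
        if not ext.startswith("lo0."):
            continue  # reth external interfaces are outside these rules
        if lo_rg is None:
            findings.append(f"{gw}: lo0 is not assigned to a redundancy group")
        # lo0.0 lives in the default virtual router, so it never appears in a routing-instance
        if ext == "lo0.0" or ext not in vr_of_iface:
            findings.append(f"{gw}: {ext} must be a lo0.x unit placed in a custom virtual router")
    lo_by_vr = defaultdict(list)
    for iface, vr in vr_of_iface.items():
        if iface.startswith("lo0."):
            lo_by_vr[vr].append(iface)
    for vr, units in lo_by_vr.items():
        if len(units) > 1:
            findings.append(f"{vr}: only one loopback unit is allowed, found {', '.join(units)}")
    return findings

if __name__ == "__main__":
    print(check_loopback_external_interface(SAMPLE_CONFIG) or "ok")
```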
Verifying the Configuration
Verify that the configuration for redundancy groups for loopback interfaces is correct.
From operational mode, enter the show chassis cluster interfaces command.
The show chassis cluster interfaces command displays information about the chassis cluster interfaces. If the Redundant-pseudo-interface Information field shows the lo0 interface as Up, and the Redundant-ethernet Information field shows reth0, reth1, and reth2 as Up, then your configuration is correct.