
IPsec VPN Tunnels with Chassis Clusters

SRX Series Firewalls support IPsec VPN tunnels in a chassis cluster setup. In an active/passive chassis cluster, all VPN tunnels terminate on the same node. In an active/active chassis cluster, VPN tunnels can terminate on either node.

Understanding Dual Active-Backup IPsec VPN Chassis Clusters

In an active/passive chassis cluster, all VPN tunnels terminate on the same node, as shown in Figure 1.

Figure 1: Active/Passive Chassis Cluster with IPsec VPN Tunnels

In an active/active chassis cluster, VPN tunnels can terminate on either node. Both nodes in the chassis cluster can actively pass traffic through VPN tunnels on both nodes at the same time, as shown in Figure 2. This deployment is known as dual active-backup IPsec VPN chassis clusters.

Figure 2: Dual Active-Backup IPsec VPN Chassis Clusters

The following features are supported with dual active-backup IPsec VPN chassis clusters:

  • Route-based VPNs only. Policy-based VPNs are not supported.

  • IKEv1 and IKEv2.

  • Digital certificate or preshared key authentication.

  • IKE and secure tunnel interfaces (st0) in virtual routers.

  • Network Address Translation-Traversal (NAT-T).

  • VPN monitoring.

  • Dead peer detection.

  • In-service software upgrade (ISSU).

  • Insertion of Services Processing Cards (SPCs) on a chassis cluster device without disrupting the traffic on the existing VPN tunnels. See VPN Support for Inserting Services Processing Cards.

  • Dynamic routing protocols.

  • Secure tunnel interfaces (st0) configured in point-to-multipoint mode.

  • AutoVPN with st0 interfaces in point-to-point mode with traffic selectors.

  • IPv4-in-IPv4, IPv6-in-IPv4, IPv6-in-IPv6 and IPv4-in-IPv6 tunnel modes.

  • Fragmented traffic.

  • The loopback interface can be configured as the external interface for the VPN.

Dual active-backup IPsec VPN chassis clusters cannot be configured with Z-mode flows. Z-mode flows occur when traffic enters an interface on a chassis cluster node, passes through the fabric link, and exits through an interface on the other cluster node.

Example: Configuring Redundancy Groups for Loopback Interfaces

This example shows how to configure a redundancy group (RG) for a loopback interface in order to prevent VPN failure. Redundancy groups bundle interfaces into a group for failover purposes in a chassis cluster setup.

Requirements

This example uses the following hardware and software:

  • A pair of supported chassis cluster SRX Series Firewalls

  • An SSG140 device or equivalent

  • Two switches

  • Junos OS Release 12.1x44-D10 or later for SRX Series Firewalls

Before you begin:

Understand chassis cluster redundant Ethernet interfaces. See Chassis Cluster User Guide for SRX Series Devices.

Overview

An Internet Key Exchange (IKE) gateway needs an external interface to communicate with a peer device. In a chassis cluster setup, the node on which the external interface is active selects a Services Processing Unit (SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that SPU. Therefore, the active external interface decides the anchor SPU.

In a chassis cluster setup, the external interface is a redundant Ethernet interface. A redundant Ethernet interface can go down when its physical (child) interfaces are down. You can configure a loopback interface as an alternative physical interface to reach the peer gateway. Loopback interfaces can be configured on any redundancy group. This redundancy group configuration is only checked for VPN packets, because only VPN packets must find the anchor SPU through the active interface.

You must configure lo0.x in a custom virtual router, since lo0.0 is in the default virtual router and only one loopback interface is allowed in a virtual router.

Figure 3 shows an example of a loopback chassis cluster VPN topology. In this topology, the SRX Series Firewall chassis cluster device is located in Sunnyvale, California. The SRX Series Firewall chassis cluster device works as a single gateway in this setup. The SSG Series device (or a third-party device) is located in Chicago, Illinois. This device acts as the peer of the SRX chassis cluster, and the VPN tunnel is built between the two.

Figure 3: Loopback Interface for Chassis Cluster VPN

Configuration

Procedure

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure a redundancy group for a loopback interface:

  1. Configure the loopback interface in one redundancy group.

  2. Configure the IP address for the loopback interface.

  3. Configure routing options.

  4. Configure the loopback interface as an external interface for the IKE gateway.

  5. Configure an IPsec proposal.
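The five steps above written out as Junos set commands, as an added illustration rather than the page's own CLI quick configuration; the addresses, the virtual router name vpn-vr, the gateway and VPN names, reth1 as the data-plane interface, and the pre-shared key placeholder are all assumptions and must be replaced with your own values.

```junos
# Step 1: place lo0 in redundancy group 1 so the loopback follows the RG failover
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1

# Step 2: lo0.1 (not lo0.0) carries the address the peer talks to (constructed address)
set interfaces lo0 unit 1 family inet address 203.0.113.10/32

# Step 3: lo0.1, the reth facing the peer, and st0 live in a custom virtual router
# (only one loopback unit is allowed per virtual router; lo0.0 stays in the default VR)
set routing-instances vpn-vr instance-type virtual-router
set routing-instances vpn-vr interface lo0.1
set routing-instances vpn-vr interface reth1.0
set routing-instances vpn-vr interface st0.0
set routing-instances vpn-vr routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Step 4: IKE proposal, policy and gateway; the loopback is the IKE external interface,
# so the node on which RG1 is active anchors the SPU for this tunnel
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "<PSK-PLACEHOLDER>"
set security ike gateway gw-chicago ike-policy ike-pol
set security ike gateway gw-chicago address 198.51.100.20
set security ike gateway gw-chicago external-interface lo0.1

# Step 5: IPsec proposal and policy, bound to the route-based st0.0 interface
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-chicago bind-interface st0.0
set security ipsec vpn vpn-chicago ike gateway gw-chicago
set security ipsec vpn vpn-chicago ike ipsec-policy ipsec-pol
set interfaces st0 unit 0 family inet
```

After committing, confirm with show chassis cluster interfaces that lo0 appears as Up under Redundant-pseudo-interface Information on the node where RG1 is primary.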

Results

From configuration mode, confirm your configuration by entering the show interfaces lo0, show routing-instances, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify that the configuration for redundancy groups for loopback interfaces is correct.

Action

From operational mode, enter the show chassis cluster interfaces command.

Meaning

The show chassis cluster interfaces command displays the chassis cluster interface information. If the Redundant-pseudo-interface Information field shows the lo0 interface as Up, and the Redundant-ethernet Information field shows reth0, reth1, and reth2 as Up, then your configuration is correct.