IPsec VPN Traffic Flow in Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
In this topic, you’ll see how IPsec traffic flows through a single MX Series router that uses ECMP-based consistent-hashing load balancing with standalone SRX Series Firewalls.
In this topology, you must:
- Configure a single MX Series with two interfaces for the IPSEC VR and INTERNET routing instances.
- Configure AutoVPN on the SRX Series Firewalls, using the same anycast IP address, hosted on the loopback interface, as the IKE endpoint IP address. Ensure that all the SRX Series Firewalls are in IPsec responder-only mode.
- The IPsec tunnels initiated from the IPsec initiator behind the MX Series use the same SRX Series Firewall IKE endpoint IP address with unique traffic selectors. The SRX Series Firewall uses the same traffic selector to install unique Auto Route Insertion (ARI) routes that attract the return data traffic from the server to the correct IPsec tunnel. ARI automatically inserts a static route for the remote network from the INTERNET side. The route is created from the remote IP address configured in the traffic selector and is inserted into the IPSEC VR routing instance. See Understanding Auto Route Insertion.
- Configure the forwarding table with a load-balancing policy that uses a source hash for the anycast IP route. The MX Series receives the anycast IP route on the IPSEC VR instance, and the route is advertised using eBGP to the MX Series on the IPSEC VR side. The MX Series imports these routes into the IPSEC VR instance using the load-balancing consistent-hash policy.
- The MX Series on the TRUST side has ECMP routes for the anycast IP address.
Figure 1 illustrates the step-by-step traffic flow.
Figure 1: IPsec Traffic Flow with Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone)
The MX Series is a single router configured with multiple logical interfaces towards the scaled-out SRX Series Firewalls in both the IPSEC VR and INTERNET VR directions.
- The IKE traffic initiated from the IPsec initiator router reaches the MX Series on the IPSEC VR instance and matches the ECMP anycast IP route. The traffic takes one of the ECMP next hops to the SRX Series Firewalls based on the hash value calculated from the source IP address.
- The SRX Series Firewall anchors the IKE session and installs the ARI route. The SRX Series Firewall advertises the ARI route towards the INTERNET instance of the MX Series router.
- The clients connected to the IPsec initiator router initiate traffic that passes through the IPsec VPN tunnel and reaches the anchored IPsec tunnel on the SRX Series Firewall. The clear-text packets leaving the IPsec VPN tunnel are routed towards the INTERNET direction to reach the server.
- The IPsec data reply traffic from the server to the client reaches the MX Series on the INTERNET instance and is routed through the unique ARI route to the SRX Series Firewall where the tunnel is anchored.
- The SRX Series Firewall encrypts and sends the traffic over the tunnel to the IPsec initiator and then to the client.
- When an SRX Series Firewall goes down, consistent hashing on the MX Series router ensures that the sessions on the other SRX Series Firewalls are not disturbed; only the IPsec sessions on the impacted SRX Series Firewall are redistributed and might start a new session. DPD timers ensure that traffic is redistributed on an SRX Series Firewall failure or a link failure.
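The failure behaviour in the last step is the property consistent hashing provides: when one next hop disappears, only the flows that were hashed to it move. The following added example (not code from this Juniper page; the SRX names, initiator addresses and the simplified hash ring are constructed for illustration) models a source-IP consistent-hash ECMP route beside a plain hash-modulo route and reports which initiators would be re-anchored when one SRX Series Firewall fails.

```python
"""Constructed model of source-IP consistent hashing for an ECMP anycast route."""
import hashlib
from bisect import bisect_right


def _hash(key: str) -> int:
    """Stable 64-bit hash of a string (stand-in for the router's hash function)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class ConsistentHashEcmp:
    """ECMP next-hop selection by consistent hashing on the source IP (hypothetical model)."""

    def __init__(self, next_hops, vnodes=64):
        self.vnodes = vnodes
        self.ring = []  # sorted (hash point, next-hop) pairs
        for nh in next_hops:
            self.add(nh)

    def add(self, nh):
        self.ring += [(_hash(f"{nh}#{i}"), nh) for i in range(self.vnodes)]
        self.ring.sort()

    def remove(self, nh):
        # Removing an SRX only frees its own points; the other points keep their owners.
        self.ring = [entry for entry in self.ring if entry[1] != nh]

    def select(self, src_ip):
        # Only the source IP feeds the hash, so one initiator always lands on one SRX.
        idx = bisect_right(self.ring, (_hash(src_ip), "")) % len(self.ring)
        return self.ring[idx][1]


def modulo_select(next_hops, src_ip):
    """Plain hash-modulo ECMP for comparison: renumbers every next hop when one is removed."""
    return next_hops[_hash(src_ip) % len(next_hops)]


def failure_impact(initiators, srx_hops, failed):
    """Which initiators change SRX under each scheme when 'failed' goes down."""
    ring = ConsistentHashEcmp(srx_hops)
    before_ch = {ip: ring.select(ip) for ip in initiators}
    ring.remove(failed)
    after_ch = {ip: ring.select(ip) for ip in initiators}
    survivors = [hop for hop in srx_hops if hop != failed]
    before_mod = {ip: modulo_select(srx_hops, ip) for ip in initiators}
    after_mod = {ip: modulo_select(survivors, ip) for ip in initiators}

    def moved(before, after):
        return {ip for ip in before if before[ip] != after[ip]}

    return {"consistent": moved(before_ch, after_ch), "modulo": moved(before_mod, after_mod),
            "before_consistent": before_ch, "before_modulo": before_mod}
```

Running `failure_impact` over a few hundred constructed initiator addresses shows that the consistent-hash set of moved initiators is exactly the set that was anchored on the failed SRX, which is what keeps the other tunnels undisturbed.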