IPsec VPN Support in Multinode High Availability
IPsec VPN in Active-Backup Mode
SRX Series devices support IPsec VPN tunnels in a Multinode High Availability setup. Before Junos OS Release 22.4R1, IPsec VPN tunnels anchor to SRG1, which operates in stateful active/backup mode. In this mode, all VPN tunnels terminate on the device where SRG1 is active.
Multinode High Availability establishes IPsec tunnels and performs key exchanges by:
- Using the floating IP address of the active SRG1 as the tunnel termination IP in a routing deployment, and using the virtual IP (VIP), which floats between the two devices, as the termination IP in a switching deployment.
- Generating the CA profile on the node where SRG1 is active when a dynamic CA profile is needed to authenticate tunnel establishment.
- After a failover, re-authenticating and loading the dynamic profile on the newly active node and clearing it on the previously active node.
Although you can run the show commands on both the active and backup nodes to display the status of IKE and IPsec security associations, you can clear (delete) the IKE and IPsec security associations only on the active node (for example, with the clear security ike security-associations and clear security ipsec security-associations commands).
In releases before 22.4R1, the VPN service is automatically enabled when you enable active/backup mode using the set chassis high-availability services-redundancy-group 1 command. See the configuration example for more details.
PKI files are synchronized to the peer node only if you enable link encryption for the ICL.
We recommend the following sequence when you configure VPN with Multinode High Availability on your security device:
- On the backup node, configure the security IKE gateway, the IPsec VPN, the st0.x interface, and the security zones, and then commit the configuration.
- On the active node, configure the security IKE gateway, the IPsec VPN, the st0.x interface, the security zones, and the static route, and then commit the configuration.
If you do not use the commit synchronize option, you must commit the configuration on the backup node before committing the configuration on the active node.
Process Packets on Backup Node
When you use the process-packet-on-backup option in Multinode High Availability, the Packet Forwarding Engine (PFE) forwards packets on the backup node for the corresponding SRG. With this option, the backup node processes VPN packets even when it is not in the active role, which eliminates the delay when the backup node transitions to the active role after a failover; packet processing continues throughout the transition.
You configure this option on an SRG1 using the set chassis high-availability services-redundancy-group name process-packet-on-backup statement.
IPsec VPN in Active-Active Mode
Starting in Junos OS Release 22.4R1, you can configure Multinode High Availability to operate in active-active mode with support for multiple SRG1s (SRG1+) for IPsec VPN. In this mode, some SRGs are active on one node and the other SRGs are active on the other node. A particular SRG always operates in active-backup mode: it is active on one node and backup on the other.
Multinode High Availability supports IPsec VPN in active-active mode with multiple SRGs (SRG1+). In this mode, you can establish active tunnels from both nodes, based on which SRGs are active on each node. Because different SRGs can be active on different nodes, the tunnels belonging to those SRGs come up on both nodes independently. Having active tunnels on both nodes lets both nodes encrypt and decrypt data traffic, which makes more efficient use of bandwidth.
Figure 1 and Figure 2 show the differences between active-backup and active-active Multinode High Availability IPsec VPN tunnels.

Multinode High Availability establishes IPsec tunnels and performs key exchanges by associating a termination IP address (which also identifies the tunnels ending on it) with an SRG. Because each SRG1+ can be active on one device and backup on the other, Multinode High Availability steers matching traffic to the node where the corresponding SRG1 is active. Multinode High Availability also maintains the mapping between SRG IDs and IP prefixes.
Table 1 and Table 2 describe the impact of SRG1+ configuration changes and state changes on IPsec VPN tunnels.
SRG1 Changes | Impact on IPsec VPN Tunnels
---|---
SRG addition | No impact on existing tunnels
SRG deletion | Deletes all routes associated with the SRG
SRG attribute (other than prefix-list) modification | No impact on existing tunnels
SRG ID modification | Deletes all existing tunnels associated with the SRG
IP prefix in prefix-list modification | Deletes all tunnels mapping to that IP prefix; no impact if no existing tunnel maps to the modified IP prefix
SRG State Changes | Action from Multinode High Availability
---|---
 | Deletes all data corresponding to that SRG and resynchronizes from the new active SRG
 | Deletes all data corresponding to that SRG and resynchronizes from the new active SRG
 | Not applicable
 | No action
 | No action
 | No action
 | No action (possible state transition; if the Active state is not involved in either the pre or post state, no action is required)
 | No action (possible state transition; if the Active state is not involved in either the pre or post state, no action is required)
 | No action (possible state transition; if the Active state is not involved in either the pre or post state, no action is required)
Associate IPsec VPN Service to an SRG
Releases before 22.4R1 supported only SRG0 and SRG1, and SRG1 was associated with the IPsec VPN service by default. Starting in 22.4R1, no SRG is associated with the IPsec VPN service by default. You must associate the IPsec VPN service with one or more of the SRGs by:
- Specifying IPsec as a managed service, for example:
set chassis high-availability services-redundancy-group <id> managed-services ipsec
- Creating an IP prefix list and associating it with the SRG, for example:
set chassis high-availability services-redundancy-group <id> prefix-list <name>
set policy-options prefix-list <name> <IP address>
When you have multiple SRGs in your Multinode High Availability setup, some SRGs are active on one node and the others are active on the other node. You can anchor particular IPsec tunnels to a particular node (SRX Series firewall) by configuring an IP prefix list.
In an IPsec VPN configuration, an IKE gateway initiates and terminates connections between two security devices. The local end (local IKE gateway) is the SRX Series interface that initiates IKE negotiations. The local IKE gateway has a local address, a publicly routable IP address on the firewall, which the VPN connection uses as its endpoint.
An IP prefix list contains IPv4 or IPv6 address prefixes that are used as the local addresses of IKE gateways. Associating a prefix list with an SRG1 causes the local address of the IKE gateway to be advertised with a higher preference according to the state of that SRG, so the tunnel terminates on the node where the SRG is active.
To anchor a particular IPsec VPN tunnel to a particular security device, you must:
- Create an IP prefix list that contains the local address of the IKE gateway, and associate the prefix list with the SRG:
Example:
user@host# set chassis high-availability services-redundancy-group 1 prefix-list lo0_1
user@host# set chassis high-availability services-redundancy-group 2 prefix-list lo0_2
user@host# set policy-options prefix-list lo0_1 10.11.0.1/32
user@host# set policy-options prefix-list lo0_2 10.11.1.1/32
user@host# set interfaces lo0 description untrust
user@host# set interfaces lo0 unit 0 family inet address 10.11.0.1/32
user@host# set interfaces lo0 unit 0 family inet address 10.11.1.1/32
- Associate (enable) the IPsec VPN service on the SRG:
Example:
user@host# set chassis high-availability services-redundancy-group 1 managed-services ipsec
user@host# set chassis high-availability services-redundancy-group 2 managed-services ipsec
This configuration lets you selectively associate IPsec VPN with any of the SRGs configured on an SRX Series device in a Multinode High Availability setup.
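The following is an added example, not taken from this page or from Juniper's referenced configuration example, that ties the preceding steps together for an active-active deployment: two SRGs, each with its own prefix list and with IPsec as a managed service, and two IKE gateways whose local-address values fall inside the corresponding prefix lists, so that each tunnel is anchored to the node where its SRG is active. The same pattern with only services-redundancy-group 1 gives the active-backup deployment described earlier in this topic, and the recommended commit order from that section still applies: commit the IKE, IPsec, st0 and zone portions on the backup node before the active node unless you use commit synchronize. The example assumes the Multinode High Availability node pairing (local-id, peer-id, ICL) is already configured and that the loopback prefixes are advertised upstream by your routing protocol; the gateway, policy and interface names, peer addresses, remote subnets, proposals and pre-shared key are placeholders, not values from the page.

```junos
## Added example (not from the page). Assumes the Multinode HA node pairing
## (local-id, peer-id, ICL) is already configured on both nodes and that the
## lo0 prefixes are advertised upstream by the routing protocol (that policy
## is outside this example). Names, addresses and the PSK are placeholders.

## --- Identical on both nodes: SRG definitions and prefix-list anchoring ---
## Each SRG owns one prefix list and has IPsec as a managed service.
set chassis high-availability services-redundancy-group 1 deployment-type routing
set chassis high-availability services-redundancy-group 1 managed-services ipsec
set chassis high-availability services-redundancy-group 1 prefix-list lo0_1
set chassis high-availability services-redundancy-group 1 process-packet-on-backup
set chassis high-availability services-redundancy-group 2 deployment-type routing
set chassis high-availability services-redundancy-group 2 managed-services ipsec
set chassis high-availability services-redundancy-group 2 prefix-list lo0_2
set chassis high-availability services-redundancy-group 2 process-packet-on-backup
set policy-options prefix-list lo0_1 10.11.0.1/32
set policy-options prefix-list lo0_2 10.11.1.1/32

## --- Node 1 only: prefer SRG 1 on this node ---
set chassis high-availability services-redundancy-group 1 activeness-priority 200
set chassis high-availability services-redundancy-group 2 activeness-priority 100
## --- Node 2 only: the mirror image, so SRG 2 prefers node 2 ---
## set chassis high-availability services-redundancy-group 1 activeness-priority 100
## set chassis high-availability services-redundancy-group 2 activeness-priority 200

## --- Identical on both nodes: lo0 carries both termination addresses ---
set interfaces lo0 unit 0 family inet address 10.11.0.1/32
set interfaces lo0 unit 0 family inet address 10.11.1.1/32
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

## IKEv2 with a pre-shared key, AES-256-GCM ESP and PFS (placeholder values).
## Prefer certificates in production; note PKI files are synchronized to the
## peer node only when ICL link encryption is enabled.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group19
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "replace-with-a-strong-random-secret"
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-gcm
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group19
set security ipsec policy IPSEC-POL proposals IPSEC-PROP

## GW1 is anchored to SRG 1 because its local-address 10.11.0.1 is in lo0_1;
## GW2 is anchored to SRG 2 because its local-address 10.11.1.1 is in lo0_2.
## Peer addresses 203.0.113.10/20 are placeholders.
set security ike gateway GW1 ike-policy IKE-POL
set security ike gateway GW1 version v2-only
set security ike gateway GW1 address 203.0.113.10
set security ike gateway GW1 local-address 10.11.0.1
set security ike gateway GW1 external-interface lo0.0
set security ike gateway GW2 ike-policy IKE-POL
set security ike gateway GW2 version v2-only
set security ike gateway GW2 address 203.0.113.20
set security ike gateway GW2 local-address 10.11.1.1
set security ike gateway GW2 external-interface lo0.0

set security ipsec vpn VPN1 bind-interface st0.0
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN1 establish-tunnels immediately
set security ipsec vpn VPN2 bind-interface st0.1
set security ipsec vpn VPN2 ike gateway GW2
set security ipsec vpn VPN2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN2 establish-tunnels immediately

## Zones: permit IKE only on the loopback that terminates the tunnels.
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

## Static routes into each tunnel (remote subnets are placeholders).
set routing-options static route 192.168.10.0/24 next-hop st0.0
set routing-options static route 192.168.20.0/24 next-hop st0.1
```

After committing on both nodes, confirm the anchoring with show chassis high-availability prefix-srgid-table (each gateway local address should appear under the intended SRG ID) and with show security ike security-associations on each node: with the priorities above, the GW1 tunnel should be up on node 1 and the GW2 tunnel on node 2. Keep the gateway local-address and the prefix list in step; per Table 1, changing an IP prefix in a prefix list tears down every tunnel mapped to that prefix.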
You can check the mapping of IKE/IPsec objects to the SRG by using the following command:
user@host> show chassis high-availability information detail
.........
Services Redundancy Group: 1
    Deployment Type: SWITCHING
    Status: BACKUP
    Activeness Priority: 200
    Hold Timer: 1
    Services: [ IPSEC ]
    Process Packet In Backup State: NO
    Control Plane State: NOT READY
    System Integrity Check: COMPLETE
    Peer Information:
    Failure Events: NONE
    Peer Id: 2
    Last Advertised HA Status: ACTIVE
    Last Advertised Health Status: HEALTHY
    Failover Readiness: N/A
.............
The Services: [ IPSEC ] line confirms that the IPsec VPN service is associated with this SRG.
You can check the mapping of SRGs and IP prefix list by using the following command:
user@host> show chassis high-availability prefix-srgid-table
IP SRGID Table:
SRGID IP Prefix Routing Table
1 10.11.0.1/32 rt-vr
1 10.19.0.1/32 rt-vr
1 10.20.0.1/32 rt-vr
2 10.11.1.1/32 rt-vr
2 10.19.1.1/32 rt-vr
2 10.20.1.1/32 rt-vr
If you do not configure a prefix list, the command returns the following warning:
user@host> show chassis high-availability prefix-srgid-table
Warning: prefix list not configured
See Example: Configure IPSec VPN in Active-Active Multinode High Availability in a Layer 3 Network for details.