Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Example: Configure IPSec VPN in Active-Active Multinode High Availability in a Layer 3 Network

SUMMARY This example shows how to configure and verify IPsec VPN for active-active Multinode High Availability setup.

Overview

In Multi-Node High Availability, participating SRX Series Firewalls operate as independent nodes in a Layer 3 network. The nodes are connected to adjacent infrastructure belonging to different networks. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. Participating nodes backup each other to ensure a fast synchronized failover in case of system or hardware failure.

You can operate Multinode High Availability in active-active mode with support of multiple services redundancy groups (SRGs). In this mode, some SRGs remain active on one node and some SRGs remain active on another node.

Multinode High Availability supports IPsec VPN in active-active mode with multiple SRGs (SRG1+). In this mode, you can establish multiple active tunnels from both the nodes, based on SRG activeness. Multinode High Availability establishes IPsec tunnel and performs key exchanges by associating termination IP address (which also identifies the tunnels ending on it) to the SRG. Since different SRG1+ can be in active state or in backup state on each of the devices, Multinode High Availability steers the matching traffic effectively to the corresponding active SRG1. Since different SRGs can be active on different nodes, tunnels belonging to these SRGs come up on both nodes independently.

Note:

We support a two-node configuration in the Multinode High Availability solution.

Requirements

This example uses the following hardware and software components:

  • Two SRX Series Firewalls (Supported devices are SRX5400, SRX5600, and SRX5800 with SPC3, IOC3, SCB3, SCB4, and RE3)

  • Junos OS Release 22.4R1

We've used two Juniper Networks MX Series Routing Platform as upstream/downstream routers in this example.

Before You Begin

  • Configure stateless firewall filtering and quality of service (QoS) as per your network requirements and have appropriate security policies to manage traffic in your network.

  • In a typical high availability deployment, you have multiple routers and switches on the northbound and southbound sides of the network. For this example, we are using two routers on both sides of SRX Series Firewalls. Ensure that you've configured upstream and downstream routers as per your network requirements.

  • Install the Junos IKE package on your SRX Series Firewalls using the request system software add optional://junos-ike.tgz command. The junos-ike package is included in your Junos software packages (Junos OS Release 20.4R1 onwards).

Topology

Figure 1 shows the topology used in this example.

Figure 1: Multinode High Availability in Layer 3 Network Multinode High Availability in Layer 3 Network

As shown in the topology, two SRX Series Firewalls (SRX-1 and SRX-2) are connected to adjacent routers on trust and untrust side forming a BGP neighborship. An encrypted logical interchassis link (ICL) connects the nodes over a routed network. The nodes communicate with each other using a routable IP address (floating IP address) over the network.

The SRX-03 device acts as a peer device to the Multinode High Availability setup and it establishes IPsec VPN tunnels with SRX-01 and SRX-02 devices.

You'll perform the following tasks to build a Multinode High Availability setup:

  • Configure a pair of SRX Series Firewalls as local and peer nodes by assigning IDs.
  • Configure services redundancy groups (SRG1 and SRG2).
  • Configure a loopback interface (lo0.0) to host the floating IP address and to reach the peer gateway. Using the loopback interface ensures that at any given point, traffic from the adjacent routers will be steered toward the floating IP address (that is, toward the active node).
  • Configure IP probes for the activeness determination and enforcement
  • Configure a signal route required for activeness enforcement and use it along with the route exists policy.
  • Configure a VPN profile for the high availability (ICL) traffic using IKEv2.
  • Configure BFD monitoring options
  • Configure a routing policy and routing options
  • Configure interfaces and zones according to your network requirement. You must allow services such as IKE for link encryption and SSH for configuration synchronization as host-inbound system services on the security zone that is associated with the ICL.

  • Create a group configuration for IPsec VPN on SRX-01 and SRX-02 devices to set up a tunnel with VPN peer device (SRX-03). Configuration groups enable you to apply common elements that are reused within the same configuration.

  • Configure IPsec VPN options to establish tunnels with SRX-03 device and enable IPsec VPN configuration synchronization on both the devices (SRX-01 and SRX-02) by using [groups] option.
  • Configure VPN peer device with IPsec VPN options.

For interchassis link (ICL), we recommend the following configuration:

  • In general, you can use Aggregated Ethernet (AE) or a revenue Ethernet port on the SRX Series Firewalls to setup an ICL connection. In this example, we've used GE ports for the ICL. We've also configured a routing instance for the ICL path to ensure maximum segmentation.

  • Do not to use the dedicated HA ports (control and fabric ports) if available on your SRX Series Firewall).
  • Set MTU of 1514
  • Allow the following services on the security zone associated with interfaces used for ICL

    • IKE, high-availability, SSH

    • Protocols depending on the routing protocol you need.

    • BFD to monitor the neighboring routes.

You can configure the following options on SRG0 and SRG1+:

You can configure the following options on SRG0 and SRG1:

  • SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing and process packet on backup.

  • SRG1: BFD monitoring, IP monitoring, and interface monitoring options on SRG1.

  • SRG0: shutdown on failure and install on failure route options.

    When you configure monitoring (BFD or IP or Interface) options under SRG1, we recommend not to configure the shutdown-on-failure option under SRG0.

  • SRG1: Active/backup signal route, deployment type, activeness priority, preemption, virtual IP address (for default gateway deployments), activeness probing and process packet on backup.

  • SRG1: BFD monitoring, IP monitoring, and interface monitoring options on SRG1.

  • SRG0: shutdown on failure and install on failure route options.

    When you configure monitoring (BFD or IP or Interface) options under SRG1, we recommend not to configure the shutdown-on-failure option under SRG0.

Table 1 shows the details on interfaces configuration used in this example.

Table 1: Interfaces and IP Address Configuration on Security Devices
Device Interface Zone IP Address Configured For
SRX-01 lo0

Untrust

10.11.0.1/32

Floating IP address

IKE Gateway address

10.12.0.1/32

IKE Gateway address

ge-0/0/2

ICL

10.22.0.2/24

Connecting ICL

ge-0/0/4

Trust

10.5.0.1/24

Connects to R2 router

ge-0/0/3

Untrust

10.3.0.2/24

Connects to R1 router
SRX-02

lo0

Untrust

10.12.0.1/32

Floating IP address

IKE Gateway address

10.11.0.1/32

IKE Gateway address

ge-0/0/2

ICL

10.22.0.1/24

Connecting ICL

ge-0/0/3

Untrust

10.2.0.2/24

Connects to R1 router

ge-0/0/4

Trust

10.4.0.1/24

Connects to R2 router
SRX-03 lo0

Untrust

10.112.0.1/32

IKE Gateway address

10.112.0.5/32

IKE Gateway address

ge-0/0/0

Untrust

10.7.0.1/24

Connects to R2 router

ge-0/0/2

Trust

10.6.0.2/24

Connects to client device
Table 2: Interfaces and IP Address Configuration on Routing Devices
Device Interface IP Address Configured for
R2 lo0

10.111.0.2/32

Loopback interface address of R2

ge-0/0/1

10.4.0.2/24

Connects to SRX-02

ge-0/0/0

10.5.0.2/24

Connects to SRX-01

ge-0/0/2

10.7.0.2/24

Connects to SRX-03 (VPN peer device)
R1 lo0

10.111.0.1/32

Loopback interface address of R1

ge-0/0/0

10.3.0.1/24

Connects to SRX-01

ge-0/0/1

10.2.0.1/24

Connects to SRX-02

Configuration

Before You Begin

Junos IKE package is required on your SRX Series Firewalls for Multinode High Availability configuration. This package is available as a default package or as an optional package on SRX Series Firewalls. See Support for Junos IKE Package for details.

If the package is not installed by default on your SRX Series firewall, use the following command to install it. You require this step for ICL encryption.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.

SRX-01 Device

SRX-02 Device

SRX-3 Device

The following sections show configuration snippets on the routers required for setting up Multinode High Availability setup in the network.

R1 Router

R2 Router

Configuration

Step-by-Step Procedure

We're showing the configuration of SRX-01 in the step-by-step procedure.

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Configure Interfaces.

    Use ge-0/0/3 and ge-0/0/4 interfaces to connect to the upstream and downstream routers and use ge-0/0/2 interface to set up the ICL.

  2. Configure the loopback interfaces.

    Assign IP address 10.11.0.1 and 10.12.0.1 to the loopback interface. We'll use 10.11.0.1 as the floating IP address and 10.12.0.1 as IKE gateway address.

  3. Configure security zones, assign interfaces to the zones, and specify the allowed system services for the security zones.

    Assign the interfaces ge-0/0/3 and ge-0/0/4 the trust and untrust zones respectively. Assign the lo0.0 interface to the untrust zone to connect over the IP network. Assign the interface ge-0/0/2 to the ICL zone. You use this zone to set up the ICL. Assign the secure tunnel interface to the VPN security zone.

  4. Configure both local node and peer node details such as node ID, lP addresses of local node and peer node, and the interface for the peer node.

    You'll use the ge-0/0/2 interface for communicating with the peer node using the ICL.

  5. Attach the IPsec VPN profile IPSEC_VPN_ICL to the peer node.

    You'll need this configuration to establish a secure ICL link between the nodes.

  6. Configure Bidirectional Forwarding Detection (BFD) protocol options for the peer node.

  7. Configure the services redundancy groups SRG1 and SRG2.

    In this step, you are specifying deployment type as routing because you are setting up Multinode High Availability in a Layer 3 network.

  8. Setup activeness determination parameters both SRG1 and SRG2.

    SRG1

    SRG2

    Use the floating IP address as source IP address (10.11.0.1 for SRG1 and 10.12.0.1 for SRG2) and IP addresses of the upstream routers as the destination IP address (10.111.0.1) for the activeness determination probe.

    You can configure up to 64 IP addresses for IP monitoring and activeness probing. The total 64 IP addresses is sum of the number of IPv4 and IPv6 addresses)

  9. Configure BFD monitoring parameters for the SRG1 and SRG2 to detect failures in network.

    SRG1

    SRG2

  10. Configure an active signal route required for activeness enforcement.

    SRG1

    SRG2

    The active signal route IP address you assign is used for route preference advertisement. You must specify the active signal route along with the route-exists policy in the policy-options statement.

  11. Create an IP prefix list by including the local address of IKE gateway and associate the IP prefix list to SRG1 and SRG2:

    SRG1

    SRG2

    This configuration anchors a certain IPsec VPN tunnel to a particular security device.

  12. Enable IPsec VPN service on both SRG1 and SRG2.

  13. Configure IPSec VPN options for the ICL.

    1. Define Internet Key Exchange (IKE) configuration. An IKE configuration defines the algorithms and keys used to establish a secure connection.

      For the Multinode High availability feature, you must configure the IKE version as v2-only

    2. Specify the IPsec proposal protocol and encryption algorithm. Specify IPsec options to create an IPsec tunnel between two participant devices to secure VPN communication.

      Specifying the ha-link-encryption option encrypts the ICL to secure high availability traffic flow between the nodes.

      The same VPN name ICL_IPSEC_VPN must be mentioned for vpn_profile in the set chassis high-availability peer-id <id> vpn-profile vpn_profile configuration.

  14. Configure the security policy.

    For this example, we’ve configured a policy to permit all traffic. We strongly recommend you to create security policies as per your network requirements to permit traffic that is allowed by your organizational policy and deny all other traffic. We've used the default policy for the demo purpose only in this example.

  15. Configure routing options.

  16. Configure policy options.

    Configure the active signal route 10.39.1.1 (SRG1) and 10.49.1.1 (SRG2) with the route match condition (if-route-exists). The Multinode High Availability adds this route to the routing table when the node moves to the active role. The node also starts advertising the higher preference route. Configure the backup signal route (10.39.1.2 and 10.49.1.2) to advertise the backup node with a medium priority. In case of any failures, the high availability link goes down and the current active node releases its primary role and removes the active-signal-route. Now the backup node detects the condition through its probes and transitions to the active role. The route preference is swapped to drive all the traffic to the new active node

  17. Configure BFD peering sessions options and specify liveness detection timers.

IPsec VPN Configuration (SRX-1 and SRX-2)

Use the following steps to setup IPsec VPN connection with the peer SRX Series firewall. In this example, you'll be placing all of your IPsec VPN configuration statements inside a JUNOS configuration group named vpn_config.

  1. Create a configuration group vpn_config at the top of the configuration and configure IPsec VPN specific details.

  2. Include the apply-groups statement in the configuration to inherit the statements from the vpn_config configuration group,

Configuration (SRX-03) (VPN Peer Device)

Step-By-Step Procedure

  1. Create the IKE proposal.

  2. Define IKE policies.

  3. Create an IKE gateway, define address, specify external interfaces and version.

  4. Create IPsec proposals.

  5. Create IPsec policies.

  6. Specify the IPsec proposal references (IKE gateway, IPsec policy, interface to bind, and traffic selectors).

  7. Create a security policy.

    For this example, we’ve configured a policy to permit all traffic. We strongly recommend you to create security policies as per your network requirements to permit traffic that is allowed by your organizational policy and deny all other traffic. We've used the default policy for the demo purpose only in this example.

  8. Configure the interfaces.

  9. Define security zones and add interfaces.

  10. Configure the static routes.

Results (SRX-01)

From configuration mode, confirm your configuration by entering the following commands.

If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Results (SRX-02)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

On your security devices, you'll get the following message that asks you to reboot the device:

Results (SRX-3) (VPN Peer Device)

From configuration mode, confirm your configuration by entering the following commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

On SRX-1

On SRX-2

Meaning

Verify these details from the command output:

  • Local node and peer node details such as IP address and ID.

  • The field Encrypted: YES indicates that the traffic is protected.

  • The field Deployment Type: ROUTING indicates a Layer 3 mode configuration—that is, the network has routers on both sides.

  • The field Services Redundancy Group: 1 and Services Redundancy Group: 2 indicate the status of the SRG1 and SRG2 (active or backup) on that node.

Check Multinode High Availability Details

Purpose

View and verify the details of the Multinode High Availability setup configured on your security device.

Action

From operational mode, run the following command:

On SRX-01

Meaning

Verify these details from the command output:

  • The field Services: [ IPSEC ] indicates the associated IPSec VPN for each SRG.

  • The fields BFD Monitoring, Interface Monitoring, Split-brain Prevention Probe Info display monitoring details.

  • The fields Cold Synchronization, SRG State Change Events provide details on current status and recent changes.

  • The field Services Redundancy Group: 1 and Services Redundancy Group: 2 indicate the status of the SRG1 and SRG2 (active or backup) on that node.

In the command output, the IP addresses such as IP 180.100.1.2 are generated internally by Junos OS and these addresses do not interfere with routing tables.

Check Multinode High Availability Peer Node Status

Purpose

View and verify the peer node details.

Action

From operational mode, run the following command on SRX-01 and SRX-02:

SRX-01

SRX-02

Meaning

Verify these details from the command output:

  • Peer node details such as interface used, IP address, and ID

  • Encryption status, connection status, and cold synchronization status

  • Packet statistics across the node.

Check Multinode High Availability Service Redundancy Groups

Purpose

Verify that the SRGs are configured and working correctly.

Action

From operational mode, run the following command on both security devices:

SRG1 on SRX-02

SRG2 on SRX-02

SRG1 on SRX-01

SRG2 on SRX-01

Meaning

Verify these details from the command output:

  • Peer node details such as deployment type, status, active and back up signal routes.

  • Split-brain prevention probe, IP monitoring and BFD monitoring status.

  • Associated IP prefix table.

Verify Interchassis Link (ICL) Encryption Status

Purpose

Verify the interchassis link (ICL) status.

Action

Run the following command on SRX-01:

Meaning

The command output provides the following information:

  • The local gateway and remote gateway details.

  • The IPsec SA pair for each threads in PIC.

  • HA link encryption mode (as shown in the following line):

  • Authentication and encryption algorithms used

Verify Link Encryption Tunnel Statistics

Purpose

Verify link encryption tunnel statistics on both active and backup nodes.

Action

Run the following command on SRX-01:

Meaning

If you see packet loss issues across a VPN, you can run the show security ipsec statistics ha-link-encryption command several times to verify that the encrypted and decrypted packet counters are incrementing. You should also check whether the other error counters are incrementing.

Use the clear security ipsec security-associations ha-link-encryption command to clear all IPsec statistics.

Verify Interchassis Link Active Peers

Purpose

View only ICL active peers, but not regular IKE active peers.

Action

Run the following commands on SRX-01 and SRX-02 devices:

SRX-1

SRX-2

Meaning

Command output displays only the active peer of the ICL with details such as the peer addresses and ports the active peer is using.

Confirm VPN Status

Purpose

Confirm VPN status by checking the status of any IKE security associations at SRG level.

Action

Run the following commands on SRX-1, SRX-2, and SRX-3 (VPN peer device):

SRX-01

SRX-02

SRX-3 (VPN Peer Device)

Meaning

The output indicates that:

  • IP addresses of the remote peers.
  • The state showing UP for both remote peers indicates the successful association of Phase 1 establishment.
  • The remote peer IP address, IKE policy, and external interfaces are all correct.

Display IPsec Security Association Details

Purpose

Display the individual IPsec SA details identified by SRG IDs.

Action

Run the following command on the SRX Series Firewalls:

SRX-1

SRX-02

SRX-03

Meaning

The output displays the state of the VPN.

Display Active Peers Per SRG

Purpose

Display the list of connected active peers with peer addresses and ports they are using.

Action

Run the following commands on the SRX Series Firewalls:

SRX-01

SRX-02

Meaning

The output displays the list of connected devices with details about the peer addresses and ports used.

Display IP Prefix to SRG Mapping

Purpose

Display IP prefix to SRG mapping information.

Action

Run the following command on SRX-01 device.

Meaning

Output shows IP address prefixes mapped to SRGs in the setup.

Display BGP Session Information.

Purpose

Display summary information about BGP and its neighbors to determine if routes are received from peers.

Action

Run the following commands on the SRX Series Firewalls:

SRX-1 Device

SRX-2 Device

Meaning

The output shows that the BGP session is established and the peers are exchanging update messages.

See Also