Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Example: Configuring a Single SRX Series Device in a Branch Office

This example provides a step-by-step procedure for configuring and commands for verifying a chassis cluster on a single SRX Series device in a branch office.


This example uses the following hardware and software components:

  • SRX240 Services Gateways

  • Junos OS Release 12.1 or later


This configuration example has been tested using the software release listed and is assumed to work on all later releases.


To implement a link-level high availability deployment, each branch office requires two WAN connections and two IPsec virtual private network (VPN) tunnels for each data center. Traffic is load-balanced across each pair of tunnels. Whenever traffic is directed to a given data center, sessions are load-balanced in a round-robin fashion across each IPsec tunnel going to that data center. In turn, the tunnels are configured in such a way that each tunnel uses a different egress link, resulting in a balance of the upstream links for VPN traffic.


Figure 1 shows a link-level redundancy configuration with connection to a data center. Note that even though multiple data centers might be used, from the branch high availability perspective, the configuration is identical. Only the IPsec tunnel configurations and their route settings change. For simplicity, only the IPsec configuration to one of the data centers is shown. A sample configuration for setting up redundant IPsec VPN tunnels on an SRX Series device is shown.

Figure 1: Link-Level Redundant WAN Connectivity ArchitectureLink-Level Redundant WAN Connectivity Architecture

Figure 2 shows the zone configuration. VPN tunnels are part of a separate zone named the VPN zone. Also when designing security policies, the VPN tunnels must be formed as part of a separate zone because traffic that goes to the data centers (or other branches) exits through this zone.

Figure 2: Security Zones On An SRX Series DeviceSecurity Zones On An SRX Series Device


Configuring Redundant IPsec VPN Tunnels on an SRX Series Device

Step-by-Step Procedure

To configure redundant IPsec VPN tunnels:

  1. Specify global VPN settings.

  2. Configure the IKE policy for main mode, predefined standard proposal set, and preshared key.

  3. Configure the IKE gateways with a peer IP address, an IKE policy, and an outgoing interface.

  4. Configure the IPsec policy and the binding for tunnel interface st0.0

    In this example, use the standard proposal set. However, you can create a unique proposal and then specify it in the IPsec policy, if needed.

  5. Configure the binding for the tunnel interface st0.1

  6. Configure both st0.0 and st0.1 interface multipoints.

  7. Configure the static route for both the tunnel interfaces.

  8. Configure the management zone.

  9. Configure the trust zone.

  10. Configure the untrust zone.

  11. Configure security zones by assigning interfaces and host-inbound services.


From operational mode, confirm your configuration by entering the show configuration | no-more command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host>show configuration | no-more


Confirm that the configuration is working properly.

Verifying the Tunnel Interfaces


Verify that the tunnel interfaces configuration is working properly.


From operational mode, enter the show interfaces terse | match st command.

user@host>show interfaces terse | match st


The show interfaces terse | match st command displays the status of the tunnel interfaces.

Verifying the IKE Status


Verify the IKE status.


From operational mode, enter the show security ike sa command.

user@host>show security ike sa


The show security ike sa command lists all active IKE Phase 1 SAs. If no SAs are listed, there was a problem with Phase 1 establishment. Check the IKE policy parameters and external interface settings in your configuration.

If SAs are listed, review the following information:

  • Index—This value is unique for each IKE SA, which you can use in the show security ike security-associations index detail command to get more information about the SA.

  • Remote Address—Verify that the remote IP address is correct.

  • State

    • UP—The Phase 1 SA has been established.

    • DOWN—There was a problem establishing the Phase 1 SA.

  • Mode—Verify that the correct mode is being used.

Verifying IPsec Security Associations


Verify IPsec security associations.


From operational mode, enter the show security ipsec sa command.

user@host>show security ipsec sa


The output indicates that:

  • There is a configured IPsec SA pair available . The port number 500 indicates that a standard IKE port is used. Otherwise, it is Network Address Translation-Traversal (NAT-T), 4500, or random high port.

  • The security parameter index (SPI) is used for both directions. The lifetime or usage limits of the SA is expressed either in seconds or in kilobytes. In the output, 2492/ unlim indicates Phase 2 lifetime is set to expire in 2492 seconds and there is no specified lifetime size.

  • The ID number shows the unique index value for each IPsec SA.

Verifying the Route Entries


Verify the route entries in the routing table.


From operational mode, enter the show route command.

user@host>show route


The output indicates that there are 19 routes and all the routes are active.