Hello Jonathan, let me know which Junos version are you using?

You should use two st0.x interfaces like st0.1 and st0.2; the primary route should use st0.1 and the secondary route should use st0.2. It should be straightforward. Keep using VPN monitor. Use re-key and DPD for proper tunnel failover. Let me know if you find any difficulty.

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fa...@pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan

On Tue, Nov 30, 2010 at 9:19 PM, Adam Leff <a...@leff.co> wrote:
> On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff <j...@thejof.com> wrote:
> > On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <a...@leff.co> wrote:
> > > Also, for what it's worth, I do have multiple logical interfaces under
> > > st0 (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
> >
> > Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
> > "bind-interface" statement, but the iff hierarchy under st0 *doesn't*
> > have a "next-hop-tunnel" statement?
>
> Yes. We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel
> statements are required. Are you binding "st0" or the full "st0.1"
> interface to your VPN?
>
> Here's a snippet of our config. Feel free to contact me off-list with your
> config and I'm happy to give it a glance.
>
> in [edit security]:
> ike {
>     policy phx1 {
>         mode main;
>         proposal-set compatible;
>         pre-shared-key ascii-text "<redacted>";
>     }
>     gateway phx1 {
>         ike-policy phx1;
>         address <redacted>;
>         external-interface ge-4/0/0.0;
>     }
> }
> ipsec {
>     vpn phx1 {
>         bind-interface st0.1;
>         vpn-monitor;
>         ike {
>             gateway phx1;
>             ipsec-policy compatible;
>         }
>         establish-tunnels immediately;
>     }
> }
>
> in [edit interfaces]:
> st0 {
>     unit 1 {
>         description "VPN to PHX1";
>         family inet {
>             address 10.10.11.8/31;
>         }
>     }
> }
>
> > > Do you have all the pre-requisites set up? i.e. st0.1 in the proper
> > > security zone, a route pointed down st0.1 for the traffic to be
> > > tunneled, etc.?
> >
> > I'm pretty sure everything looks right (but just to me, so it's
> > certainly possible that there's a bug or two in my config). st0.1 is
> > in a security zone that has policies to permit vpn-monitor ICMP
> > traffic, and I'm not even routing over the st0.1 interface yet, just
> > pinging the remote end.
> >
> > Cheers,
> > jof
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
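The primary/secondary layout Fahad describes, written out as an added SRX example in set-command form (not Adam's or Fahad's config): two route-based tunnels to one remote site, phx1 bound to st0.1 and phx2 to st0.2, each monitored with vpn-monitor and DPD, and a static route whose backup next hop over st0.2 only wins once st0.1 goes down. Peer addresses, the 10.20.0.0/16 remote prefix, the zone name and the explicit AES/SHA-256 proposals (used instead of the thread's "compatible" proposal-set) are assumptions.

```junos
## Added example, not the list thread's configuration. Peer addresses,
## the remote prefix, proposal and zone names are placeholders.
## Phase 1: one policy, one gateway per tunnel, DPD on both gateways
set security ike proposal ike-aes authentication-method pre-shared-keys
set security ike proposal ike-aes dh-group group14
set security ike proposal ike-aes authentication-algorithm sha-256
set security ike proposal ike-aes encryption-algorithm aes-256-cbc
set security ike policy phx mode main
set security ike policy phx proposals ike-aes
set security ike policy phx pre-shared-key ascii-text "<redacted>"
set security ike gateway phx1 ike-policy phx
set security ike gateway phx1 address 192.0.2.1
set security ike gateway phx1 dead-peer-detection interval 10
set security ike gateway phx1 dead-peer-detection threshold 3
set security ike gateway phx1 external-interface ge-4/0/0.0
set security ike gateway phx2 ike-policy phx
set security ike gateway phx2 address 192.0.2.2
set security ike gateway phx2 dead-peer-detection interval 10
set security ike gateway phx2 dead-peer-detection threshold 3
set security ike gateway phx2 external-interface ge-4/0/0.0

## Phase 2: each VPN bound to its own st0 unit and monitored, so a dead
## peer takes its own st0 unit (and the route over it) down
set security ipsec proposal esp-aes protocol esp
set security ipsec proposal esp-aes encryption-algorithm aes-256-cbc
set security ipsec proposal esp-aes authentication-algorithm hmac-sha-256-128
set security ipsec policy phx perfect-forward-secrecy keys group14
set security ipsec policy phx proposals esp-aes
set security ipsec vpn phx1 bind-interface st0.1
set security ipsec vpn phx1 vpn-monitor optimized
set security ipsec vpn phx1 ike gateway phx1
set security ipsec vpn phx1 ike ipsec-policy phx
set security ipsec vpn phx1 establish-tunnels immediately
set security ipsec vpn phx2 bind-interface st0.2
set security ipsec vpn phx2 vpn-monitor optimized
set security ipsec vpn phx2 ike gateway phx2
set security ipsec vpn phx2 ike ipsec-policy phx
set security ipsec vpn phx2 establish-tunnels immediately

## One logical unit per tunnel, both in the same zone; no next-hop-tunnel
set interfaces st0 unit 1 family inet address 10.10.11.8/31
set interfaces st0 unit 2 family inet address 10.10.12.8/31
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2

## Primary route via st0.1 (default preference 5); backup via st0.2 with
## a worse preference, used only while st0.1 is down
set routing-options static route 10.20.0.0/16 next-hop st0.1
set routing-options static route 10.20.0.0/16 qualified-next-hop st0.2 preference 10
```

Check failover with "show security ipsec security-associations" and "show route 10.20.0.0/16" after taking the primary peer away: the active next hop should move to st0.2 and back again once phx1 re-establishes.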