This has been posted before, but on the "high-end" SRX such as the 3600 you cannot terminate IKE on lo0 [1]
"On branch SRX Series devices, the lo0 pseudointerface can be configured in any redundancy group; for example, RG0, RG1, RG2, and so on. However, on high-end SRX Series devices, the lo0 pseudointerface cannot be configured in RG0 when it is used as an IKE gateway external interface. Because a VPN is only supported in an active-passive HA environment on high-end SRX Series devices, the lo0 pseudointerface can be configured in such a setup for RG1. In a HA setup, the node on which the external interface is active selects an SPU to anchor the VPN tunnel. IKE and IPsec packets are processed on that SPU. Thus an active external interface decides the anchor SPU."

[1] http://www.juniper.net/techpubs/en_US/junos12.1x45/topics/concept/security-loopback-interface-ha-for-vpn.html

-bn
0216331C

On Wed, Jan 22, 2014 at 2:08 PM, Morgan McLean <wrx...@gmail.com> wrote:
> Hi all,
>
> Quick question regarding terminating IKE on a lo0 interface on a 3600
> cluster.
>
> http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/concept/security-loopback-interface-ha-for-vpn.html
>
> According to this, it mentions putting lo0 into an RG that's not 0, which is
> the one tied to RE and master node etc. Does anybody do this? Do you just
> assign lo0 to redundancy group say 2, and then it just works? Anything else
> we need to do? The VPN packets could come in over node 0 or node 1...so I'm
> not sure exactly how this helps.
>
> --
> Thanks,
> Morgan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
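As an added illustration of the setup the quoted Juniper text describes (this is not from either message in the thread), here is a Junos configuration sketch for terminating IKE on lo0 in a high-end SRX chassis cluster, with lo0 placed in RG1 rather than RG0. The addresses, priorities and object names are constructed placeholders, and the statements follow general Junos chassis-cluster and IKE syntax as I know it rather than anything the thread itself shows, so confirm them against the documentation for your release.

```junos
## Added example, not from the thread: lo0 as IKE external interface on a
## high-end SRX cluster. Names and addresses are constructed placeholders.

## RG0 stays with the Routing Engine. RG1 is the data-plane group that lo0
## will follow; the node that is primary for RG1 owns the active lo0 and
## therefore selects the SPU that anchors this tunnel's IKE/IPsec.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

## Put lo0 in RG1, not RG0 (RG0 is not allowed for an IKE external
## interface on high-end SRX, per the quoted Juniper text).
set interfaces lo0 redundancy-group 1
set interfaces lo0 unit 0 family inet address 203.0.113.1/32

## Permit IKE to the loopback address in its security zone.
set security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services ike

## IKE gateway terminating on lo0.0; the peer always talks to 203.0.113.1,
## whichever node is currently primary for RG1.
set security ike gateway PEER-GW ike-policy IKE-POL
set security ike gateway PEER-GW address 198.51.100.2
set security ike gateway PEER-GW external-interface lo0.0

## Verification: which node currently owns RG1 (the tunnel anchor), and
## whether IKE has come up on the loopback address.
##   run show chassis cluster status
##   run show security ike security-associations
```

If RG1 fails over, the IKE gateway and its SPU anchor move with it, which is the behaviour the quoted text refers to when it says the active external interface decides the anchor SPU.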