Circling back on this... with my question about my JSC remote access VPN
not working with my current MNHA deployment type (using the switching
(def gw) mode)... I've heard various things about my needing to rethink
the way I'm testing MNHA, like needing to go with "deployment-type
routing", enable IPsec encryption on my HA ICL, and I think a few other
things...
Using a link provided to me... I found the following that seems to work.
https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/concept/mnha-ipsec-vpn.html
Under "Associate IPsec VPN Service to an SRG" I used the following
command for associating IPsec as a managed-service to SRG 1 and now I
can connect using JSC on my Windows 11 laptop, and I see IKE and IPsec
SAs on both active and backup SRXs... and, I can fail over the active SRX,
and my JSC VPN fails over too. Yay! Before I celebrate too much, are
there any concerns with this?
...showing my deployment type and managed-service IPsec commands on both
SRXs...
set chassis high-availability services-redundancy-group 1 deployment-type switching
...
set chassis high-availability services-redundancy-group 1 managed-services ipsec
CLI output...
me@srx01> show chassis high-availability information detail | grep "^ha peer info|peer-id|encryp|ipsec|^service.+1$|deploy"
HA Peer Information:
Peer-ID: 2 IP address: 172.21.0.1 Interface: ae3.0
Encrypted: NO Conn State: UP
Services Redundancy Group: 1
Deployment Type: SWITCHING
Services: [ IPSEC ]
me@srx02> show chassis high-availability information detail | grep "^ha peer info|peer-id|encryp|ipsec|^service.+1$|deploy"
HA Peer Information:
Peer-ID: 1 IP address: 172.21.0.0 Interface: ae3.0
Encrypted: NO Conn State: UP
Services Redundancy Group: 1
Deployment Type: SWITCHING
Services: [ IPSEC ]
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
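
Added example, not part of the original post: a Python check that parses the filtered `show chassis high-availability information detail` output quoted above from both nodes and reports an unencrypted or down ICL and any SRG mismatch between the peers. The helper names `parse_ha` and `review` are hypothetical, and it assumes the `Encrypted` field reflects whether the ICL is encrypted.

```python
import re

# Constructed sample: srx01's filtered output as quoted in the post; srx02 differs only in peer.
SRX01 = """HA Peer Information:
Peer-ID: 2 IP address: 172.21.0.1 Interface: ae3.0
Encrypted: NO Conn State: UP
Services Redundancy Group: 1
Deployment Type: SWITCHING
Services: [ IPSEC ]
"""
SRX02 = SRX01.replace("Peer-ID: 2 IP address: 172.21.0.1", "Peer-ID: 1 IP address: 172.21.0.0")

def parse_ha(text):
    """Parse the filtered output into {'peers': [...], 'srgs': {id: {...}}} (hypothetical helper)."""
    state, srg = {"peers": [], "srgs": {}}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Peer-ID:\s*(\d+)\s+IP address:\s*(\S+)\s+Interface:\s*(\S+)", line):
            state["peers"].append({"id": int(m[1]), "ip": m[2], "ifl": m[3]})
        elif m := re.match(r"Encrypted:\s*(\w+)\s+Conn State:\s*(\w+)", line):
            if state["peers"]:  # ignore a status line with no preceding Peer-ID line
                state["peers"][-1].update(encrypted=m[1].upper() == "YES", conn=m[2].upper())
        elif m := re.match(r"Services Redundancy Group:\s*(\d+)", line):
            srg = state["srgs"].setdefault(int(m[1]), {"deployment": None, "services": []})
        elif srg is not None and (m := re.match(r"Deployment Type:\s*(\S+)", line)):
            srg["deployment"] = m[1].upper()
        elif srg is not None and (m := re.match(r"Services:\s*\[(.*)\]", line)):
            srg["services"] = m[1].split()
    return state

def review(nodes):
    """nodes maps hostname -> CLI text; returns a list of findings (hypothetical helper)."""
    parsed = {host: parse_ha(text) for host, text in nodes.items()}
    findings = []
    for host, st in parsed.items():
        for p in st["peers"]:
            if p.get("conn") != "UP":
                findings.append(f"{host}: ICL to peer {p['id']} is {p.get('conn')}")
            if not p.get("encrypted"):  # assumption: this field reports ICL encryption
                findings.append(f"{host}: ICL to peer {p['id']} ({p['ifl']}) is not encrypted")
    srg_views = [st["srgs"] for st in parsed.values()]
    if any(view != srg_views[0] for view in srg_views[1:]):
        findings.append("SRG deployment type or services differ between nodes")
    return findings

if __name__ == "__main__":
    for finding in review({"srx01": SRX01, "srx02": SRX02}):
        print(finding)
```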