[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Hi All,

Two related questions. I have a pair of SRX 3400s in an Active/Passive cluster. They rely on an external gateway for internet access (i.e. my ISPs don't terminate on the SRXs). I am setting up redundant tunnels to an AWS VPC. Amazon has an example for J-Series (http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html), but I don't think it's for a cluster set-up.

Here are my questions:

1 - If I want to set up a redundant secure tunnel interface (e.g. st0), should I bind it to a reth interface?

2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC? Any tips or tricks you care to share?

regards,
-andy

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Use your loopback and put that in a reth.

Thanks,
Morgan

On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger andy.litzinger.li...@gmail.com wrote:
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
I have terminated IPSec tunnels on reth interfaces entirely successfully. I would think that would work fine in your setup as well. It wasn't Amazon, but it was to other remote SRXs. The ISP in question did terminate on both cluster members (two drops). That was on a branch SRX. On the 3400 YMMV, but I don't see why it wouldn't work.

On May 5, 2014, at 5:23 PM, Andy Litzinger wrote:
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Hi Morgan,

I presume that with regards to the loopback you are referring to the external interface I use as my IPSec peer toward Amazon? What about the internal logical st interface that I need to create in order to route my internal traffic into the tunnel? How do I make that redundant?

thanks!
-andy

On Mon, May 5, 2014 at 3:30 PM, Morgan McLean wrx...@gmail.com wrote:
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
You don't need to do anything special to make the st0 interface redundant; it will always run on the active node.

On 06.05.2014 08:38, Andy Litzinger wrote:
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Andy,

Assuming you have your own IP space, you put a public address on the loopback. Whichever member is active for lo0 will handle the IPSEC if I recall. There's some Juniper docs on the details. ST0 will always be on whichever node is primary.

Thanks,
Morgan

On Mon, May 5, 2014 at 5:37 PM, Andrew Jones a...@jonesy.com.au wrote:
Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC
Further to Morgan and Andrew's comments, the st0 interface will follow whichever interface you have bound to the external-interface in your IKE Gateway configuration (ge-0/0/0.0 in the AWS example), so if you bind this to a reth (and have the st0 interface in the same redundancy group) you'll be golden.

On 6 May 2014, at 10:44 am, Morgan McLean wrx...@gmail.com wrote:
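The reth / IKE external-interface / st0 binding described in the replies above, as an added Junos set-command example that is not from the thread or from Amazon's J-Series guide. It assumes reth0 is the outside interface with members ge-0/0/0 (node 0) and ge-5/0/0 (node 1), placeholder addresses 203.0.113.10 (SRX outside), 192.0.2.1 (AWS VPN endpoint), 169.254.255.2/30 (tunnel inside address) and 10.0.0.0/16 (VPC CIDR), and IKE/IPsec policies named aws-ike-policy and aws-ipsec-policy defined elsewhere to match Amazon's generated proposals.

```junos
# Constructed example; interface names, addresses and policy names are placeholders.
# Redundancy group 1 owns the data plane; interface-monitor fails it over
# if the active node loses its outside link, and st0 moves with it.
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/0 weight 255

# One physical member per node rolls up into reth0 (assumed SRX 3400 slot numbering).
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-5/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.10/24

# Tunnel interface: no redundancy settings of its own. It runs on whichever
# node is primary for the redundancy group that owns the IKE external interface.
set interfaces st0 unit 0 family inet address 169.254.255.2/30

# Weak: binding IKE to a physical member ties the SA to one node, so a failover
# drops the tunnel until IKE renegotiates from the other node.
# set security ike gateway aws-gw external-interface ge-0/0/0.0
# Correct: bind IKE to the reth so the SA and st0 follow RG1 on failover.
set security ike gateway aws-gw external-interface reth0.0
set security ike gateway aws-gw address 192.0.2.1
set security ike gateway aws-gw ike-policy aws-ike-policy
set security ike gateway aws-gw dead-peer-detection

# The VPN binds the tunnel interface to the gateway above.
set security ipsec vpn aws-vpn bind-interface st0.0
set security ipsec vpn aws-vpn ike gateway aws-gw
set security ipsec vpn aws-vpn ike ipsec-policy aws-ipsec-policy
set security ipsec vpn aws-vpn establish-tunnels immediately

# IKE must be permitted inbound on the reth, not on the member interfaces.
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0

# Route VPC traffic into the tunnel.
set routing-options static route 10.0.0.0/16 next-hop st0.0
```

AWS hands out two tunnel endpoints; the second tunnel repeats the ike gateway and ipsec vpn stanzas against st0.1 and the second endpoint address, still bound to reth0.0. After a failover, `show security ike security-associations` and `show security ipsec security-associations` on the new primary confirm the SAs survived.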