Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-09 Thread Andy Litzinger
Thanks for the help all. The tunnels are up and working great. I have to schedule a maintenance window to verify that st follows the active cluster member. Assume it will work. I'll report back only if it doesn't :) On Mon, May 5, 2014 at 5:50 PM, Ben Dale wrote: > Further to Morgan and And

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Ben Dale
Further to Morgan and Andrew's comments, the st0 interface will follow whichever interface you have bound to the "external-interface" in your IKE Gateway configuration (ge-0/0/0.0 in the AWS example), so if you bind this to a reth (and have the st0 interface in the same redundancy group) you'll

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Morgan McLean
Andy, Assuming you have your own IP space, you put a public address on the loopback. Whichever member is active for lo0 will handle the IPsec if I recall. There's some Juniper docs on the details. st0 will always be on whichever node is primary. Thanks, Morgan On Mon, May 5, 2014 at 5:37 PM, A

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andrew Jones
You don't need to do anything special to make the st0 interface redundant, it will always run on the active node. On 06.05.2014 08:38, Andy Litzinger wrote: Hi Morgan, I presume that with regards to the loopback you are referring to the external interface I use as my IPSec peer toward Amazon?

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andy Litzinger
Hi Morgan, I presume that with regards to the loopback you are referring to the external interface I use as my IPSec peer toward Amazon? What about the internal logical st interface that I need to create in order to route my internal traffic into the tunnel? How do I make that redundant? Thanks

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Aaron Dewell
I have terminated IPSec tunnels on reth interfaces entirely successfully. I would think that would work fine in your setup as well. It wasn't amazon, but it was to other remote SRXs. The ISP in question did terminate on both cluster members (two drops). That was on a branch SRX. On the 3

Re: [j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Morgan McLean
Use your loopback and put that in a reth. Thanks, Morgan On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger < andy.litzinger.li...@gmail.com> wrote: > Hi All, > Two related questions. I have a pair of SRX 3400s in an Active/Passive > cluster. They rely on an external gateway for internet access

[j-nsp] SRX Active/Passive cluster with redundant route based IPSec - connectivity to AWS VPC

2014-05-05 Thread Andy Litzinger
Hi All, Two related questions. I have a pair of SRX 3400s in an Active/Passive cluster. They rely on an external gateway for internet access (i.e. my ISPs don't terminate on the SRXs). I am setting up redundant tunnels to an AWS VPC. Amazon has an example for J-Series ( http://docs.aws.amazon