Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
Also extremely helpful in high-traffic-profile tunnels on higher-end SRXs with multiple SPCs: combined with the shell command "kmd -T source_add:dest_add", you can load-balance your IPsec traffic against lower-usage SPCs and improve overall performance and throughput :) On Tue, May 6, 2014 at 9:1

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
Well, I will be sure to set that up in the lab next time around! Thank you. //Mattias On Tue, May 6, 2014 at 3:23 PM, Mike Devlin wrote: > Also extremely helpful in high-traffic-profile tunnels on higher-end SRXs > with multiple SPCs > > combined with the shell command "kmd -T source_add:dest

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
In the IKE gateway configuration there is a hidden command "local-address", so assuming your hub is using 3 addresses and you want to use the 2nd address for IPsec termination:
edit interfaces ge-0/0/0 unit 0 family inet
set address 1.1.1.1/29
set address 1.1.1.2/29
set address 1.1.1.3/29
top
in your s

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Per Westerlund
I think Mike was hinting at the hidden property 'local-address' to help select the source address from an interface that has more than one address configured. You won't see it in the help, but if you enter this:
set security ike gateway GATE local-address x.y.z.w
it will work. This way you
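As an added example (not posted by anyone in this thread), here is what the hub-side configuration the posts above describe looks like when pulled together: a multi-address external interface, a certificate-based dynamic gateway matched on distinguished name, and the IKE source pinned to the second address with the hidden local-address knob. Every name, the 192.0.2.0/29 addresses and the DN wildcard are assumed placeholders; lines starting with ## are annotations, not configuration, and should be stripped before loading.

```junos
## Added example, not from the thread. All names, addresses and the DN
## wildcard are assumed placeholders.

## Hub external interface carries three addresses from the /29 (constructed).
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/29
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/29
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.3/29

## Certificate-based IKE, matching the "PKI + distinguished names" hub.
set security ike proposal IKE-PROP authentication-method rsa-signatures
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL certificate local-certificate HUB-CERT

## Dynamic gateway: spokes are identified by their certificate DN, not by IP,
## so many spokes can share one gateway (group IKE ID).
set security ike gateway HUB-GW ike-policy IKE-POL
set security ike gateway HUB-GW dynamic distinguished-name wildcard "OU=spokes, O=example"
set security ike gateway HUB-GW dynamic ike-user-type group-ike-id
set security ike gateway HUB-GW local-identity distinguished-name
set security ike gateway HUB-GW external-interface ge-0/0/0.0
## Without this line the SRX terminates IKE on the unit's primary address.
## The knob is hidden from CLI help on the releases discussed in the thread
## but is accepted and committed.
set security ike gateway HUB-GW local-address 192.0.2.2

## Route-based VPN bound to an st0 unit.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn HUB-VPN bind-interface st0.0
set security ipsec vpn HUB-VPN ike gateway HUB-GW
set security ipsec vpn HUB-VPN ike ipsec-policy IPSEC-POL
```

After commit, check which address the SAs were actually negotiated on with `show security ike security-associations detail`; the local address shown there should be 192.0.2.2, not the primary 192.0.2.1.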

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
A little vague question, but I will try. The hub is dynamic (PKI + distinguished names). Spokes connect to the external IF of the hub. Jeff, regarding loopbacks: would you configure an IP from the external scope (have a /29) as a loopback to run the VPN via? Never thought of having a loopback in the

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mike Devlin
Are you using the local-address config line under edit security ike gateway blah? On Tue, May 6, 2014 at 8:24 AM, Mattias Gyllenvarg wrote: > Turns out the hub node cannot use a "secondary" IP as the gateway > IP for the IPsec termination. > This works on SRX240 in a very similar installation.

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Jeff McAdams
You might consider (at least as a workaround) using lt- interfaces as "additional loopbacks". I've had success using lt- ints as holders of a gateway IP when, for reasons like what you mentioned, I didn't want them on a physical interface and couldn't make it work on a loopback (not being able t

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-06 Thread Mattias Gyllenvarg
Turns out the hub node cannot use a "secondary" IP as the gateway IP for the IPsec termination. This works on SRX240 in a very similar installation, but not on the SRX210HE2 in this installation. //Mattias Gyllenvarg On Fri, May 2, 2014 at 5:07 PM, Mike Devlin wrote: > config please >

Re: [j-nsp] Site-To-Site VPN woes again

2014-05-02 Thread Mike Devlin
Config please. On Fri, May 2, 2014 at 9:33 AM, Mattias Gyllenvarg wrote: > Hi all, > > I have been cracking my skull on this one for a while now and I am not > getting anywhere I want to go. So, here is a nut for anyone proficient in > site-to-site VPN with PKI and distinguished names on SRX. > >

[j-nsp] Site-To-Site VPN woes again

2014-05-02 Thread Mattias Gyllenvarg
Hi all, I have been cracking my skull on this one for a while now and I am not getting anywhere I want to go. So, here is a nut for anyone proficient in site-to-site VPN with PKI and distinguished names on SRX. TL;DR: New installation of a setup I already have working on a global scale. Only differ