VPN monitor in SRX
6/17/2023

There may be cases in our network where we want to fail over to the secondary node when the Internet connection or the link breaks. In a Juniper SRX cluster, you can configure failover so that it is initiated when a specified IP address becomes unreachable. The interface monitoring feature configured in a redundancy group cannot accomplish such a failover, so there is another feature called IP monitoring. IP monitoring lets you monitor a specific IP address and, when that address is unreachable, failover is initiated. You can easily configure IP monitoring in an SRX cluster. Generally, the IP address to be monitored is the gateway IP address.

In our scenario, we already have an active/passive SRX cluster configured. As seen in the diagram below, SRX node 0 is primary and node 1 is secondary. The public IP address configured on reth0 is 2.2.2.2/29 and the gateway used to reach the Internet is 2.2.2.1.

![]()

As shown below, if one of the Internet links between the switch and the ISP fails, the Internet connection will not be available. So the IP monitoring feature must be configured in order to switch the SRX cluster node if one of the links between the switch and the Internet fails.

The SRX redundancy group configuration looks like this:

To view the IP monitoring status, type the following command:

show chassis cluster ip-monitoring status redundancy-group 1

As you can see, node 0 and node 1 are reachable.

Now, in our scenario, if the primary Internet link between the switch and the ISP fails, node 1 will become primary for the chassis cluster and Internet traffic will be sent by node 1 via the secondary Internet link. In this way you can configure IP monitoring in an SRX cluster depending upon your scenario.

It's been almost more than a week, but I seem to have no answer for this and can't really figure out how to solve this:

I am using Fedora/CentOS Linux and have a Juniper SRX210 gateway configured as a site-to-site IPsec VPN. When I try to connect my Linux box to the Juniper, Juniper always shows 0 tunnels up. The goal is to have Site 4 (Fedora/CentOS) connect to Site 1:

Please find below my configuration for both ends:

1. Generated Configuration (Route-based):

Juniper configuration prepared by this tool:

# Configure interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 10.2.2.2/24
set routing-options static route 192.168.1.0/24 next-hop st0.0
set routing-options static route 192.168.3.0/24 next-hop st0.0
set routing-options static route 192.168.4.0/24 next-hop st0.0
# Configure security zones, assign interfaces to the zones & host-inbound services for each zone
set security zones security-zone vpn interfaces st0.0
#set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ike
# Configure address book entries for each zone
set security ike policy ike-policy-cfgr mode main
set security ike policy ike-policy-cfgr proposal-set standard
set security ike policy ike-policy-cfgr pre-shared-key ascii-text "_YouHackersStayAwayFromMyPassword_"
# Configure IKE gateway with peer IP address, IKE policy and outgoing interface
set security ike gateway ike-gate-cfgr ike-policy ike-policy-cfgr
set security ike gateway ike-gate-cfgr address 98.0.0.2
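The following is an added illustrative Junos configuration for the IP monitoring setup the post describes; it is not the post's own configuration. It assumes reth0 belongs to redundancy group 1, node priorities of 200/100, and a secondary probe address 2.2.2.3 in the reth0 subnet; the weight, threshold and retry values are assumed, only the addresses 2.2.2.2/29 and 2.2.2.1 come from the post.

```junos
# Added example (not from the post). Addresses 2.2.2.2/29 and 2.2.2.1 are
# from the post; priorities, weights, thresholds, retry values and the
# secondary probe address 2.2.2.3 are assumptions.

# Redundancy group 1: node 0 preferred, node 1 backup. preempt lets node 0
# take the group back once its path to the gateway is restored.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 preempt

# reth0 carries the public address and is a member of RG1.
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 2.2.2.2/29

# IP monitoring of the ISP gateway. When the combined weight of unreachable
# targets reaches global-threshold, global-weight is deducted from the
# group's threshold (255), so RG1 fails over to node 1.
set chassis cluster redundancy-group 1 ip-monitoring global-weight 255
set chassis cluster redundancy-group 1 ip-monitoring global-threshold 100
set chassis cluster redundancy-group 1 ip-monitoring retry-interval 3
set chassis cluster redundancy-group 1 ip-monitoring retry-count 10
set chassis cluster redundancy-group 1 ip-monitoring family inet 2.2.2.1 weight 100

# The secondary node probes the gateway from its own address in the reth0
# subnet, so each node's path through its switch and ISP link is tested.
set chassis cluster redundancy-group 1 ip-monitoring family inet 2.2.2.1 interface reth0.0 secondary-ip-address 2.2.2.3
```

After committing, the post's command `show chassis cluster ip-monitoring status redundancy-group 1` shows the per-node reachability of 2.2.2.1 and the remaining weight; a node whose ISP link has failed reports the gateway as unreachable while the other node still reports it as reachable.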