Multiple VPN’s on SRX using Loopbacks

Anyone who has tried to configure a Juniper SRX and source VPNs from a loopback (as you would on a Cisco) will have run into a problem: only one loopback is permitted per VRF (or routing-instance). You can assign multiple IP addresses to the lo0.nnn interface, but a VPN can only be sourced from an interface rather than from one of its addresses.

The following example shows a snippet from the security section of the configuration; the undocumented command ‘local-address’ appears in each gateway stanza and selects which loopback address that gateway is sourced from.

** Updated 05/02/15 **
Note that with more recent versions of JunOS (12.xx.x) it transpires that RSA certificate authentication only works using the primary IP address on an interface. When pre-shared keys are used, multiple IP addresses still work.

security {
    pki {
        ca-profile MY-ROOTCA {
            ca-identity ca-root;
            revocation-check {
                crl {
                    url http://x.x.x.x/myroot.crl;
                    refresh-interval 1;
                }
            }
        }
        ca-profile MY-SUBCA {
            ca-identity ca-sub;
            enrollment {
                url http://x.x.x.x:80/certsrv/mscep/mscep.dll;
                retry 40;
                retry-interval 2;
            }
            revocation-check {
                crl {
                    url http://x.x.x.x/mysubca1.crl;
                    refresh-interval 1;
                }
            }
        }
        auto-re-enrollment {
            certificate-id MY-CERT {
                ca-profile-name MY-SUBCA;
                challenge-password "MYPASSWORD";
                re-enroll-trigger-time-percentage 15;
                re-generate-keypair;
            }
        }
    }
    ike {
        proposal MY-IKE-PROPOSAL {
            authentication-method rsa-signatures;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IKE-POLICY {
            mode main;
            description "CESG Interim PRIME-Compliant IKE Policy";
            proposals MY-IKE-PROPOSAL;
            certificate {
                local-certificate MY-CERT;
                peer-certificate-type x509-signature;
            }
        }
        gateway REMOTE-GW1 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.1;
            local-address x.x.x.100;
            external-interface lo0.1;
        }
        gateway REMOTE-GW2 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.2;
            local-address x.x.x.101;
            external-interface lo0.1;
        }
    }
    ipsec {
        proposal MY-IPSEC-PROPOSAL {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IPSEC-POLICY {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals MY-IPSEC-PROPOSAL;
        }
        vpn REMOTE-VPN1 {
            bind-interface st0.1;
            ike {
                gateway REMOTE-GW1;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
        vpn REMOTE-VPN2 {
            bind-interface st0.2;
            ike {
                gateway REMOTE-GW2;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
    }
}
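As an added check that is not part of the original post: a small Python lint over `show configuration | display set` output that flags any gateway whose `local-address` is not configured on its `external-interface` and, following the update above, any gateway using `rsa-signatures` whose `local-address` is not the primary address of that interface. The sample configuration is constructed for this example (it supplies the lo0.1 address block the post omits and uses RFC 5737 placeholder addresses); the gateway, policy and proposal names mirror the post.

```python
import ipaddress

# Constructed 'show configuration | display set' output, not from the original post.
# Adds the lo0.1 addresses the post omits plus a pre-shared-key gateway for contrast.
SAMPLE_SET_CONFIG = """
set interfaces lo0 unit 1 family inet address 192.0.2.100/32
set interfaces lo0 unit 1 family inet address 192.0.2.101/32
set security ike proposal MY-IKE-PROPOSAL authentication-method rsa-signatures
set security ike proposal MY-PSK-PROPOSAL authentication-method pre-shared-keys
set security ike policy MY-IKE-POLICY proposals MY-IKE-PROPOSAL
set security ike policy MY-PSK-POLICY proposals MY-PSK-PROPOSAL
set security ike gateway REMOTE-GW1 ike-policy MY-IKE-POLICY
set security ike gateway REMOTE-GW1 local-address 192.0.2.100
set security ike gateway REMOTE-GW1 external-interface lo0.1
set security ike gateway REMOTE-GW2 ike-policy MY-IKE-POLICY
set security ike gateway REMOTE-GW2 local-address 192.0.2.101
set security ike gateway REMOTE-GW2 external-interface lo0.1
set security ike gateway REMOTE-GW3 ike-policy MY-PSK-POLICY
set security ike gateway REMOTE-GW3 local-address 192.0.2.101
set security ike gateway REMOTE-GW3 external-interface lo0.1
"""

def lint_ike_gateways(set_config):
    """Return (gateway, message) findings for IKE gateways sourced from a loopback."""
    addrs, primary, rsa_props, policy_props, gws = {}, {}, set(), {}, {}
    for line in set_config.strip().splitlines():
        s = line.split()[1:]  # drop the leading 'set'
        if s[0] == "interfaces" and "address" in s:
            unit = f"{s[1]}.{s[3]}"  # e.g. lo0 + unit 1 -> lo0.1
            addr = s[s.index("address") + 1].split("/")[0]
            addrs.setdefault(unit, []).append(addr)
            if s[-1] == "primary":
                primary[unit] = addr
        elif s[:3] == ["security", "ike", "proposal"] and s[4:] == ["authentication-method", "rsa-signatures"]:
            rsa_props.add(s[3])
        elif s[:3] == ["security", "ike", "policy"] and s[4] == "proposals":
            policy_props.setdefault(s[3], []).append(s[5])
        elif s[:3] == ["security", "ike", "gateway"]:
            gws.setdefault(s[3], {})[s[4]] = s[5]
    findings = []
    for gw, a in gws.items():
        unit, local = a.get("external-interface"), a.get("local-address")
        if local not in addrs.get(unit, []):
            findings.append((gw, f"local-address {local} is not configured on {unit}"))
            continue
        # Junos treats the numerically lowest address as primary unless one is tagged 'primary'.
        prim = primary.get(unit) or min(addrs[unit], key=ipaddress.ip_address)
        uses_rsa = any(p in rsa_props for p in policy_props.get(a.get("ike-policy"), []))
        if uses_rsa and local != prim:
            findings.append((gw, f"rsa-signatures with non-primary local-address {local} (primary is {prim})"))
    return findings

if __name__ == "__main__":
    for gw, msg in lint_ike_gateways(SAMPLE_SET_CONFIG):
        print(f"{gw}: {msg}")
```

On the sample only REMOTE-GW2 is reported: it uses certificates from the second loopback address, while REMOTE-GW3 on the same address passes because it uses pre-shared keys.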