Multiple VPNs on SRX using Loopbacks

Anyone who has tried to configure a Juniper SRX and source VPNs from a loopback (as you would on Cisco) will have run into a problem: only one loopback is permitted per VRF (routing-instance). You can assign multiple IP addresses to the lo0.nnn interface, but a VPN can only be sourced from an interface, not from a chosen address on it.

The following example is a snippet from the security section of the configuration. The undocumented ‘local-address’ statement appears in each ‘gateway’ stanza and selects which of the lo0.1 addresses that gateway uses.

** Updated 05/02/15 **
Note that with more recent versions of JunOS (12.xx.x) it transpires that RSA certificate authentication only works using the primary IP address on an interface. When pre-shared keys are used, multiple IP addresses still work.

security {
    pki {
        ca-profile MY-ROOTCA {
            ca-identity ca-root;
            revocation-check {
                crl {
                    url http://x.x.x.x/myroot.crl;
                    refresh-interval 1;
                }
            }
        }
        ca-profile MY-SUBCA {
            ca-identity ca-sub;
            enrollment {
                url http://x.x.x.x:80/certsrv/mscep/mscep.dll;
                retry 40;
                retry-interval 2;
            }
            revocation-check {
                crl {
                    url http://x.x.x.x/mysubca1.crl;
                    refresh-interval 1;
                }
            }
        }
        auto-re-enrollment {
            certificate-id MY-CERT {
                ca-profile-name MY-SUBCA;
                challenge-password "MYPASSWORD";
                re-enroll-trigger-time-percentage 15;
                re-generate-keypair;
            }
        }
    }
    ike {
        proposal MY-IKE-PROPOSAL {
            authentication-method rsa-signatures;
            dh-group group5;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IKE-POLICY {
            mode main;
            description "CESG Interim PRIME-Compliant IKE Policy";
            proposals MY-IKE-PROPOSAL;
            certificate {
                local-certificate MY-CERT;
                peer-certificate-type x509-signature;
            }
        }
        gateway REMOTE-GW1 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.1;
            /* undocumented: picks which lo0.1 address sources this IKE session */
            local-address x.x.x.100;
            external-interface lo0.1;
        }
        gateway REMOTE-GW2 {
            ike-policy MY-IKE-POLICY;
            address x.x.x.2;
            /* a second gateway on the same interface, sourced from another address */
            local-address x.x.x.101;
            external-interface lo0.1;
        }
    }
    ipsec {
        proposal MY-IPSEC-PROPOSAL {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 420;
        }
        policy MY-IPSEC-POLICY {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals MY-IPSEC-PROPOSAL;
        }
        vpn REMOTE-VPN1 {
            bind-interface st0.1;
            ike {
                gateway REMOTE-GW1;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
        vpn REMOTE-VPN2 {
            bind-interface st0.2;
            ike {
                gateway REMOTE-GW2;
                ipsec-policy MY-IPSEC-POLICY;
            }
            establish-tunnels immediately;
        }
    }
}
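As an added sanity check (not part of the original post or of any Juniper tooling), the following Python parses a constructed Junos-style fragment and flags each IKE gateway whose ‘local-address’ is not configured on its ‘external-interface’, or which uses certificate authentication from a non-primary address, the restriction described in the update note above. All names and addresses in the sample are invented.

```python
import re
# Constructed sample (RFC 5737 addresses, invented names): GW1 uses certificates on the
# primary address, GW2 certificates on a secondary address, GW3 a pre-shared key on that
# same secondary address, GW4 an address that is not on lo0.1 at all.
SAMPLE = """
interfaces { lo0 { unit 1 { family inet { address 192.0.2.100/32 { primary; }
    address 192.0.2.101/32; } } } }
security { ike {
    policy CERT-POLICY { certificate { local-certificate MY-CERT; } }
    policy PSK-POLICY { pre-shared-key ascii-text "constructed"; }
    gateway REMOTE-GW1 { ike-policy CERT-POLICY; local-address 192.0.2.100; external-interface lo0.1; }
    gateway REMOTE-GW2 { ike-policy CERT-POLICY; local-address 192.0.2.101; external-interface lo0.1; }
    gateway REMOTE-GW3 { ike-policy PSK-POLICY; local-address 192.0.2.101; external-interface lo0.1; }
    gateway REMOTE-GW4 { ike-policy CERT-POLICY; local-address 192.0.2.102; external-interface lo0.1; }
} }"""

def parse_junos(text):
    """Nested dicts keyed by full statement text (leaves map to {}), so repeated 'address' keys coexist."""
    node, stack = {}, []
    for tok in (t.strip() for t in re.findall(r'[^{};]+[{;]|\}', text)):
        if tok == '}':
            node = stack.pop()
        else:
            child = node.setdefault(tok[:-1].strip(), {})
            if tok.endswith('{'):
                stack.append(node)
                node = child
    return node

def first(node, prefix):  # value of the first statement starting with prefix, else None
    return next((k[len(prefix) + 1:] for k in node if k.startswith(prefix + ' ')), None)

def interface_addresses(cfg, ifname):
    """Map each address on <ifd>.<unit> (prefix length dropped) to whether it is flagged primary."""
    ifd, unit = ifname.split('.')
    inet = cfg['interfaces'][ifd]['unit ' + unit]['family inet']
    return {k.split()[1].split('/')[0]: 'primary' in v
            for k, v in inet.items() if k.startswith('address ')}

def check_gateways(cfg):
    """Return {gateway: problem} for every IKE gateway violating one of the two constraints."""
    ike, issues = cfg['security']['ike'], {}
    for key, gw in ((k, v) for k, v in ike.items() if k.startswith('gateway ')):
        name, local = key.split()[1], first(gw, 'local-address')
        addrs = interface_addresses(cfg, first(gw, 'external-interface'))
        policy = ike.get('policy ' + first(gw, 'ike-policy'), {})
        if local not in addrs:
            issues[name] = 'local-address %s is not configured on the external-interface' % local
        elif 'certificate' in policy and not addrs[local]:
            issues[name] = 'certificate authentication only works from the primary address'
    return issues
```

Running check_gateways(parse_junos(SAMPLE)) reports REMOTE-GW2 and REMOTE-GW4 only; the pre-shared-key gateway on the secondary address passes, matching the behaviour noted in the update.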