Thanks for the help all. The tunnels are up and working great. I have to schedule a maintenance window to verify that st0 follows the active cluster member. Assume it will work - I'll report back only if it doesn't :)
On Mon, May 5, 2014 at 5:50 PM, Ben Dale <[email protected]> wrote:

> Further to Morgan and Andrew's comments, the st0 interface will follow
> whichever interface you have bound to the "external-interface" in your IKE
> Gateway configuration (ge-0/0/0.0 in the AWS example), so if you bind this
> to a reth (and have the st0 interface in the same redundancy group) you'll
> be golden.
>
> On 6 May 2014, at 10:44 am, Morgan McLean <[email protected]> wrote:
>
> > Andy,
> >
> > Assuming you have your own IP space, you put a public address on the
> > loopback. Whichever member is active for lo0 will handle the IPSEC if I
> > recall.
> >
> > There's some Juniper docs on the details. st0 will always be on whichever
> > node is primary.
> >
> > Thanks,
> > Morgan
> >
> > On Mon, May 5, 2014 at 5:37 PM, Andrew Jones <[email protected]> wrote:
> >
> >> You don't need to do anything special to make the st0 interface redundant,
> >> it will always run on the active node.
> >>
> >> On 06.05.2014 08:38, Andy Litzinger wrote:
> >>
> >>> Hi Morgan,
> >>>
> >>> I presume that with regards to the loopback you are referring to the
> >>> external interface I use as my IPSec peer toward Amazon?
> >>>
> >>> What about the internal logical st interface that I need to create in
> >>> order to route my internal traffic into the tunnel? How do I make that
> >>> redundant?
> >>>
> >>> Thanks!
> >>> -andy
> >>>
> >>> On Mon, May 5, 2014 at 3:30 PM, Morgan McLean <[email protected]> wrote:
> >>>
> >>>> Use your loopback and put that in a reth.
> >>>>
> >>>> Thanks,
> >>>> Morgan
> >>>>
> >>>> On Mon, May 5, 2014 at 3:23 PM, Andy Litzinger <[email protected]> wrote:
> >>>>
> >>>>> Hi All,
> >>>>> Two related questions. I have a pair of SRX 3400s in an Active/Passive
> >>>>> cluster. They rely on an external gateway for internet access (i.e. my
> >>>>> ISPs don't terminate on the SRXs). I am setting up redundant tunnels to
> >>>>> an AWS VPC. Amazon has an example for J-Series
> >>>>> (http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Juniper.html),
> >>>>> but I don't think it's for a cluster set-up.
> >>>>>
> >>>>> Here are my questions:
> >>>>>
> >>>>> 1 - If I want to set up a redundant secure tunnel interface (e.g. st0),
> >>>>> should I bind it to a reth interface?
> >>>>>
> >>>>> 2 - Has anyone connected an Active/Passive SRX cluster to an AWS VPC?
> >>>>> Any tips or tricks you care to share?
> >>>>>
> >>>>> regards,
> >>>>> -andy
> >>>>> _______________________________________________
> >>>>> juniper-nsp mailing list [email protected]
> >>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp

