On the east vSRX, we define the IKE gateway (we omit other configuration such as the IKE proposal and policy):

```
set security ike gateway bkp-gw ike-policy ike-pol
set security ike gateway bkp-gw address 172.30.5.0
set security ike gateway bkp-gw address 172.30.6.0
set security ike gateway bkp-gw dead-peer-detection always-send
set security ike gateway bkp-gw dead-peer-detection interval 2
set security ike gateway bkp-gw dead-peer-detection threshold 3
set security ike gateway bkp-gw external-interface ge-0/0/1
```

The key here is to specify two addresses. The vSRX will try to create a session with the first one: 192.30.5.0. As a result, vSRX will establish a tunnel with that endpoint (192.168.5.0, vSRX west). Upon a failure that makes that endpoint unavailable, vSRX will try to establish a tunnel with the second address (192.168.6.0, vSRX oam). This failover procedure is what lets us react to failures and stay fault tolerant.

On the other SRXs (west and oam), the configuration is similar:

```
set security ike gateway east-gw ike-policy ike-pol
set security ike gateway east-gw address 172.30.2.0
set security ike gateway east-gw dead-peer-detection always-send
set security ike gateway east-gw dead-peer-detection interval 2
set security ike gateway east-gw dead-peer-detection threshold 3
set security ike gateway east-gw external-interface ge-0/0/0
```

There, of course, we only have a single address.

On vSRX east, we also enable traceoptions in order to monitor what's going on:

```
set security ike traceoptions file iketr
set security ike traceoptions flag high-availability
```

As said before, vSRX will establish the tunnel with the first address specified in the IKE gateway configuration:

```
run show security ike sa
```
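To make the failover logic above concrete, here is an added Python example (not code from the post or from Juniper): it parses the set-style gateway lines into a structure, models the "first reachable address wins" order the post describes, and audits a gateway for the two things the design depends on, a second address and dead-peer detection. The config string is the post's east-side gateway re-typed inline as a constructed sample; the audit rules and the interval × threshold detection-time estimate are the editor's own assumptions, not documented Junos behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: the east vSRX gateway lines from the post, re-typed inline.
EAST_CONFIG = """
set security ike gateway bkp-gw address 172.30.5.0
set security ike gateway bkp-gw address 172.30.6.0
set security ike gateway bkp-gw dead-peer-detection always-send
set security ike gateway bkp-gw dead-peer-detection interval 2
set security ike gateway bkp-gw dead-peer-detection threshold 3
set security ike gateway bkp-gw external-interface ge-0/0/1
"""

@dataclass
class IkeGateway:
    addresses: List[str] = field(default_factory=list)  # configured order = try order
    dpd_always_send: bool = False
    dpd_interval: Optional[int] = None
    dpd_threshold: Optional[int] = None
GW_RE = re.compile(r"^set security ike gateway (\S+) (.+)$")
def parse_gateways(config: str) -> Dict[str, IkeGateway]:
    # Parse Junos set-style 'security ike gateway' lines; other statements are ignored.
    gws: Dict[str, IkeGateway] = {}
    for m in filter(None, (GW_RE.match(ln.strip()) for ln in config.splitlines())):
        gw = gws.setdefault(m.group(1), IkeGateway())
        parts = m.group(2).split()
        if parts[0] == "address":
            gw.addresses.append(parts[1])
        elif parts[0] == "dead-peer-detection" and parts[1] == "always-send":
            gw.dpd_always_send = True
        elif parts[0] == "dead-peer-detection" and parts[1] in ("interval", "threshold"):
            setattr(gw, "dpd_" + parts[1], int(parts[2]))
    return gws
def dpd_failure_seconds(gw: IkeGateway) -> Optional[int]:
    # Assumed worst-case time to declare the peer dead: interval * threshold (None if unset).
    return gw.dpd_interval * gw.dpd_threshold if gw.dpd_interval and gw.dpd_threshold else None

def select_peer(gw: IkeGateway, reachable: Set[str]) -> Optional[str]:
    # Model the post's failover order: the first configured address that answers wins.
    return next((a for a in gw.addresses if a in reachable), None)

def audit(gw: IkeGateway) -> List[str]:
    # Findings that would defeat the failover design: no second peer, or weak DPD.
    checks = [
        (len(gw.addresses) < 2, "single peer address: this gateway cannot fail over"),
        (not gw.dpd_always_send, "DPD not always-send: a dead peer may go unnoticed while idle"),
        (dpd_failure_seconds(gw) is None, "DPD interval/threshold not set"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `audit(parse_gateways(EAST_CONFIG)["bkp-gw"])` on the east gateway and it returns no findings; the west/oam gateways report their single address, which is by design there.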