VPN local-address support in 12.1X44 & 12.1X45

This describes supported use of local-address for VPN gateways

When the VPN egress interface has multiple IPs associated use of local-address can be used to select a specific IP from the egress interface for VPN use on a per VPN gateway basis

When the VPN egress interface has multiple IPs, the default selection IP used to source VPN traffic is based upon the Primary address on the interface

Use of local-address allows for specifying a specific IP from the egress interface for use of sourcing of VPN traffic on a per VPN gateway basis

The following is a listing of support:

• Prior to 12.1X44 — Hidden and unsupported
• 12.1X44 & 12.1X45 — Hidden and supported (Recommendation to encourage 12.1X46+ if possible)
• 12.1X46 — Unhidden and supported
  
  root@PN-STL-RTR1# run show version Hostname: PN-STL-RTR1 Model: srx210h-poe JUNOS Software Release [12.1X44-D20.3] root@PN-STL-RTR1# set lo? Possible completions: > local-identity Set the local IKE identity <----local-address Hidden entry in 12.1X44 & 12.1X45 [edit security ike gateway to_spokes] root@PN-STL-RTR1# set local-address 3.3.3.3 <----Allowed completion [edit security ike gateway to_spokes] root@PN-STL-RTR1# show ike-policy avpn_ikepol; address 2.2.2.2; local-identity hostname test; external-interface ge-0/0/1; local-address 3.3.3.3; root@PN-STL-RTR1# show interfaces ge-0/0/1 unit 0 { family inet { address 3.3.3.3/24; address 1.1.1.1/24; } } root@PN-STL-RTR1> show interfaces ge-0/0/1.0 Logical interface ge-0/0/1.0 (Index 72) (SNMP ifIndex 544) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Input packets : 137 Output packets: 283 Security: Zone: untrust2 Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp Protocol inet, MTU: 1500 Flags: Sendbcast-pkt-to-re, Is-Primary Addresses, Flags: Is-Preferred Is-Primary Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255 Addresses, Flags: Is-Preferred Destination: 3.3.3/24, Local: 3.3.3.3, Broadcast: 3.3.3.255 root@PN-STL-RTR1> show security ike security-associations detail IKE peer 2.2.2.2, Index 2590165, Gateway Name: to_spokes Role: Initiator, State: UP Initiator cookie: 99b31ead59b69a49, Responder cookie: 2ed2f9920dd7761d Exchange type: Aggressive, Authentication method: Pre-shared-keys Local: 3.3.3.3:500, Remote: 2.2.2.2:500 <---Use of local-address specified in IKE configuration

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53

  root@PN-STL-RTR1# run show version Hostname: PN-STL-RTR1 Model: srx210h-poe JUNOS Software Release [12.1X44-D20.3]   root@PN-STL-RTR1# set lo? Possible completions: > local-identity Set the local IKE identity                       <----local-address Hidden entry in 12.1X44 & 12.1X45 [edit security ike gateway to_spokes] root@PN-STL-RTR1# set local-address 3.3.3.3    <----Allowed completion   [edit security ike gateway to_spokes] root@PN-STL-RTR1# show ike-policy avpn_ikepol; address 2.2.2.2; local-identity hostname test; external-interface ge-0/0/1; local-address 3.3.3.3; root@PN-STL-RTR1# show interfaces ge-0/0/1 unit 0 {   family inet {     address 3.3.3.3/24;     address 1.1.1.1/24;   } }     root@PN-STL-RTR1> show interfaces ge-0/0/1.0 Logical interface ge-0/0/1.0 (Index 72) (SNMP ifIndex 544) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Input packets : 137 Output packets: 283 Security: Zone: untrust2 Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp Protocol inet, MTU: 1500 Flags: Sendbcast-pkt-to-re, Is-Primary Addresses, Flags: Is-Preferred Is-Primary Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255 Addresses, Flags: Is-Preferred Destination: 3.3.3/24, Local: 3.3.3.3, Broadcast: 3.3.3.255     root@PN-STL-RTR1> show security ike security-associations detail IKE peer 2.2.2.2, Index 2590165, Gateway Name: to_spokes Role: Initiator, State: UP Initiator cookie: 99b31ead59b69a49, Responder cookie: 2ed2f9920dd7761d Exchange type: Aggressive, Authentication method: Pre-shared-keys Local: 3.3.3.3:500, Remote: 2.2.2.2:500          <---Use of local-address specified in IKE configuration