This article describes the supported use of local-address for VPN gateways.
When the VPN egress interface has multiple IP addresses, local-address can be used to select a specific IP from that interface for VPN use on a per-VPN-gateway basis.
When the VPN egress interface has multiple IPs, the IP used by default to source VPN traffic is the Primary address on the interface.
Configuring local-address specifies which IP from the egress interface is used to source VPN traffic, on a per-VPN-gateway basis.
Support by release is as follows:
- Prior to 12.1X44 — Hidden and unsupported
- 12.1X44 & 12.1X45 — Hidden and supported (Recommendation to encourage 12.1X46+ if possible)
- 12.1X46 — Unhidden and supported
```
root@PN-STL-RTR1# run show version
Hostname: PN-STL-RTR1
Model: srx210h-poe
JUNOS Software Release [12.1X44-D20.3]

root@PN-STL-RTR1# set lo?
Possible completions:
> local-identity Set the local IKE identity
<----local-address Hidden entry in 12.1X44 & 12.1X45

[edit security ike gateway to_spokes]
root@PN-STL-RTR1# set local-address 3.3.3.3 <----Allowed completion

[edit security ike gateway to_spokes]
root@PN-STL-RTR1# show
ike-policy avpn_ikepol;
address 2.2.2.2;
local-identity hostname test;
external-interface ge-0/0/1;
local-address 3.3.3.3;

root@PN-STL-RTR1# show interfaces ge-0/0/1
unit 0 {
    family inet {
        address 3.3.3.3/24;
        address 1.1.1.1/24;
    }
}

root@PN-STL-RTR1> show interfaces ge-0/0/1.0
Logical interface ge-0/0/1.0 (Index 72) (SNMP ifIndex 544)
  Flags: SNMP-Traps 0x0 Encapsulation: ENET2
  Input packets : 137
  Output packets: 283
  Security: Zone: untrust2
  Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
  ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp
  ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
  rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
  ntp sip r2cp
  Protocol inet, MTU: 1500
    Flags: Sendbcast-pkt-to-re, Is-Primary
    Addresses, Flags: Is-Preferred Is-Primary
      Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255
    Addresses, Flags: Is-Preferred
      Destination: 3.3.3/24, Local: 3.3.3.3, Broadcast: 3.3.3.255

root@PN-STL-RTR1> show security ike security-associations detail
IKE peer 2.2.2.2, Index 2590165, Gateway Name: to_spokes
  Role: Initiator, State: UP
  Initiator cookie: 99b31ead59b69a49, Responder cookie: 2ed2f9920dd7761d
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 3.3.3.3:500, Remote: 2.2.2.2:500 <---Use of local-address specified in IKE configuration
```
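The check performed by eye in the output above can be scripted. The following is an added example, not part of the original article or any Juniper tooling: it parses saved `show interfaces` and `show security ike security-associations detail` text and reports any SA whose Local address differs from the expected source (local-address if set, otherwise the Primary address). The function names, the `GATEWAYS` dict layout and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample input, trimmed from the outputs shown in this article.
IFACE = """\
Addresses, Flags: Is-Preferred Is-Primary
  Destination: 1.1.1/24, Local: 1.1.1.1, Broadcast: 1.1.1.255
Addresses, Flags: Is-Preferred
  Destination: 3.3.3/24, Local: 3.3.3.3, Broadcast: 3.3.3.255
"""
SA = """\
IKE peer 2.2.2.2, Index 2590165, Gateway Name: to_spokes
  Local: 3.3.3.3:500, Remote: 2.2.2.2:500
"""
# Hypothetical dict form of the [edit security ike gateway] configuration.
GATEWAYS = {"to_spokes": {"external-interface": "ge-0/0/1", "local-address": "3.3.3.3"}}

def parse_addresses(show_interfaces: str) -> dict:
    """Map each local IP on the logical interface to True if flagged Is-Primary."""
    addrs, primary = {}, False
    for line in show_interfaces.splitlines():
        line = line.strip()
        if line.startswith("Addresses, Flags:"):
            primary = "Is-Primary" in line
        m = re.match(r"Destination: .*Local: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            addrs[m.group(1)] = primary
    return addrs

def expected_source(addrs: dict, local_address=None) -> str:
    """Source IP the gateway should use: local-address if set, else the Primary address."""
    if local_address is None:
        return next(ip for ip, is_primary in addrs.items() if is_primary)
    if local_address not in addrs:
        raise ValueError(f"local-address {local_address} is not on the external interface")
    return local_address

def audit_sas(sa_detail: str, gateways: dict, addrs: dict) -> list:
    """Return (gateway, expected, observed) for every SA sourced from an unexpected IP."""
    findings, gw = [], None
    for line in sa_detail.splitlines():
        m = re.search(r"Gateway Name: (\S+)", line)
        gw = m.group(1) if m else gw
        m = re.search(r"Local: (\d+\.\d+\.\d+\.\d+):\d+", line)
        if m and gw in gateways:
            want = expected_source(addrs, gateways[gw].get("local-address"))
            if m.group(1) != want:
                findings.append((gw, want, m.group(1)))
    return findings

print(audit_sas(SA, GATEWAYS, parse_addresses(IFACE)))  # [] : SA source matches local-address
```

A `ValueError` from `expected_source` means the configured local-address is not among the addresses parsed from the gateway's external interface.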