so, I think I have found the solution finally.
at both sides I run this command:
show security ike security-associations
Site B showed
Index State Initiator cookie Responder cookie Mode Remote Address
<anumber> DOWN <some data> <0000000000000000> Main <correct ip>
which is logical, since the vpn IS down.
then I ran same on the other side (side A)
it showed this:
Index Remote Address State Initiator cookie Responder cookie Mode
UP Main
UP Main
UP Main
which is strange since again, the vpn is DOWN..
so, I tried to run this command:
clear security ike security-associations index <index from first one above>
and then the vpn came up again... and I finally alro removed the other "old ip" line, and now only have one line (site A)
<anumber> <newip> UP <some data> <some data> Main
and similarly site B shows
<anumber> UP <some data> <some data> Main <correct ip>
and the vpn seems stable.
I did not find this solution on any of the juniper FAQ, and googled a lot, but managed by a bit of luck to solve it. so I wanted to document it a bit here just in case someone (like me) need it.
IF: I am completely wrong here, and what happened here just luck and not related, I do hope that you will comment or edit thanks!
Junos does have DPD and you can use it in conjunction with multiple endpoint IP addresses in a single IKE tunnel.
There is a bit of info about it here (which I've copied below)
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29211&actp=RSS
SUMMARY:
This article explains how redundancy in site-to-site VPN can be achieved using multiple address in gateway and dead-peer-detection.
PROBLEM OR GOAL:
How to use different modes of dead-peer-detection for VPN failover .
CAUSE:
SOLUTION:
The gateway for VPN redundancy can be configured with the following commands :
set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24
set interfaces st0 unit 0 family inet
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set security ike policy p1 mode main
set security ike policy p1 proposal-set standard
set security ike policy p1 pre-shared-key ascii-text "$9$21oZjmfzCtOHqtO1RlegoJ"
set security ike gateway g1 ike-policy p1
set security ike gateway g1 address 2.2.2.1
set security ike gateway g1 address 3.3.3.1
set security ike gateway g1 dead-peer-detection interval 10
set security ike gateway g1 dead-peer-detection threshold 3
set security ike gateway g1 external-interface fe-0/0/0
set security ipsec policy p1 proposal-set standard
set security ipsec vpn v1 bind-interface st0.0
set security ipsec vpn v1 ike gateway g1
set security ipsec vpn v1 ike ipsec-policy p1
set security ipsec vpn v1 establish-tunnels immediately
The first address in the order of configuration is the one chosen to negotiate the tunnel:
gateway g1 {
ike-policy p1;
address [ 2.2.2.1 3.3.3.1 ];
dead-peer-detection {
interval 10;
threshold 3;
}
external-interface fe-0/0/0;
}
The above configuration is in dead-peer-detection optimal mode. It sends probes if packets were sent out (encrypted packets), but no packets were received (decrypted) for the configured interval. Three probe-packets are sent at 10 second intervals.
root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6770125 UP d570a30c806721ea ccc1572d2f763981 Main 2.2.2.1
root@srx# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 1debda06 3397/ unlim - root 500 2.2.2.1
>131073 ESP:3des/sha1 7a7dff24 3397/ unlim - root 500 2.2.2.1
As soon as the tunnel drops, dead-peer-detection comes into play. If a response is not received from the peer in 30 seconds, the failover takes place and the tunnel is negotiated with 3.3.3.1 and vice-versa.
root@srx# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6770151 UP 36a2e145e0fd2c10 b3abc0b135cf33fe Main 3.3.3.1
root@srx# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 2420b2bd 3598/ unlim - root 500 3.3.3.1
>131073 ESP:3des/sha1 5c8bb9da 3598/ unlim - root 500 3.3.3.1
Always-Send mode for dead-peer-detection:
In order to instruct the device to send dead-peer-detection requests, regardless of whether or not there is outgoing IPSec traffic to the peer, the following command is also needed:
set security ike gateway g1 dead-peer-detection always-send
UPDATE
I have configured this in a test lab and confirm that it works well. I have 3 devices, S3, S4 and S5.
S4 and S5 both have a basic IPSEC tunnel configured to connect to S3 (7.7.7.22 in my example). The config is dead simple and the same on both devices
ike {
gateway s3-gw {
ike-policy ike-policy;
address 7.7.7.22;
external-interface ge-0/0/1.0;
}
}
ipsec {
policy standard-ipsec-policy {
proposal-set standard;
}
vpn s3 {
bind-interface st0.0;
ike {
gateway s3-gw;
ipsec-policy standard-ipsec-policy;
}
establish-tunnels immediately;
}
}
The device S3 has a config that is very similar to the above but has 2 gateways listed and DPD enabled.
The relevant section is in the IKE config
gateway s4-s5-gw {
address [ 7.7.7.21 192.168.211.2 ];
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
external-interface ge-0/0/1.0;
}
This brings up the tunnel as such
root@TEST-srx3> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1404200 UP 2f4f0465dc8c4556 d2e6022d0dc213c3 Main 7.7.7.21
root@TEST-srx3> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 d4428f3 3170/ unlim - root 500 7.7.7.21
>131073 ESP:3des/sha1 5cda9108 3170/ unlim - root 500 7.7.7.21
If I deactivate the IKE/IPSEC config sections on S4 the tunnel drops and then comes back up connected to the 2nd gateway
root@TEST-srx3> show security ike security-associations
root@TEST-srx3> show security ipsec sa
Total active tunnels: 0
Then after about 30 seconds (10 x 3)
root@TEST-srx3> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1404202 UP 35e54d457be6132f 0444ae31577c71a2 Main 192.168.211.2
root@TEST-srx3> show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 93043b2 3595/ unlim - root 500 192.168.211.2
>131073 ESP:3des/sha1 e5c551e4 3595/ unlim - root 500 192.168.211.2
If you need any help post some config snippets and I'll do my best to have a look!
UPDATE 2
I have built this whole thing in a mini lab. The problem I have found is that while you can use multiple gateways in your IKE configuration you will still need to have an IPSEC tunnel per ISP on each device. This is because you have multiple source IP addresses you want to potentially make an IPSEC tunnel from.
![Lab Config](https://i.stack.imgur.com/idqYY.png)
To save me posting a lot of config each SRX (A and B) has two IPSEC tunnels configured as shown below. The things to note are I'm using a single tunnel interface on each device, these are set to multipoint. You could use multiple ones if you wanted.
This config will provide full redundancy if a single ISP at site A and/or site B goes down.
I tested this by dropping the linked between SRX-A and SRX-1 and then dropping SRX-B and SRX-4. Due to me using BGP and DPD it took just over a minute for the tunnel to come back up but worked well!
Hopefully this will ultimately help you sort out your config!
SRX-A IPSEC Config
ike {
gateway SRX-B_via_ISP1 {
ike-policy ike-policy;
address [ 6.6.6.6 5.5.5.5 ];
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
external-interface lo0.10;
local-address 7.7.7.5;
}
gateway SRX-B_via_ISP2 {
ike-policy ike-policy;
address [ 6.6.6.6 5.5.5.5 ];
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
external-interface lo0.10;
local-address 8.8.8.9;
}
}
ipsec {
policy standard-ipsec-policy {
proposal-set standard;
}
vpn SRX-B_via_ISP1 {
bind-interface st0.0;
ike {
gateway SRX-B_via_ISP1;
ipsec-policy standard-ipsec-policy;
}
establish-tunnels immediately;
}
vpn SRX-B_via_ISP2 {
bind-interface st0.0;
ike {
gateway SRX-B_via_ISP2;
ipsec-policy standard-ipsec-policy;
}
establish-tunnels immediately;
}
}
Best Answer
Actually I think most of what you are trying to achieve is answered in that document: http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
Since this kind of setup requires two routing instances (one flow based and another packet based) you should be able to use a local "LAN" IP on both sides of the SRX as long as you use two different interfaces.
The SRXes you need to use must be of "HighMemory" type IE: SRX100H (not SRX100B) to be able to support GRE fragmentation.