Experts, I have a quick question here.
I have to configure a route-based ipsec vpn. I am using a reth interface for the gateway interface, so that is ok, but the example HERE for "Configuring Redundancy Groups for Loopback Interfaces" seems to indicate that I also have to create a st0 interface that is redundant. Is that correct, that it is necessary to maintain HA, or does the reth interface solve that? I don't know if it is necessary or not.
The HA should take over the VPN with no problem.
The tunnel interface and the gateway external interface are two different concepts. The gateway external interface provides reachability to the peer gateway for IKE negotiation. Suppose, in a chassis cluster environment, you can reach your peer IPsec gateway through two different reths: if reachability through reth0 (configured as the gateway external interface) is not possible but reth1 can still reach the peer gateway, your tunnel will be down, as the peer IPsec gateway is unreachable through the gateway external interface. But if you configure lo0.x as the external interface, it will reach the peer gateway by using reachability information from either reth; if one reth is unable to reach the peer gateway then the other reth will be used by lo0.x to reach the peer gateway, and the tunnel will not go down.
Now the tunnel interface: it need not be configured as redundant, because it will use reachability information through lo0.x and tunnel sessions are synchronized over the fabric link. If one cluster node goes down then the tunnel will still be functional on the second node, as the sessions are already synchronized.
Please mark this as the accepted solution if it works for you.
Kudos are a good way of showing appreciation.
Hi, so just to confirm: I should NOT use the reth interface as the gateway on my side; I should use a lo0 as the external interface? I have two reths, both reachable externally, but you are saying that having a lo0 interface as the gateway external interface maximizes the reachability, which is preferable to having a reth as the external interface. However, is it a problem that both reths are in different security zones?
Can I just put that lo0 interface in a vpn zone, and have policies that allow from other zones to that?
Then, as you say, I can just create an st0 interface (in that vpn zone), that is not redundant.
I find that if I can repeat it back, then I am sure I know what you are saying. Also, I don't know if the two links that you sent were intended for me, but the second doesn't work.
Sorry, I pasted irrelevant links in the previous post. The exact links are pasted above.
Yes, making lo0.x the gateway external interface is a good idea if you can reach the remote gateway through multiple reths. If one reth is not able to reach the remote external gateway then the other reth will serve lo0.x. Now, if both reths are in different zones then this might not serve the design well, because if one reth is unable to reach the remote gateway (suppose this is the primary link to reach the remote gateway) then lo0.x will try to reach the remote gateway through the second reth, but that reth is in a different zone, so a new session will be established; there might be a little bit of tunnel flapping.
Put lo0.x and st0.0 in the vpn zone and, if your design allows, put both reths (through which the external gateway is reachable) in the same zone.
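The layout recommended in this answer, written out as Junos set commands. This is an added example, not configuration from the thread or from Juniper documentation; the interface units, addresses, zone, policy and gateway names, redundancy-group number and pre-shared key are all assumed placeholders.

```junos
## Added example (not from the thread). Assumed: reth0/reth1 both reach the
## peer 203.0.113.1, lo0.0 is the IKE external interface, st0.0 carries traffic.

## Both reths that can reach the peer sit in the SAME zone (untrust), so a
## failover from reth0 to reth1 does not move the IKE session across zones.
set interfaces reth0 unit 0 family inet address 192.0.2.10/25
set interfaces reth1 unit 0 family inet address 192.0.2.138/25
set security zones security-zone untrust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0

## Loopback used as the gateway external interface; tie it to redundancy
## group 1 so it follows the cluster failover (assumed RG number).
set interfaces lo0 unit 0 family inet address 198.51.100.1/32
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1

## Reachability to the peer via either reth: primary next hop on reth0's
## subnet, qualified (backup) next hop on reth1's subnet.
set routing-options static route 203.0.113.1/32 next-hop 192.0.2.1
set routing-options static route 203.0.113.1/32 qualified-next-hop 192.0.2.129 preference 10

## Tunnel interface: plain st0.0, NOT a redundant interface.
set interfaces st0 unit 0 family inet
set routing-options static route 10.2.0.0/16 next-hop st0.0

## lo0.0 and st0.0 share the vpn zone; IKE must be allowed inbound there.
set security zones security-zone vpn interfaces lo0.0
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic system-services ike

## IKE gateway bound to lo0.0 rather than to a reth (placeholder PSK).
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposal-set standard
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway GW-PEER ike-policy IKE-POL
set security ike gateway GW-PEER address 203.0.113.1
set security ike gateway GW-PEER external-interface lo0.0

## Route-based VPN bound to st0.0.
set security ipsec policy IPSEC-POL proposal-set standard
set security ipsec vpn VPN-PEER bind-interface st0.0
set security ipsec vpn VPN-PEER ike gateway GW-PEER
set security ipsec vpn VPN-PEER ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PEER establish-tunnels immediately

## Inter-zone policy from trust into the vpn zone (any/any is a placeholder;
## restrict to the real prefixes and applications in production).
set security policies from-zone trust to-zone vpn policy TO-VPN match source-address any
set security policies from-zone trust to-zone vpn policy TO-VPN match destination-address any
set security policies from-zone trust to-zone vpn policy TO-VPN match application any
set security policies from-zone trust to-zone vpn policy TO-VPN then permit
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` on both nodes should show the same SA; the tunnel should survive a redundancy-group failover without renegotiating.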