Hi All
I walked into the same issue today. The workaround proposed by TRUKonsult worked,
but the real problem seems to be the following. If VPNs are defined this way:
lab@srxB-2# show security ipsec
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-pol;
    }
}
vpn vpn2 {
    bind-interface st0.1;
    ike {
        gateway gw2;
        ipsec-policy ipsec-pol;
    }
}
then st0 units are always up:
lab@srxB-2# run show interfaces st0 terse
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet
st0.1                   up    up   inet
which makes VPN failover work incorrectly (traffic is easily black-holed).
After adding "establish-tunnels immediately", the behavior changes. Only units
that actually have an active phase 2 SA are up:
lab@srxB-2# show security ipsec
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-pol;
    }
    establish-tunnels immediately;
}
vpn vpn2 {
    bind-interface st0.1;
    ike {
        gateway gw2;
        ipsec-policy ipsec-pol;
    }
    establish-tunnels immediately;
}
lab@srxB-2# run show interfaces st0 terse
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet
st0.1                   up    down inet
I am now going to ask a silly question. Is this by design? Is it documented anywhere?
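As an added example (not part of the original post and not Juniper code), a small Python audit that parses "show security ipsec" output and the st0 terse listing from this post and flags every VPN bound to an st0 unit that lacks "establish-tunnels immediately", since such a unit reports link up regardless of SA state. The embedded sample text is a constructed, compacted copy of the first configuration above.

```python
# Constructed sample, compacted from the post's first configuration (no
# establish-tunnels line) and the matching 'show interfaces st0 terse' output.
CONFIG = """\
vpn vpn1 {
    bind-interface st0.0;
    ike { gateway gw1; ipsec-policy ipsec-pol; }
}
vpn vpn2 {
    bind-interface st0.1;
    ike { gateway gw2; ipsec-policy ipsec-pol; }
}
"""
TERSE = """\
Interface Admin Link Proto Local Remote
st0 up up
st0.0 up up inet
st0.1 up up inet
"""

def parse_ipsec_vpns(config_text):
    """Map vpn name -> {'bind_interface', 'immediate'}; brace depth is tracked
    so statements inside nested ike {} blocks stay attributed to their vpn."""
    vpns, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0 and line.startswith("vpn ") and line.endswith("{"):
            current = line.split()[1]
            vpns[current] = {"bind_interface": None, "immediate": False}
        elif current and line.startswith("bind-interface "):
            vpns[current]["bind_interface"] = line.split()[1].rstrip(";")
        elif current and line == "establish-tunnels immediately;":
            vpns[current]["immediate"] = True
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None  # closed the vpn block
    return vpns

def parse_terse(output):
    """Map interface name -> link state from 'show interfaces ... terse'."""
    rows = (l.split() for l in output.splitlines() if not l.startswith("Interface"))
    return {r[0]: r[2] for r in rows if len(r) >= 3}

def audit(config_text, terse_output):
    """Flag VPNs bound to an st0 unit without 'establish-tunnels immediately':
    the unit's link stays up regardless of the phase 2 SA, so routes over it can black-hole."""
    link = parse_terse(terse_output)
    return [f"{name}: {v['bind_interface']} (link {link.get(v['bind_interface'], '?')}) "
            "lacks establish-tunnels immediately"
            for name, v in parse_ipsec_vpns(config_text).items()
            if v["bind_interface"] and v["bind_interface"].startswith("st0.") and not v["immediate"]]
```

Run audit(CONFIG, TERSE) against the first configuration and both VPNs are reported; after adding the establish-tunnels line to each vpn block, the audit returns an empty list.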