Loopback interface for chassis cluster VPN

An Internet Key Exchange (IKE) gateway needs an external interface to communicate with a peer device. In a chassis cluster setup, the node on which the external interface is active selects a Services Processing Unit (SPU) to support the VPN tunnel. IKE and IPsec packets are processed on that SPU. Therefore, the active external interface determines the anchor SPU. In a chassis cluster setup, this external interface can be the reth interface or a standalone interface. These interfaces can go down when the physical interfaces are down. Therefore, loopback interfaces can be used to reach the peer gateway because they are alternate physical interfaces. This feature allows the loopback interface to be configured for any redundancy group. This redundancy group configuration is only checked for VPN packets, because only VPN packets must find the anchor SPU through the active interface. On branch SRX Series devices, the lo0 pseudointerface can be configured in any redundancy group; for example, RG0, RG1, RG2, and so on.