11-03-2011 02:06 AM
I am new to doing VPN on SRX, and am facing an issue here.
When I run "commit check" I get the following message:
root# commit check
[edit security zones security-zone trust]
'interfaces st0.0'
Interface st0.0 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed
---------------------------
I saw some configuration samples where st0.0 is assigned to an interface and a routing instance, and this zone also has multiple interfaces. Can anyone help me solve it? Thank you very much.
-----------------------------
Below is my incomplete configuration:
version 10.4R4.5;
system {
    root-authentication {
        encrypted-password "$1$mK6bJOCB$viQ5Jp86fFyEuvGQykXWg."; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.11.1/24;
            }
        }
    }
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.20.1.1;
                destination 172.20.1.2;
            }
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.20.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop gr-0/0/0.0;
        route 172.20.1.2/32 next-hop st0.0;
    }
}
security {
    zones {
        security-zone trust {
            address-book {
                address green-internal 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                gr-0/0/0.0;
                lo0.0;
                st0.0;
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address green-external 10.10.11.0/24;
                address blue-internal 192.168.2.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy t2u {
                match {
                    source-address green-internal;
                    destination-address blue-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy u2t {
                match {
                    source-address blue-internal;
                    destination-address green-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-instances {
    vpn {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface st0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.11.2;
                route 192.168.2.0/24 next-hop st0.0;
            }
        }
    }
}
Regards,
Tony
11-03-2011 02:53 AM
st0 is not in the same routing instance as gr-0/0/0, ge-0/0/1 and lo0 (which are all in zone trust).
Why do you need the routing instance anyway? I have no clue.
11-03-2011 08:59 AM
Hi Tony,
The st0.0 interface belongs to the trust zone and interface ge-0/0/0.0 belongs to the untrust zone. You cannot assign interfaces that are in different zones to the same routing instance. Binding the st0.0 interface to the untrust zone would solve the problem, or you can also make use of the "interface all" statement under a zone, instead of binding each interface to a zone.
Regards,
GVRK
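The commit error in Tony's post states the rule the SRX enforces: every interface in a security zone must sit in the same routing instance. The following Python script is an added example, not code from this thread or from Juniper; it parses a Junos-style curly-brace configuration (a constructed sample trimmed from the posted config) and reports each zone whose interfaces are split across routing instances, treating any interface not listed under routing-instances as belonging to the default (master) instance.

```python
import re

# Constructed sample: the poster's config cut down to the statements that
# decide the check (zone membership and routing-instance membership).
SAMPLE = """
security { zones {
  security-zone trust { interfaces { gr-0/0/0.0; lo0.0; st0.0;
    ge-0/0/1.0 { host-inbound-traffic { system-services { all; } } } } }
  security-zone untrust { interfaces { ge-0/0/0.0; } }
} }
routing-instances { vpn { instance-type virtual-router;
  interface ge-0/0/0.0; interface st0.0; } }
"""

def parse(tokens, i=0):
    # Junos curly-brace text -> nested dicts; a leaf "stmt;" maps to None.
    node, words = {}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":
            child, i = parse(tokens, i)
            node[" ".join(words)], words = child, []
        elif tok == "}":
            return node, i
        elif tok == ";":
            node[" ".join(words)], words = None, []
        else:
            words.append(tok)
    return node, i

def check_zones(text):
    # Return {zone: {routing_instance: [interfaces]}} for every zone whose
    # interfaces do not all live in one routing instance.
    cfg, _ = parse(re.findall(r"[{};]|[^\s{};]+", text))
    owner = {}  # interface -> routing instance; unlisted = master (assumed)
    for name, body in cfg.get("routing-instances", {}).items():
        for stmt in body or {}:
            if stmt.startswith("interface "):
                owner[stmt.split()[1]] = name
    problems = {}
    for key, body in cfg["security"]["zones"].items():
        if key.startswith("security-zone "):
            by_inst = {}
            for ifc in (body or {}).get("interfaces") or {}:
                by_inst.setdefault(owner.get(ifc, "master"), []).append(ifc)
            if len(by_inst) > 1:
                problems[key.split()[1]] = by_inst
    return problems
```

Running `check_zones(SAMPLE)` flags zone trust (st0.0 in vpn, the other three in master); moving st0.0 to the untrust zone, or dropping it from the vpn instance, makes the result empty.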
12-22-2011 12:30 PM
Another issue you will face, unless it's been corrected and I've missed it in the release notes, is that you can't build VPNs in non-default routing instances.
Just a heads up, but if it's changed, please let me know.
12-29-2011 04:02 PM