
Configure VPN got a issue on st0.0

I am new to setting up VPNs on the SRX, and I am facing an issue here.

When I run "commit check", I get a message telling me that:

 

root# commit check                              
[edit security zones security-zone trust]
  'interfaces st0.0'
    Interface st0.0 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed

 

---------------------------

I saw some configuration samples where st0.0 is assigned to an interface and a routing instance, and this zone also has multiple interfaces. Can anyone help me solve it? Thank you very much.

-----------------------------

Below is my incomplete configuration:

 

version 10.4R4.5;
system {
    root-authentication {
        encrypted-password "$1$mK6bJOCB$viQ5Jp86fFyEuvGQykXWg."; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.11.1/24;
            }
        }
    }
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.20.1.1;
                destination 172.20.1.2;
            }
            family inet {
                address 192.168.1.1/24;
            }                          
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.20.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.10.10.0/24 next-hop gr-0/0/0.0;
        route 172.20.1.2/32 next-hop st0.0;
    }
}
security {
    zones {
        security-zone trust {
            address-book {
                address green-internal 192.168.1.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                gr-0/0/0.0;
                lo0.0;
                st0.0;
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address green-external 10.10.11.0/24;
                address blue-internal 192.168.2.0/24;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }                  
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy t2u {
                match {
                    source-address green-internal;
                    destination-address blue-internal;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy u2t {
                match {
                    source-address blue-internal;
                    destination-address green-internal;
                    application any;   
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-instances {
    vpn {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface st0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.11.2;
                route 192.168.2.0/24 next-hop st0.0;
            }
        }
    }
}

 

Regards,

Tony

cy

Re: Configure VPN got a issue on st0.0

 

st0 is not in the same routing instance as gr-0/0/0, ge-0/0/1 and lo0 (which are all in zone trust).

 

 

Why do you need the routing-instance anyway? I have no clue.

--

You can also find me on Freenode IRC in #juniper, my handle is "cy[]"
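
The rule behind the commit check error in this thread, reproduced offline as an added example (not part of the original posts and not Juniper's code): every interface in a security zone must belong to the same routing instance, and interfaces not listed under any routing instance are treated as being in the default one. The sample is condensed from the posted configuration; `parse` and `zone_instance_conflicts` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample: zone and routing-instance stanzas condensed from the posted config.
CONFIG = """
security { zones {
    security-zone trust { interfaces {
        gr-0/0/0.0; lo0.0; st0.0;
        ge-0/0/1.0 { host-inbound-traffic { system-services { all; } } }
    } }
    security-zone untrust { interfaces { ge-0/0/0.0; } }
} }
routing-instances { vpn { instance-type virtual-router; interface ge-0/0/0.0; interface st0.0; } }
"""

def parse(text):
    """Parse brace-style config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def zone_instance_conflicts(cfg):
    """Map each zone whose interfaces span several routing instances to {instance: [interfaces]}."""
    owner = {}  # interface -> routing instance; unlisted interfaces stay in the default instance
    for inst, body in cfg.get("routing-instances", {}).items():
        for stmt in body:
            if stmt.startswith("interface "):
                owner[stmt.split()[1]] = inst
    conflicts = {}
    for name, body in cfg.get("security", {}).get("zones", {}).items():
        by_inst = defaultdict(list)
        for ifname in (body or {}).get("interfaces", {}):
            by_inst[owner.get(ifname, "default")].append(ifname)
        if name.startswith("security-zone ") and len(by_inst) > 1:
            conflicts[name.split()[1]] = dict(by_inst)
    return conflicts

if __name__ == "__main__":
    print(zone_instance_conflicts(parse(CONFIG)))
```

Running it against a saved configuration before `commit check` shows which interface is the odd one out in each zone, which the device's error message names only one interface at a time.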

Re: Configure VPN got a issue on st0.0

Hi Tony,

 

The st0.0 interface belongs to the trust zone and interface ge-0/0/0.0 belongs to the untrust zone. You cannot assign interfaces that are in different zones to the same routing instance. Binding the st0.0 interface to the untrust zone would solve the problem, or you can also make use of the "Interface all" statement under a zone, instead of binding each interface to a zone.

 

Regards,

GVRK


Re: Configure VPN got a issue on st0.0

Another issue you will face, unless it's been corrected and I've missed it in release notes, is that you can't build vpns in non-default routing instances.

 

Just a heads up, but if it's changed, please let me know.

________________________________________________


If my post helped you, please feel free to give me kudos.

Copyright© 1999-2015 Juniper Networks, Inc. All rights reserved.