Routing


Route Leak IKE Gateway from virtual router to master routing table

  • 1.  Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-08-2014 15:31

    I am trying to terminate an IPSEC tunnel in which the IKE gateway is in a virtual router, however the remote IKE gateway is only reachable through the master routing table (i.e. my premise default route to the internet).

     

    I cannot terminate this IKE Gateway in the master routing table, it is not an option.  I have no access to any upstream devices for other options.

     

    I am currently testing between a SRX550 - MX480, the MX-480 has the IKE Gateway in a virtual router.  The SRX is the customer (IKE gateway on master routing table).

     

    I am using loopbacks as the IKE gateways.

     

    I have successfully route leaked using rib-groups and can ping between the gateways from the VR but the IKE/IPSEC is down.

     

    Of course it works perfectly if I move the external interface into the virtual-router.

     

    I can also verify inbound/outbound IKE/500 packets on both external interfaces of the SRX and MX-480.

     

    Is there a limitation on this type of communication or am I missing something on the IPSEC configuration?

     

    Just receiving IKEv1 Error: TIMEOUT

     

    Any help would be greatly appreciated. 

     

     



  • 2.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-09-2014 09:14

    Hi,

     

    Can you paste your config so we can have a look and try to help you 🙂



  • 3.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-09-2014 13:08

    So I tested this configuration between two SRXs and it worked.

     

    I just upgraded to the latest version on both the SRXs and the MX-480. Still not working.

     

    I have tried VR to VR as well, same results.

     

    So here are my configs.

     

    SRX (inet.0) ge-6/0/14 ----------- cable ------------- ge-1/2/3 MX-480 (inet.0) ----- VR ROUTE-LEAK-TEST
    IKE GATEWAY lo0.0                                                                    IKE GATEWAY lo0.3

     

    MX-480 - INET.0 (10.10.20.2/30) - connected to the "cloud" distant end SRX (10.10.20.1/30). 

    MX-480 - INET.0
    set interfaces ge-1/2/3 unit 0 family inet address 10.10.20.2/30

    Route leak to VR (ROUTE-LEAK-TEST)
    set routing-options static rib-group inet.0_to_RLT.inet.0;
    set routing-options static route 10.10.20.3/32 next-hop 10.10.20.1
    set routing-options static route 10.10.20.10/30 next-table ROUTE-LEAK-TEST.inet.0

    Routes received from VR (IKE GATEWAY is lo0.3 10.10.20.9)
    show route table inet.0

    10.10.20.8/30      *[Static/5] 00:00:33
                          to table ROUTE-LEAK-TEST.inet.0

    ****************************************************************************


    MX-480 - ROUTE-LEAK-TEST.inet.0 (VR configuration, including VPN)

    set interfaces ms-2/0/0 unit 15 family inet
    set interfaces ms-2/0/0 unit 15 service-domain inside
    set interfaces ms-2/0/0 unit 16 family inet
    set interfaces ms-2/0/0 unit 16 service-domain outside

    set interfaces lo0 unit 3 family inet address 10.10.20.5/32  (IKE GATEWAY)
    set interfaces lo0 unit 3 family inet address 10.10.20.6/32  (BGP, once the tunnel comes up)

    ****************************************************************************
    set services service-set ROUTE-LEAK-TEST next-hop-service inside-service-interface ms-2/0/0.15
    set services service-set ROUTE-LEAK-TEST next-hop-service outside-service-interface ms-2/0/0.16
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway 10.10.20.9
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway routing-instance ROUTE-LEAK-TEST
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-rules ROUTE-LEAK-TEST

    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from source-address 0.0.0.0/0
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from destination-address 0.0.0.0/0
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then remote-gateway 10.10.20.3
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ike-policy ROUTE-LEAK-TEST
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ipsec-policy ROUTE-LEAK-TEST
    set services ipsec-vpn rule ROUTE-LEAK-TEST match-direction input

    set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
    set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256

    set services ipsec-vpn ike policy ROUTE-LEAK-TEST mode main
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST version 1
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text

    set routing-options rib-groups inet.0_to_RLT.inet.0 import-rib ROUTE-LEAK-TEST.inet.0
    set routing-options rib-groups RLT.inet.0_to_inet.0 import-rib ROUTE-LEAK-TEST.inet.0

    set routing-instances ROUTE-LEAK-TEST instance-type virtual-router
    set routing-instances ROUTE-LEAK-TEST interface xe-1/0/0.660
    set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.15
    set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.16
    set routing-instances ROUTE-LEAK-TEST interface lo0.3
    set routing-instances ROUTE-LEAK-TEST routing-options interface-routes rib-group inet RLT.inet.0_to_inet.0
    set routing-instances ROUTE-LEAK-TEST routing-options static rib-group RLT.inet.0_to_inet.0
    set routing-instances ROUTE-LEAK-TEST routing-options static route 10.10.20.4/32 next-hop ms-2/0/0.15


    show route table ROUTE-LEAK-TEST.inet.0

    ROUTE-LEAK-TEST.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.10.20.3/32      *[Static/5] 00:15:50
                        > to 10.10.20.1 via ge-1/2/3.0  (ROUTE FROM INET.0)


    ping routing-instance ROUTE-LEAK-TEST 10.10.20.3 source 10.10.20.9
    PING 10.10.20.3 (10.10.20.3): 56 data bytes
    64 bytes from 10.10.20.3: icmp_seq=0 ttl=64 time=0.867 ms
    64 bytes from 10.10.20.3: icmp_seq=1 ttl=64 time=2.421 ms
    64 bytes from 10.10.20.3: icmp_seq=2 ttl=64 time=0.865 ms

    ****************************************************************************
    SRX

    set interfaces ge-6/0/14 unit 0 family inet address 10.10.20.2/30

    set security ike policy ROUTE-LEAK-TEST mode main
    set security ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
    set security ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text

    set security ike gateway ROUTE-LEAK-TEST ike-policy ROUTE-LEAK-TEST
    set security ike gateway ROUTE-LEAK-TEST address 10.10.20.3
    set security ike gateway ROUTE-LEAK-TEST dead-peer-detection interval 10
    set security ike gateway ROUTE-LEAK-TEST dead-peer-detection threshold 2
    set security ike gateway ROUTE-LEAK-TEST external-interface lo0.6
    set security ike gateway ROUTE-LEAK-TEST local-address 10.10.20.9

    set security ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
    set security ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256

    set security ipsec vpn ROUTE-LEAK-TEST bind-interface st0.5
    set security ipsec vpn ROUTE-LEAK-TEST ike gateway ROUTE-LEAK-TEST
    set security ipsec vpn ROUTE-LEAK-TEST ike ipsec-policy ROUTE-LEAK-TEST

    set routing-options static route 10.10.20.8/30 next-hop 10.10.20.2

     

    ping 10.10.20.9 source 10.10.20.3
    PING 10.10.20.9 (10.10.20.9): 56 data bytes
    64 bytes from 10.10.20.9: icmp_seq=0 ttl=64 time=1.010 ms
    64 bytes from 10.10.20.9: icmp_seq=1 ttl=64 time=1.428 ms
    64 bytes from 10.10.20.9: icmp_seq=2 ttl=64 time=0.921 ms
    ^C
    --- 10.10.20.9 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.921/1.120/1.428/0.221 ms

     



  • 4.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-09-2014 16:05

    Maybe this is a copy-paste error, but your SRX and MX480 both have the same IP configured for their direct link to each other:

     

    MX480:

    set interfaces ge-1/2/3 unit 0 family inet address 10.10.20.2/30

     

    SRX:

    set interfaces ge-6/0/14 unit 0 family inet address 10.10.20.2/30

     

    In addition, you have set an IKE gateway to the broadcast address of the above network (10.10.20.3).  Is this information all correct?



  • 5.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-10-2014 06:32

    Sorry, there were a few errors. 

     

    SRX

    10.10.20.1/30 (ge-6/0/14.0)

    10.10.20.3/32 (IKE GATEWAY - loopback)

     

    MX-480

    10.10.20.2/30 (ge-1/2/3.0) inet.0

    10.10.20.9/32 (IKE GATEWAY - loopback) VR

    ***********************************************************

     

    SRX (inet.0) ge-6/0/14 ----------- cable ------------- ge-1/2/3 MX-480 (inet.0) ----- VR ROUTE-LEAK-TEST
    IKE GATEWAY lo0.0 (10.10.20.3)                                                       IKE GATEWAY lo0.3 (10.10.20.9)
     
    MX-480 - INET.0 (10.10.20.2/30) - connected to the "cloud" distant end SRX (10.10.20.1/30).
     
    MX-480 - INET.0
    set interfaces ge-1/2/3 unit 0 family inet address 10.10.20.2/30
     
    Route leak to VR (ROUTE-LEAK-TEST)
    set routing-options static rib-group inet.0_to_RLT.inet.0;
    set routing-options static route 10.10.20.3/32 next-hop 10.10.20.1
    set routing-options static route 10.10.20.10/30 next-table ROUTE-LEAK-TEST.inet.0
     
    Routes received from VR (IKE GATEWAY is lo0.3 10.10.20.9)
    show route table inet.0
     
    10.10.20.8/30      *[Static/5] 00:00:33
                          to table ROUTE-LEAK-TEST.inet.0
     
    ****************************************************************************
     

    MX-480 - ROUTE-LEAK-TEST.inet.0 (VR configuration, including VPN)
     
    set interfaces ms-2/0/0 unit 15 family inet
    set interfaces ms-2/0/0 unit 15 service-domain inside
    set interfaces ms-2/0/0 unit 16 family inet
    set interfaces ms-2/0/0 unit 16 service-domain outside
     
    set interfaces lo0 unit 3 family inet address 10.10.20.9/32  (IKE GATEWAY)
    set interfaces lo0 unit 3 family inet address 10.10.20.6/32  (BGP, once the tunnel comes up)
     
    ****************************************************************************
    set services service-set ROUTE-LEAK-TEST next-hop-service inside-service-interface ms-2/0/0.15
    set services service-set ROUTE-LEAK-TEST next-hop-service outside-service-interface ms-2/0/0.16
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway 10.10.20.9
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway routing-instance ROUTE-LEAK-TEST
    set services service-set ROUTE-LEAK-TEST ipsec-vpn-rules ROUTE-LEAK-TEST
     
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from source-address 0.0.0.0/0
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from destination-address 0.0.0.0/0
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then remote-gateway 10.10.20.3
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ike-policy ROUTE-LEAK-TEST
    set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ipsec-policy ROUTE-LEAK-TEST
    set services ipsec-vpn rule ROUTE-LEAK-TEST match-direction input
     
    set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
    set services ipsec-vpn ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256
     
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST mode main
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST version 1
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
    set services ipsec-vpn ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text
     
    set routing-options rib-groups inet.0_to_RLT.inet.0 import-rib ROUTE-LEAK-TEST.inet.0
    set routing-options rib-groups RLT.inet.0_to_inet.0 import-rib ROUTE-LEAK-TEST.inet.0
     
    set routing-instances ROUTE-LEAK-TEST instance-type virtual-router
    set routing-instances ROUTE-LEAK-TEST interface xe-1/0/0.660
    set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.15
    set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.16
    set routing-instances ROUTE-LEAK-TEST interface lo0.3
    set routing-instances ROUTE-LEAK-TEST routing-options interface-routes rib-group inet RLT.inet.0_to_inet.0
    set routing-instances ROUTE-LEAK-TEST routing-options static rib-group RLT.inet.0_to_inet.0
    set routing-instances ROUTE-LEAK-TEST routing-options static route 10.10.20.4/32 next-hop ms-2/0/0.15
     

    show route table ROUTE-LEAK-TEST.inet.0
     
    ROUTE-LEAK-TEST.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
     
    10.10.20.3/32      *[Static/5] 00:15:50
                        > to 10.10.20.1 via ge-1/2/3.0  (ROUTE FROM INET.0)
     

    ping routing-instance ROUTE-LEAK-TEST 10.10.20.3 source 10.10.20.9
    PING 10.10.20.3 (10.10.20.3): 56 data bytes
    64 bytes from 10.10.20.3: icmp_seq=0 ttl=64 time=0.867 ms
    64 bytes from 10.10.20.3: icmp_seq=1 ttl=64 time=2.421 ms
    64 bytes from 10.10.20.3: icmp_seq=2 ttl=64 time=0.865 ms
     
    ****************************************************************************
    SRX
     
    set interfaces ge-6/0/14 unit 0 family inet address 10.10.20.1/30
    set interfaces lo0 unit 0 family inet address 10.10.20.3/32
     
    set security ike policy ROUTE-LEAK-TEST mode main
    set security ike policy ROUTE-LEAK-TEST proposals PSK-AES256-SHA256-DH14
    set security ike policy ROUTE-LEAK-TEST pre-shared-key ascii-text
     
    set security ike gateway ROUTE-LEAK-TEST ike-policy ROUTE-LEAK-TEST
    set security ike gateway ROUTE-LEAK-TEST address 10.10.20.3
    set security ike gateway ROUTE-LEAK-TEST dead-peer-detection interval 10
    set security ike gateway ROUTE-LEAK-TEST dead-peer-detection threshold 2
    set security ike gateway ROUTE-LEAK-TEST external-interface lo0.0
    set security ike gateway ROUTE-LEAK-TEST local-address 10.10.20.9
     
    set security ipsec policy ROUTE-LEAK-TEST perfect-forward-secrecy keys group14
    set security ipsec policy ROUTE-LEAK-TEST proposals SHA256-AES256
     
    set security ipsec vpn ROUTE-LEAK-TEST bind-interface st0.5
    set security ipsec vpn ROUTE-LEAK-TEST ike gateway ROUTE-LEAK-TEST
    set security ipsec vpn ROUTE-LEAK-TEST ike ipsec-policy ROUTE-LEAK-TEST
     
    set routing-options static route 10.10.20.8/30 next-hop 10.10.20.2
     
     
     
    ping 10.10.20.9 source 10.10.20.3
    PING 10.10.20.9 (10.10.20.9): 56 data bytes
    64 bytes from 10.10.20.9: icmp_seq=0 ttl=64 time=1.010 ms
    64 bytes from 10.10.20.9: icmp_seq=1 ttl=64 time=1.428 ms
    64 bytes from 10.10.20.9: icmp_seq=2 ttl=64 time=0.921 ms
    ^C
    --- 10.10.20.9 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.921/1.120/1.428/0.221 ms

     



  • 6.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-10-2014 06:40

    I still do not understand how your SRX can have a loopback IP of 10.10.20.3/32 when that IP address is the broadcast address of your direct link between the two devices.



  • 7.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-10-2014 07:13

    That will not work if you use a broadcast address as loopback address.

     

     

     

     



  • 8.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-10-2014 07:38

    Junos used to complain in the CLI when trying to commit a configuration with overlapping subnets, but it does not do that anymore.  Not sure why they changed that behavior.

     

    OP, I would recommend first modifying your loopback on the SRX to an IP address that is not in a subnet that is currently in use on your internal network and then seeing what happens.



  • 9.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-10-2014 08:16

    I was really hoping that was it, a minor oversight, but I changed the loopback on the SRX to 10.10.30.1/32 and it's still not working.

     

    The same previous configuration actually worked SRX to SRX yesterday, with the loopback 10.10.20.3/32, technically it shouldn't have but it did.

     

    Opening a case with Juniper as well.

     

     



  • 10.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-10-2014 10:48

    Do you have a route for your new loopback address on your other router?



  • 11.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-11-2014 07:29

    My apologies for the confusing loopback situation.  The loopbacks have been updated, the routing between them is fine.  I can ping from the MX-480 routing instance local IKE Gateway to the remote IKE gateway on the SRX.  The issue is the SRX is attempting to establish a tunnel but the MX-480 drops the IKE packet.  Conversely, when the MX-480 attempts to initialize a session I get a time error and "Unexpected IKE on route table id 0".

     

    I did configure a work around, which was to terminate the IKE tunnel in the inet.0 route table, then route leak the BGP Peers between inet.0 and the VR.  This worked and the BGP came up.  Then I had to put a filter on the ms-2/0/0 inside interface to force default Internet traffic to the routing instance.  However this includes policies, route leaking loopbacks and BGP etc.  This is great for a one-off but I have many more sites to consider.

     

    So terminating the IKE in the routing-instance is preferred.

     

    I will post a config of the work around.

     

     

     



  • 12.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 12-19-2014 12:00

    Okay so I attached what I sent to Juniper, with a visio diagram.

     

    1.  Goal is to terminate the VPN in a virtual router in which the IKE Gateway is accessible through inet.0 (SRX to MX-480).  Using rib-groups.  The MX-480 is the hub and the SRX is the remote site.  This was unsuccessful.  (IPSEC-RL-SRX-to-MX480.txt)

     

    2.  I was able to accomplish this goal (SRX to SRX).   (IPSEC-RL-SRX-to-SRX.txt)

     

    3.  I was able to establish a work around solution by terminating the VPN on inet.0 and route leaking the BGP peer to the virtual router, then applying a filter on the IPSEC secure tunnel inside interface ms-2/0/0.x to force traffic to the virtual router.  I attached two text files with separate configuration for SRX and MX-480. (BGP-RL-mx480-config.txt) (BGP-RL-SRX-config.txt)

     

    I sent this to Juniper awaiting a response.  Any suggestions?

     

     

    Attachment(s): IPSEC-RL-SRX-to-MX480.txt, BGP-RL-mx480-config.txt, BGP-RL-SRX-config.txt, IPSEC-RL-SRX-to-SRX.txt


  • 13.  RE: Route Leak IKE Gateway from virtual router to master routing table

     
    Posted 12-19-2014 14:13

    Rather than ignore your request, I will just be honest and say that I do not have any other suggestions for you.  You have a unique setup and unfortunately, I don't have any MS MICs or MPCs in any of my MX gear to test out your config.  Therefore, I will defer to those who may have dealt with this particular type of configuration before.  If JTAC gets back to you and identifies the problem or provides a resolution before someone here does, please post it for the community.



  • 14.  RE: Route Leak IKE Gateway from virtual router to master routing table

    Posted 01-08-2015 05:50

    Still waiting, problem has been moved up to "higher resources".  So we wait; in the meantime I am implementing the work around on a live customer soon.  As soon as I get an answer I will post the results.


     



  • 15.  RE: Route Leak IKE Gateway from virtual router to master routing table
    Best Answer

    Posted 01-26-2015 08:53

    Issue has been resolved by Juniper.  To configure an IPSEC VPN directly to a VR and route through inet.0 to the remote gateway:

     

    1.  Configure an IP address on the outside-service-interface (ms-2/0/0.x)

         - Make that IP the IPSEC local Gateway.

         - set services service-set <name of service-set> ipsec-vpn-options local-gateway <IP-address of ms-2/0/0.x>

     

    2.  Deactivate the outside-service-interface (ms-2/0/0.x) on the external VR so that it is a part of the main routing-instance (inet.0)

     

    3.  Configure the remote device, in this case the SRX, to point to the MX-480 outside-service-interface (ms-2/0/0.x) IP address as the remote gateway.

     

    4.  Add necessary routes in inet.0 (to remote gateway) and VR (traffic through inside-service-interface).

     

    I tested this successfully in the lab.
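    The four steps above, written out as Junos set statements. This is an added example, not the poster's attached configuration or JTAC's text: the outside-service-interface address 10.10.40.1/32 is made up for the example, while the interface names, service-set name, link addresses and the SRX loopback 10.10.30.1 are taken from earlier posts in the thread. Lines starting with # are annotations, not CLI input.

```junos
## ---------------- MX-480 (hub) ----------------
# Step 1: put an address on the outside-service-interface and make it the local gateway.
# 10.10.40.1/32 is an ASSUMED value chosen for this example.
set interfaces ms-2/0/0 unit 15 family inet
set interfaces ms-2/0/0 unit 15 service-domain inside
set interfaces ms-2/0/0 unit 16 family inet address 10.10.40.1/32
set interfaces ms-2/0/0 unit 16 service-domain outside

set services service-set ROUTE-LEAK-TEST next-hop-service inside-service-interface ms-2/0/0.15
set services service-set ROUTE-LEAK-TEST next-hop-service outside-service-interface ms-2/0/0.16
set services service-set ROUTE-LEAK-TEST ipsec-vpn-options local-gateway 10.10.40.1
set services service-set ROUTE-LEAK-TEST ipsec-vpn-rules ROUTE-LEAK-TEST
# No "ipsec-vpn-options local-gateway routing-instance ..." here: the gateway now lives in inet.0,
# which is the default lookup table for the local gateway.

# Step 2: the outside interface is NOT listed in the VR, so it stays in inet.0.
# Only the inside interface and the VR loopback belong to the routing instance.
set routing-instances ROUTE-LEAK-TEST instance-type virtual-router
set routing-instances ROUTE-LEAK-TEST interface ms-2/0/0.15
set routing-instances ROUTE-LEAK-TEST interface lo0.3

# IPsec rule: the remote gateway is the SRX loopback from post 9 (10.10.30.1).
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from source-address 0.0.0.0/0
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 from destination-address 0.0.0.0/0
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then remote-gateway 10.10.30.1
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ike-policy ROUTE-LEAK-TEST
set services ipsec-vpn rule ROUTE-LEAK-TEST term 10 then dynamic ipsec-policy ROUTE-LEAK-TEST
set services ipsec-vpn rule ROUTE-LEAK-TEST match-direction input

# Step 4a: inet.0 must reach the remote gateway (SRX loopback via the direct link).
set routing-options static route 10.10.30.1/32 next-hop 10.10.20.1
# Step 4b: the VR pushes tunnel-bound traffic into the service set via the inside interface
# (10.10.20.4/32 is the remote BGP peer address used in the original posted VR config).
set routing-instances ROUTE-LEAK-TEST routing-options static route 10.10.20.4/32 next-hop ms-2/0/0.15

## ---------------- SRX (remote site) ----------------
# Step 3: the SRX peers with the ms-2/0/0.16 address, not with a VR loopback.
set security ike gateway ROUTE-LEAK-TEST ike-policy ROUTE-LEAK-TEST
set security ike gateway ROUTE-LEAK-TEST address 10.10.40.1
set security ike gateway ROUTE-LEAK-TEST external-interface lo0.0
set security ike gateway ROUTE-LEAK-TEST local-address 10.10.30.1
set routing-options static route 10.10.40.1/32 next-hop 10.10.20.2

## Verification on the MX (operational mode):
#   show route 10.10.30.1                              -> must resolve in inet.0, not in the VR
#   show services ipsec-vpn ike security-associations  -> phase 1 up to 10.10.30.1
#   show services ipsec-vpn ipsec security-associations
```

Because the local gateway address now sits in inet.0, it is reachable from wherever inet.0 is reachable; the IKE policy's pre-shared key and proposals from the earlier posts still apply unchanged.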