SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Automatically generated static route for route-based site-to-site IPsec VPN

    Posted 04-13-2016 14:04

    Hi, I have a route-based IPsec VPN to a customer. Assume the traffic selector is 1.2.3.4/32 to 5.6.7.8/32 and the VPN is bound to st0.1; when the VPN comes up, a static route to 5.6.7.8/32 is automatically populated in the routing table. This is all good in most cases, but I have a scenario where the customer wants a redundant VPN gateway on their side, essentially the same traffic selector but a different IKE gateway. Say this backup VPN is bound to st0.2: we will now have two static routes generated with different next hops. I don't want Junos to load-balance, because st0.2 is backup only. How can I get around this?



  • 2.  RE: Automatically generated static route for route-based site-to-site IPsec VPN

     
    Posted 04-13-2016 19:29

    Hello,


    For this, make st0.2 a qualified-next-hop, so that once st0.1 goes down only st0.2 will take effect.

     

    set routing-options static route x.x.x.x qualified-next-hop st0.2



  • 3.  RE: Automatically generated static route for route-based site-to-site IPsec VPN

    Posted 04-14-2016 13:26

    Thanks, how is that going to solve my problem? ... Junos will generate the second static route automatically with the same metric as the first one.



  • 4.  RE: Automatically generated static route for route-based site-to-site IPsec VPN

     
    Posted 04-14-2016 19:49

    Where st0.1 is 10.0.0.1/30 and st0.2 is 10.0.0.5/30:

     

    set routing-options static route a.b.c.d/24 next-hop 10.0.0.2 preference 5
    set routing-options static route a.b.c.d/24 qualified-next-hop 10.0.0.6 preference 10
    


  • 5.  RE: Automatically generated static route for route-based site-to-site IPsec VPN
    Best Answer

     
    Posted 04-14-2016 20:18

    Hello,


    I have checked in the lab and found that both VPN tunnels will come up, but traffic will be passed to the first tunnel that came up.

     

    Before failover :

    root# run show route 5.5.5.5

    inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    5.5.5.5/32 *[Static/5] 00:06:58
    > via st0.0     <<<<<<<<<<<<<<<
    [Static/5] 00:05:18
    > via st0.1

    Once the first tunnel fails (i.e. the gateway fails), only then does the second tunnel take over:

     

    On Failover :


    root# run show route 5.5.5.5

    inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    5.5.5.5/32 *[Static/5] 00:01:12
    > via st0.1

    But what I have observed is that once the primary tunnel comes back up, the secondary tunnel will still continue to work:

     

    Once the Primary is back UP :

    root# run show route 5.5.5.5

    inet.0: 6 destinations, 7 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    5.5.5.5/32 *[Static/5] 00:01:45
    > via st0.1   <<<<<<<<<<<<<<
    [Static/5] 00:00:10
    > via st0.0

    So to achieve this goal, we may need IP monitoring for gateway route failover. Without it the setup also works, but once the primary is back up, it will not fall back to the primary tunnel until route failover is configured.
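The failover-plus-fallback setup the reply above points to (distinct route preferences, an RPM probe through the primary tunnel, and ip-monitoring that only overrides the route while the probe is failed), written out as an added example. It is not configuration from anyone in this thread. It assumes the addressing from reply 4 (st0.1 = 10.0.0.1/30 with peer 10.0.0.2, st0.2 = 10.0.0.5/30 with peer 10.0.0.6), the selector 1.2.3.4/32 to 5.6.7.8/32 from the question, and that 1.2.3.4 is an address on this SRX (for example a loopback) so the probe is sourced from inside the negotiated traffic selector; with traffic-selector VPNs a packet that does not match a selector is dropped at st0, so probing the bare st0 peer address would not work unless that address is also covered. The probe, policy and test names are hypothetical.

```junos
## Added example, not from the thread. Names PROBE-PRIMARY, PING-REMOTE and
## VPN-FAILOVER are hypothetical; addressing follows reply 4, selector follows the question.

## 1. Pin the primary: preference 4 is better than the auto-generated [Static/5]
##    routes, so st0.1 stays the active next hop as long as the interface is usable.
##    The st0.2 route (preference 10) only becomes active when nothing better exists.
set routing-options static route 5.6.7.8/32 qualified-next-hop st0.1 preference 4
set routing-options static route 5.6.7.8/32 qualified-next-hop st0.2 preference 10

## 2. RPM probe sent through the primary tunnel, sourced from inside the local
##    selector (assumes 1.2.3.4 is configured on this SRX). Three successive lost
##    probes, at 2 s intervals, mark the test as failed.
set services rpm probe PROBE-PRIMARY test PING-REMOTE probe-type icmp-ping
set services rpm probe PROBE-PRIMARY test PING-REMOTE target address 5.6.7.8
set services rpm probe PROBE-PRIMARY test PING-REMOTE source-address 1.2.3.4
set services rpm probe PROBE-PRIMARY test PING-REMOTE destination-interface st0.1
set services rpm probe PROBE-PRIMARY test PING-REMOTE probe-count 3
set services rpm probe PROBE-PRIMARY test PING-REMOTE probe-interval 2
set services rpm probe PROBE-PRIMARY test PING-REMOTE test-interval 2
set services rpm probe PROBE-PRIMARY test PING-REMOTE thresholds successive-loss 3

## 3. While the probe is failed, ip-monitoring installs a preferred route to
##    5.6.7.8/32 via the backup peer (10.0.0.6, on st0.2). When the probe passes
##    again the preferred route is withdrawn, so traffic returns to the preference-4
##    route via st0.1, which is the fallback the reply above observed was missing.
set services ip-monitoring policy VPN-FAILOVER match rpm-probe PROBE-PRIMARY
set services ip-monitoring policy VPN-FAILOVER then preferred-route route 5.6.7.8/32 next-hop 10.0.0.6
```

Verify with `show route 5.6.7.8` before and after shutting the primary peer: the active entry should move from st0.1 to the ip-monitoring route via 10.0.0.6 and back again once the probe recovers (`show services ip-monitoring status` shows the policy state). Keep the probe's source and target inside the selector on both ends, and pair this with dead-peer-detection on the IKE gateways so a dead primary also drops its auto-generated route rather than relying on the probe alone.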