SRX
  • 1.  BGP over IPSec

    Posted 06-21-2011 05:00

    Hello,

     

    The setup is the following:

    1. My router has a serial connection with the partner's router.
    My IP is: 1.1.1.2/30

    Partner's IP is: 1.1.1.1/30

    2. Between these two addresses there is an IPSec VPN set up. All traffic between my site and the partner's site is to be encrypted. The IPSec gateway addresses are 1.1.1.2 (my router) and 1.1.1.1 (partner's router).

    3. There should be a BGP session established between my router and the partner's router. The BGP traffic is to be encrypted as well, and the BGP peer addresses, again, should be 1.1.1.2 and 1.1.1.1.

     

    Problem:

    How to encrypt BGP traffic?

     

    What I tried:

    1. Policy Based VPN - won't work. Self-originated traffic is not analyzed by Security Policies, so there is no way to encrypt BGP traffic.

    2. Route Based VPN - won't work. The route to 1.1.1.1/32 is reachable through the connected network 1.1.1.0/30 over the serial interface. So by default the BGP traffic will be forwarded to 1.1.1.1 unencrypted.

    If I create a static route to 1.1.1.1/32 over the st0.0 interface, the BGP traffic will be encrypted. However, the ESP traffic is also being routed through the st0.0 interface, which obviously makes the communication through the tunnel fail.

    3. Route Based VPN with Filter Based Forwarding - won't work. It seems that self-originated traffic cannot be routed with Filter Based Forwarding. Can anyone confirm this?

    4. Route Based VPN with Virtual-Router Routing Instance - I think it should work, but it didn't. I couldn't seem to force the BGP traffic into the IPSec tunnel even though appropriate static routes were created.

    Has anyone managed to set up a BGP session peering on an st0.x tunnel interface?


    The problem is resolvable on Junos 9.3 (packet based), but I need to use the flow-based version.

    I cannot change the communication rules (the IPSec gateway addresses need to be the same as the BGP peering addresses).

     

    Anyone got an idea how to work around this problem?


    Thanks for any suggestions,
    Cad 

     



  • 2.  RE: BGP over IPSec

     
    Posted 07-03-2011 13:32

    Hi Cad,

    let me try to go over your options, based on your question:

    1. Policy Based VPN - won't work. Self-originated traffic is not analyzed by Security Policies, so there is no way to encrypt BGP traffic.

    PG>> This should work in the 11.4 code onwards (I haven't tested it, though). Host-outbound (and inbound) traffic will be passed through the policy lookup engine (using source zone junos-host for host-outbound traffic or destination zone junos-host for host-inbound traffic).

     

     

    2. Route Based VPN - won't work. The route to 1.1.1.1/32 is reachable through the connected network 1.1.1.0/30 over the serial interface. So by default the BGP traffic will be forwarded to 1.1.1.1 unencrypted.

    If I create a static route to 1.1.1.1/32 over the st0.0 interface, the BGP traffic will be encrypted. However, the ESP traffic is also being routed through the st0.0 interface, which obviously makes the communication through the tunnel fail.

    PG>> Right, you'll end up looping the traffic that way. There is the concept of a flow-route in Junos, which does a longer match (and is normally used for BGP FLOWSPEC propagation), but we don't officially support it on SRXs and some of the host-bound traffic is not processed by the inetflow table anyway.

     

    3. Route Based VPN with Filter Based Forwarding - won't work. It seems that self-originated traffic cannot be routed with Filter Based Forwarding. Can anyone confirm this?

    PG>> We process self-originated traffic through filters applied to the lo0 interface, but if you try to do this on the egress interface it will be too late to re-inject the packet (by that time routing has already happened).

    Basically both options 2 and 3 could be used, but because of the place in which the forwarding lookup happens in the evaluation chain, you need a way to reinject the traffic so it can be treated as through traffic (instead of host-outbound). This would allow for ingress processing of such traffic. Unfortunately the configuration would get quite cumbersome, as you'll end up having to chain VRs (and connect them using an lt interface).

    4. Route Based VPN with Virtual-Router Routing Instance - I think it should work, but it didn't. I couldn't seem to force the BGP traffic into the IPSec tunnel even though appropriate static routes were created.

    Has anyone managed to set up a BGP session peering on an st0.x tunnel interface?

    PG>> This works, I just did a quick test (in my setup the IPs were 172.19.101.142 and 172.19.101.143 over an Ethernet link, but it is the same idea):

     

    set interfaces ge-0/0/0 unit 0 family inet address 172.19.101.142/24
    set interfaces st0 unit 1 family inet address 172.19.101.142/32
    set security zones security-zone vpn host-inbound-traffic system-services all
    set security zones security-zone vpn host-inbound-traffic protocols all
    set security zones security-zone vpn interfaces st0.1
    set security zones security-zone untrust host-inbound-traffic system-services all #You should adjust these based on your requirements
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set routing-instances bgp-out instance-type virtual-router
    set routing-instances bgp-out interface st0.1
    set routing-instances bgp-out routing-options static route 0.0.0.0/0 next-hop st0.1
    set routing-instances bgp-out protocols bgp local-address 172.19.101.142
    set routing-instances bgp-out protocols bgp local-as 65100
    set routing-instances bgp-out protocols bgp group test type internal
    set routing-instances bgp-out protocols bgp group test neighbor 172.19.101.143 peer-as 65100
    set security policies default-policy permit-all #Again, this will depend on your scenario. In this config I'm allowing all for simplicity
    set security ike policy std mode main
    set security ike policy std proposal-set standard
    set security ike policy std pre-shared-key ascii-text "$9$s3gaGk.569pDi9p0BSys24"
    set security ike gateway SRX650-2 ike-policy std
    set security ike gateway SRX650-2 address 172.19.101.143
    set security ike gateway SRX650-2 external-interface ge-0/0/0.0
    set security ipsec policy std proposal-set standard
    set security ipsec vpn SRX650-2 bind-interface st0.1
    set security ipsec vpn SRX650-2 ike gateway SRX650-2
    set security ipsec vpn SRX650-2 ike ipsec-policy std
    set security ipsec vpn SRX650-2 establish-tunnels immediately
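Why the single-table /32 route from option 2 loops while the virtual router from option 4 does not comes down to where the ESP packet gets its second route lookup. The following is an added, constructed model of that lookup chain (not Junos code and not the poster's configuration); it assumes the interface name "serial" for the partner link and the IPs from the question, and models the rule that a packet sent out an st0.x interface becomes an ESP packet to the gateway that is routed again in the master table.

```python
import ipaddress

# Constructed model of the forwarding decisions discussed in the thread, not Junos code.
# A table maps prefixes to next-hop interface names. Sending a packet out an st0.x
# interface wraps it in ESP toward the IPsec gateway, and that ESP packet is routed again
# in the master table (inet.0), because the IKE external-interface lives there.

class RoutingTable:
    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh in self.routes if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def trace(tables, start, dst, gateway, master="inet.0"):
    """Return (egress_interface, encrypted, path) for a host-originated packet to dst,
    or ('loop', False, path) when the ESP packet keeps recursing into the tunnel."""
    table, path, seen, encrypted = tables[start], [], set(), False
    while True:
        key = (table.name, dst)
        if key in seen:
            return "loop", False, path
        seen.add(key)
        nh = table.lookup(dst)
        path.append(f"{table.name}: {dst} -> {nh}")
        if nh is None or not nh.startswith("st0"):
            return nh, encrypted, path
        # Tunnel interface: encapsulate in ESP to the gateway and re-route in the master table.
        encrypted, dst, table = True, gateway, tables[master]


GATEWAY = "1.1.1.1"  # partner router and IPsec peer, as in the question ("serial" is assumed)

# Option 2 from the question: one table, a /32 to the peer via st0.0, so ESP loops back into st0.0.
single = {"inet.0": RoutingTable("inet.0", [("1.1.1.0/30", "serial"),
                                            ("1.1.1.1/32", "st0.0")])}
# Option 4 as in the reply: BGP lives in a virtual router whose only route points at st0.1;
# the resulting ESP packet is routed in inet.0, where the connected /30 sends it out the serial link.
split = {"inet.0": RoutingTable("inet.0", [("1.1.1.0/30", "serial")]),
         "bgp-out": RoutingTable("bgp-out", [("0.0.0.0/0", "st0.1")])}

if __name__ == "__main__":
    for label, tables, start in [("single table", single, "inet.0"), ("virtual router", split, "bgp-out")]:
        print(label, trace(tables, start, GATEWAY, GATEWAY))
```

Running `trace(split, "inet.0", ...)` shows the plain route-based case from option 2: the BGP packet leaves the serial interface unencrypted because the connected /30 wins.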

     

     



  • 3.  RE: BGP over IPSec

    Posted 01-27-2012 09:29

    Hello Pato,

     

    I didn't browse Juniper forums in a long time and only now have seen your response.

    While we managed to solve the problem on our own I would like to thank you for your thorough answer.
    You especially surprised me with your comment to point 1.
    I'll check if it does indeed work the first chance I get - very excited 🙂

    Kind regards,

    Cad