Hi Cad,
let me try to go over your options, based on your question:
1. Policy Based VPN - won't work. Self originated traffic is not analyzed by Security Policies, so there is no way to encrypt BGP traffic.
PG>> This should work in the 11.4 code onwards (I haven't tested it, though). Host outbound (and inbound) traffic will be passed through the policy lookup engine (using source zone junos-host for host-outbound traffic or destination zone junos-host for host-inbound traffic).
2. Route Based VPN - won't work. The route to 1.1.1.1/32 is reachable through the connected network 1.1.1.0/30 over the serial interface. So by default the BGP traffic will be forwarded to 1.1.1.1 unencrypted.
If I create a static route to 1.1.1.1/32 over the st0.0 interface, the BGP traffic will be encrypted. However, the ESP traffic is also being routed through the st0.0 interface, which obviously makes the communication through the tunnel fail.
PG>> Right, you'll end up looping the traffic that way. There is the concept of a flow-route in Junos, which does a longer match (and is normally used for BGP FLOWSPEC propagation), but we don't officially support it on SRXs and some of the host-bound traffic is not processed by the inetflow table anyway.
3. Route Based VPN with Filter Based Forwarding - won't work. It seems that self-originated traffic cannot be routed with Filter Based Forwarding. Can anyone confirm this?
PG>> We process self-originated traffic through filters applied to the lo0 interface, but if you try to do this on the egress interface it will be too late to re-inject the packet (by that time routing already happened).
Basically, both options 2 and 3 could be used, but because of the place in which the forwarding lookup happens on the evaluation chain, you need a way to reinject the traffic so it can be treated as through traffic (instead of host-outbound). This would allow for ingress processing of such traffic. Unfortunately the configuration would get quite cumbersome, as you'll end up having to chain VRs (and connect them using an lt interface).
4. Route Based VPN with Virtual-Router Routing Instance - I think it should work, but it didn't. I couldn't seem to force the BGP traffic into the IPSec tunnel even though appropriate static routes were created.
Has anyone managed to set up a BGP session peering on an st0.x tunnel interface?
PG>> This works, I just did a quick test (in my setup the IPs were 172.19.101.142 and 172.19.101.143 over an Ethernet link, but it is the same idea):
set interfaces ge-0/0/0 unit 0 family inet address 172.19.101.142/24
set interfaces st0 unit 1 family inet address 172.19.101.142/32
set security zones security-zone vpn host-inbound-traffic system-services all
set security zones security-zone vpn host-inbound-traffic protocols all
set security zones security-zone vpn interfaces st0.1
set security zones security-zone untrust host-inbound-traffic system-services all #You should adjust these based on your requirements
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set routing-instances bgp-out instance-type virtual-router
set routing-instances bgp-out interface st0.1
set routing-instances bgp-out routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-instances bgp-out protocols bgp local-address 172.19.101.142
set routing-instances bgp-out protocols bgp local-as 65100
set routing-instances bgp-out protocols bgp group test type internal
set routing-instances bgp-out protocols bgp group test neighbor 172.19.101.143 peer-as 65100
set security policies default-policy permit-all #Again, this will depend on your scenario. In this config I'm allowing all for simplicity
set security ike policy std mode main
set security ike policy std proposal-set standard
set security ike policy std pre-shared-key ascii-text "$9$s3gaGk.569pDi9p0BSys24"
set security ike gateway SRX650-2 ike-policy std
set security ike gateway SRX650-2 address 172.19.101.143
set security ike gateway SRX650-2 external-interface ge-0/0/0.0
set security ipsec policy std proposal-set standard
set security ipsec vpn SRX650-2 bind-interface st0.1
set security ipsec vpn SRX650-2 ike gateway SRX650-2
set security ipsec vpn SRX650-2 ike ipsec-policy std
set security ipsec vpn SRX650-2 establish-tunnels immediately
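As an added sanity check written for this thread (example code, not part of PG's reply or any Juniper tool), the script below parses set-style config, builds a route table per routing instance, and confirms the property that makes option 4 work and option 2 loop: the BGP neighbor must resolve to the st0 interface inside its instance, while the IKE/ESP peer, looked up in the master instance, must still resolve to the gateway's external-interface. It assumes host-originated IKE/ESP is looked up in the master instance (a simplification) and uses constructed samples: a pared-down copy of the config above and the looping layout from option 2.

```python
import ipaddress
# Constructed samples: WORKING mirrors the reply's config (st0.1 in its own virtual-router);
# LOOPING is option 2 from the question (a /32 route to the peer in the master instance).
WORKING = """
set interfaces ge-0/0/0 unit 0 family inet address 172.19.101.142/24
set routing-instances bgp-out instance-type virtual-router
set routing-instances bgp-out interface st0.1
set routing-instances bgp-out routing-options static route 0.0.0.0/0 next-hop st0.1
set routing-instances bgp-out protocols bgp group test neighbor 172.19.101.143 peer-as 65100
set security ike gateway SRX650-2 address 172.19.101.143
set security ike gateway SRX650-2 external-interface ge-0/0/0.0
set security ipsec vpn SRX650-2 bind-interface st0.1
"""
LOOPING = WORKING.replace("routing-instances bgp-out ", "").replace("0.0.0.0/0", "172.19.101.143/32")

def parse_set_config(text):  # -> per-instance routes/peers, IKE gateways, st0 bindings
    inst = {"master": {"routes": [], "peers": []}}  # "master" stands in for inet.0
    ifl_owner, connected, gateways, st0 = {}, [], {}, set()
    for w in (line.split() for line in text.strip().splitlines()):
        name, t = (w[2], w[3:]) if w[1] == "routing-instances" else ("master", w[1:])
        table = inst.setdefault(name, {"routes": [], "peers": []})
        if t[0] == "interfaces" and "address" in t:  # family inet address -> connected route
            connected.append((f"{t[1]}.{t[3]}", ipaddress.ip_network(t[-1], strict=False)))
        elif t[0] == "interface":  # ifl placed into a routing instance
            ifl_owner[t[1]] = name
        elif t[:3] == ["routing-options", "static", "route"]:
            table["routes"].append((ipaddress.ip_network(t[3]), t[5]))
        elif t[:2] == ["protocols", "bgp"] and "neighbor" in t:
            table["peers"].append(ipaddress.ip_address(t[t.index("neighbor") + 1]))
        elif t[:3] == ["security", "ike", "gateway"]:
            gateways.setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["security", "ipsec", "vpn"] and t[4] == "bind-interface":
            st0.add(t[5])
    for ifl, net in connected:  # a connected route lands in the instance that owns the ifl
        inst[ifl_owner.get(ifl, "master")]["routes"].append((net, ifl))
    return inst, gateways, st0

def egress_ifl(table, dest):  # longest-prefix match; None when unreachable
    hits = [r for r in table["routes"] if dest in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def tunnel_findings(text):
    inst, gateways, st0 = parse_set_config(text)
    master = inst["master"]  # assumption: host-originated IKE/ESP is looked up in the master instance
    esp = [f"ESP to {g['address']} leaves via {via}: the tunnel would loop into itself"
           for g in gateways.values()
           if (via := egress_ifl(master, ipaddress.ip_address(g["address"]))) != g["external-interface"]]
    bgp = [f"{name}: BGP to {peer} is not routed into an st0 interface" for name, table in inst.items()
           for peer in table["peers"] if egress_ifl(table, peer) not in st0]
    return esp + bgp  # empty list: BGP rides st0 while IKE/ESP still leaves in the clear
```

Running tunnel_findings on WORKING returns no findings, while LOOPING reports the ESP traffic being steered into st0.1, which is exactly the failure described in option 2.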