SRX Services Gateway
Contributor
asmash

GRE over IPSec using single End Point IP

Hi,

 

Trying to establish GRE over IPSec between an ISG and an SRX.

The ISG has a single endpoint IP for both the GRE and IPSec tunnels, whereas on the SRX side it doesn't seem easy to establish the GRE tunnel over the same endpoint IP that IPSec uses.

 

Please suggest a configuration that supports a single endpoint IP for both the IPSec and GRE tunnels on the SRX.

 

 

BR,

asmash

Distinguished Expert
pk

Re: GRE over IPSec using single End Point IP

Hi

 

KB states the following : "GRE end point and ipsec end point cannot be same to make sure that GRE packets goes over the IPsec"

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372&actp=search&viewlocale=en_US&searchid...

 

Sorry, but this seems not to be possible on SRX.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
asmash

Re: GRE over IPSec using single End Point IP

Hi PK,

 

A way out is mentioned in the KB link, especially using a loopback interface.

 

As I understand it, it's a trick where the GRE endpoint is one of its own loopback interface addresses.

 

Please comment on that part.

 

BR,

asmash

Distinguished Expert
pk

Re: GRE over IPSec using single End Point IP

Hi

 

You can do like this (KB: "1.Use numbered interface in st0 and use st0 ip as GRE end point"):

 

lab@srxA-1# show interfaces st0 
unit 0 {
    family inet {
        address 10.10.10.1/24;
    }
}

[edit]
lab@srxA-1# show interfaces gr-0/0/0
unit 0 {
    tunnel {
        source 10.10.10.1;
        destination 10.10.10.2;
    }
    family inet {
        address 11.11.11.1/24;
    }
}

 

Here, GRE is terminated on IP 10.10.10.1, which is also the st0.0 IP address. Not sure if this is what you need. The second option ("2. Use loop back interface as GRE endpoint and route this IP to st0") is analogous and should work: in this case you terminate GRE on lo0 and make routing work between the lo0 interfaces through the tunnel. I guess it is not what you want, though.

 

By the way, why do you need this kind of tunnel? If you want dynamic routing, it will just work without GRE, just configure a usual IPSec tunnel.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Contributor
asmash

Re: GRE over IPSec using single End Point IP

Hi PK,

 

The objective is to establish a secure environment with 2 branch offices connected via different leased paths. Usually we try to establish GRE over IPSec and then run eBGP between the two sites.

 

 

SiteA_ISG_1   <----------GRE/IPSec--------Leased Line 01------> Tunnel_1 (SiteC_SRX_1)
      ^
      |
    iBGP
      |
      v
SiteB_ISG_2   <----------GRE/IPSec--------Leased Line 02------> Tunnel_2 (SiteC_SRX_1)

 

 

In case the same dynamic redundancy can be achieved with eBGP running over IPSec only (i.e. excluding GRE), that's fine.

 

 

BR,

asmash

 

Contributor
Steffen

Re: GRE over IPSec using single End Point IP

Hi asmash,

 


asmash wrote:

 

SiteA_ISG_1   <----------GRE/IPSec--------Leased Line 01------> Tunnel_1 (SiteC_SRX_1)
      ^
      |
    iBGP
      |
      v
SiteB_ISG_2   <----------GRE/IPSec--------Leased Line 02------> Tunnel_2 (SiteC_SRX_1)

 

In case the same dynamic redundancy can be achieved with eBGP running over IPSec only (i.e. excluding GRE), it's fine.

 

 

I use BGP over routed IPsec VPN. So you can skip the GRE part.

 

I used numbered tunnel interfaces and bound the BGP peers to those IPs.

Below you'll find the relevant part of one side. The difference between your setup and mine is that I have one SRX instead of your two ISGs, and two SRXs on the other side.

 

interfaces {
    st0 {
        unit 0 {
            description "VPN no. 1";
            point-to-point;
            family inet {
                mtu 1500;
                address 10.10.10.1/30;
            }
        }
        unit 1 {
            description "VPN no. 2";
            point-to-point;
            family inet {
                mtu 1500;
                address 10.10.10.5/30;
            }
        }
    }
}
routing-options {
    router-id 192.168.10.1;
    autonomous-system 65501;
}
protocols {
    bgp {
        no-aggregator-id;
        mtu-discovery;
        log-updown;
        group Central-Office {
            description "Central office BGP-peers";
            peer-as 65500;
            neighbor 10.10.10.2 {
                description "Peer through VPN no. 1";
                metric-out 10;
                local-address 10.10.10.1;
            }
            neighbor 10.10.10.6 {
                description "Peer through VPN no. 2";
                metric-out 20;
                local-address 10.10.10.5;
            }
        }
    }
}

 

Hope this helps,

Steffen

 

Visitor
sayed@gazicomm.com

Re: GRE over IPSec using single End Point IP

What is the type of BGP in your example?

Can anybody give the step-by-step configuration with a diagram? Will both the source and destination IPs in GRE be in the same subnet or in different subnets?

 

gr-0/0/0 {
        unit 0 {
            tunnel {
                source 192.168.11.1;
                destination 192.168.10.1;===========Why different subnet....?
            }
            family inet {
                address 10.11.0.1/24;

lo0 {
        unit 0 {
            family inet {
                address 192.168.11.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 172.16.0.0/12 {
            next-hop 172.19.83.254;
            retain;
        }
        route 192.168.10.1/32 next-hop st0.0;
        route 10.0.0.0/24 next-hop gr-0/0/0.0;
        route 20.0.0.0/30 next-hop 20.1.0.2;
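As an added example that is not part of this thread and not a Juniper tool: a small Python lint that parses the brace-style configuration shown in these posts and applies the rule pk quoted from KB19372 (the GRE endpoint must not be the IPsec endpoint), accepting the two KB options, a numbered st0 address (pk's example) or a lo0 address whose peer is routed into st0 (the loopback layout the last post asks about). The IKE gateway stanza, interface names and addresses below are constructed for the example; only the rule being checked comes from the thread, everything else is an assumption.

```python
import re
import ipaddress


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None.
    Repeated block headers merge, so config fragments can simply be concatenated."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                       # block header complete: descend into it
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":                     # leaf statement complete
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("malformed configuration text")
    return stack[0]


def logical_units(cfg, prefix=""):
    """Yield ('ifname.unit', unit body) for interfaces whose name starts with prefix."""
    for ifname, body in (cfg.get("interfaces") or {}).items():
        for unit, ubody in (body or {}).items():
            if ifname.startswith(prefix) and unit.startswith("unit ") and ubody:
                yield f"{ifname}.{unit.split()[1]}", ubody


def interface_addresses(cfg, prefix=""):
    """Map logical interface -> set of IPv4 host addresses under 'family inet'."""
    return {name: {str(ipaddress.ip_interface(s.split()[1]).ip)
                   for s in (ubody.get("family inet") or {}) if s.startswith("address ")}
            for name, ubody in logical_units(cfg, prefix)}


def gre_tunnels(cfg):
    """List (gr- logical interface, tunnel source, tunnel destination)."""
    out = []
    for name, ubody in logical_units(cfg, "gr-"):
        tun = dict(s.partition(" ")[::2] for s in (ubody.get("tunnel") or {}))
        out.append((name, tun.get("source"), tun.get("destination")))
    return out


def ipsec_endpoints(cfg):
    """Addresses of every interface named as an IKE gateway external-interface."""
    addrs, out = interface_addresses(cfg), set()
    for key, body in ((cfg.get("security") or {}).get("ike") or {}).items():
        if key.startswith("gateway "):
            for s in (body or {}):
                if s.startswith("external-interface "):
                    out |= addrs.get(s.split()[1], set())
    return out


def routed_via_st0(cfg, dst):
    """True if a static route covering dst has an st0 unit as next hop (KB option 2)."""
    target = ipaddress.ip_address(dst)
    for stmt, body in ((cfg.get("routing-options") or {}).get("static") or {}).items():
        parts = stmt.split()
        if parts[:1] != ["route"]:
            continue
        hops = parts[3:4] if len(parts) >= 4 and parts[2] == "next-hop" else []
        hops += [s.split()[1] for s in (body or {}) if s.startswith("next-hop ")]
        if target in ipaddress.ip_network(parts[1], strict=False) and any(h.startswith("st0") for h in hops):
            return True
    return False


def check_gre_over_ipsec(cfg):
    """Return findings; an empty list means every GRE tunnel is carried inside IPsec."""
    st0 = set().union(*interface_addresses(cfg, "st0").values())
    lo0 = set().union(*interface_addresses(cfg, "lo0").values())
    ext, findings = ipsec_endpoints(cfg), []
    for name, src, dst in gre_tunnels(cfg):
        if src in ext:
            findings.append(f"{name}: source {src} is the IPsec endpoint; GRE to {dst} would bypass the tunnel")
        elif src in st0 or (src in lo0 and dst and routed_via_st0(cfg, dst)):
            continue  # KB option 1 (st0 address) or option 2 (lo0 address routed into st0)
        else:
            findings.append(f"{name}: source {src} is neither an st0 address nor an st0-routed lo0 address")
    return findings


# Constructed sample configs (documentation address ranges, not from the thread).
# BAD: the GRE source is the IKE external-interface address, i.e. the IPsec endpoint itself.
BAD_CFG = """
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 203.0.113.1/30; } } }
    gr-0/0/0 { unit 0 { tunnel { source 203.0.113.1; destination 198.51.100.1; }
                        family inet { address 11.11.11.1/24; } } }
}
security { ike { gateway isg-gw { address 198.51.100.1; external-interface ge-0/0/0.0; } } }
"""
# KB option 1: number st0 and use its address as the GRE source.
OPTION1_CFG = BAD_CFG.replace("source 203.0.113.1;", "source 10.10.10.1;") + """
interfaces { st0 { unit 0 { family inet { address 10.10.10.1/24; } } } }
"""
# KB option 2: local lo0 /32 as GRE source, the peer's lo0 /32 statically routed into st0.0.
OPTION2_CFG = (BAD_CFG.replace("source 203.0.113.1;", "source 192.168.11.1;")
               .replace("destination 198.51.100.1;", "destination 192.168.10.1;")) + """
interfaces { lo0 { unit 0 { family inet { address 192.168.11.1/32; } } } }
routing-options { static { route 192.168.10.1/32 next-hop st0.0; } }
"""
```

Calling `check_gre_over_ipsec(parse_junos(...))` on the three constructed configs flags only the first one. The third config is the loopback layout: the two lo0 endpoints are separate /32s rather than one shared subnet, which works because each side routes the other's /32 into st0, so the GRE packets are encapsulated by IPsec before leaving the box.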