SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Gr-0/0/0 and st0 must have family inet address?

    Posted 05-16-2016 07:44
    Hi Experts,

    I have two questions about GRE tunnel over IPsec: http://kb.juniper.net/InfoCenter/index?page=content&id=KB19372&actp=search&viewlocale=en_US&searchid=1345331927176%3CBR%3E

    (1) For the example config in the above link, must gr-0/0/0.0 have a family inet address? Or is only the tunnel source/destination address a must? If a family inet address is a must, and I have gr-0/0/0.0 and gr-0/0/0.1, then are two family inet addresses needed? The IPsec is to a GRX partner for roaming, so must the family inet address be a public IP? (I am doing a swap from ISG to SRX5800, no family inet address from ISG.)

    (2) For the st0 interface of the IPsec VPN, there is no family inet address at all in the GRE over IPsec example above. But for the route-based VPN example, st0 has a family inet address. Are both fine? How should I understand the difference and configure it correctly? For the ISG to SRX migration now, there was no IPsec VPN IP on the ISG; if an st0 family inet address is needed, I need to ask the customer for this IP.

    Thanks!!

    BR/ Claire


  • 2.  RE: Gr-0/0/0 and st0 must have family inet address?

    Posted 05-17-2016 00:29

    Hi Claire,

    It is not necessary to provide an address on the gre / st0 interface.

    An unnumbered interface will work for you in both scenarios.

    GRE will have the tunnel source and tunnel destination as the external IP header IPs in GRE.

    Similarly, for st0, unnumbered interfaces will work.

    All you need to give in the config is:

    set interfaces gr-0/0/0 unit 0 family inet

    set interfaces st0 unit 0 family inet

    Family inet defines that this interface would be used for IPv4 traffic.

    However, if you have a requirement where you want to run a dynamic routing protocol on these logical interfaces, you definitely need to have an IP on the interfaces.

    For any feature which requires advertising its own details (OSPF, BGP) for communication purposes, you need to have an IP on the logical interface like gre and st0.

    Let me know if you still have any doubts.

    regards

    Hemant



  • 3.  RE: Gr-0/0/0 and st0 must have family inet address?

    Posted 05-17-2016 20:27

    Hi Hemant,

    Thanks!!

    (1) Yes, I have to run BGP on this tunnel. If for this I need to set gr-0/0/0 or st0 with a family inet IP, is this the same IP as the BGP router-id? For BGP over GRE over IPsec, do both gr-0/0/0 and st0 need this family inet IP, or just gr-0/0/0? If both need it, could we use the same IP?

    (2) For my ISG to SRX swap, in the former ISG2000 configuration, we have loopback.2 public IP x.x.x.x/32 used for BGP, which is the same as the BGP router-id, while loopback.1 is the tunnel endpoint x.x.x.x/32.

    So if I configure a family inet IP for the gr-0/0/0 or st0 interface, do I still need to configure a loopback unit 2 family inet IP as above? If yes, is the same IP OK?

    BR/Claire



  • 4.  RE: Gr-0/0/0 and st0 must have family inet address?

     
    Posted 05-17-2016 21:19

    Dear Claire

    I would suggest you use the same config strategy as the ISG.

    > Unnumbered for gr and st interfaces

    > Terminate VPN on lo0.0

    > Use lo0.2 for the BGP peering.

    > With BGP as the dynamic routing protocol, you don't need numbered on st0 or gr0, since we define the peer manually and can have a specific route for the peer pointing to the tunnel

    Hope this helps. Regards,

    Vikas



  • 5.  RE: Gr-0/0/0 and st0 must have family inet address?

    Posted 11-07-2016 04:11
    Hi Vikas and all,

    I am following your advice to use lo.0 with IP 1 for VPN and lo.1 with IP 2 for BGP. Since both of them should be under Gp-untrust-vr for roaming traffic, we met the error below when configuring. It seems we can't configure two sub-interfaces for loopback.

    1. What should we do now?

    2. Could we configure both IP addresses under lo.0 as in the link below? http://forums.juniper.net/t5/SRX-Services-Gateway/eBGP-and-IPSec-VPN-Loopback-interfaces/m-p/226045/highlight/true#M27971

    3. We have to run "GRE over IPsec" through this BGP protocol. Are there any other configuration points we should pay attention to?

    ############################################################################
    [edit interfaces lo0]
      'unit 1'
        if_instance: Multiple loopback interfaces not permitted in Gp_Untrust-vr routing instance
    error: configuration check-out failed
    #############################################################################

    Thanks!

    BR/ Claire


  • 6.  RE: Gr-0/0/0 and st0 must have family inet address?

    Posted 11-09-2016 18:35
    Hi, Could some expert help? Thanks a lot! BR/ Claire
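
The pieces discussed in this thread (unnumbered gr/st0, a static route to the BGP peer through the tunnel, and the one-loopback-unit-per-routing-instance limit behind the commit error), put together as an added set-format example that is not from any poster in the thread. All addresses are documentation-range placeholders, the AS numbers are private-use values and the group name GRX-PEER is hypothetical; it assumes the IKE/IPsec VPN bound to st0.0, the security zones and policies, and the route that reaches the GRE tunnel destination are configured separately.

```junos
# Unnumbered tunnel interfaces: family inet only, no address.
set interfaces st0 unit 0 family inet
set interfaces gr-0/0/0 unit 0 family inet
# GRE outer header addresses (placeholders).
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.10
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.10

# A single loopback unit carrying both addresses, because the commit check
# rejects a second lo0 unit in the same routing instance.
# 192.0.2.1 = VPN endpoint (placeholder), 192.0.2.2 = BGP source (placeholder).
set interfaces lo0 unit 0 family inet address 192.0.2.1/32 primary
set interfaces lo0 unit 0 family inet address 192.0.2.2/32

# Routing instance named as in the error output above.
set routing-instances Gp_Untrust-vr instance-type virtual-router
set routing-instances Gp_Untrust-vr interface lo0.0
set routing-instances Gp_Untrust-vr interface st0.0
set routing-instances Gp_Untrust-vr interface gr-0/0/0.0

# Specific route for the manually defined BGP peer, pointing into the tunnel.
# 198.51.100.2 = peer's BGP address (placeholder).
set routing-instances Gp_Untrust-vr routing-options static route 198.51.100.2/32 next-hop gr-0/0/0.0

# eBGP sourced from the second loopback address; multihop is required
# because the peer address is not on a directly connected subnet.
set routing-instances Gp_Untrust-vr routing-options autonomous-system 64512
set routing-instances Gp_Untrust-vr protocols bgp group GRX-PEER type external
set routing-instances Gp_Untrust-vr protocols bgp group GRX-PEER local-address 192.0.2.2
set routing-instances Gp_Untrust-vr protocols bgp group GRX-PEER multihop ttl 2
set routing-instances Gp_Untrust-vr protocols bgp group GRX-PEER peer-as 64513
set routing-instances Gp_Untrust-vr protocols bgp group GRX-PEER neighbor 198.51.100.2
```

Running `commit check` before `commit` surfaces the loopback error shown in the thread without activating the candidate configuration.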