11-16-2009 11:29 AM
I am trying to build an IPSEC tunnel from an established SSG to a new SRX240; however, the tunnel needs to terminate on an SRX VR instance interface. Can this be done at all, as it doesn't want to come up?
Has anyone tried this before?
11-16-2009 01:22 PM
We discovered the same issue on the SRXs: IPSec tunnels can only be terminated in the default VR, though the st0 interfaces can be in any VR you want. It's a problem when your Internet-facing routing table is in a routing-instance and not the default table. In most situations you can work around that issue until Juniper supports IPSec tunnels to any VR (like in ScreenOS). But until then, anyone running tunnels out multiple ISP connections from one SRX might continue to have problems.
11-17-2009 01:00 AM
Yup, the one thing you would have thought a JUNOS device would be able to do is a routing-type function. I'm tempted to rip out the SRX and replace it with a mature firewall with proper virtualisation capabilities. Following on from another post, here is a 'workaround':
11-19-2009 09:16 PM
Unfortunately, the workaround that I referred to in KB12866 has been removed. We added the following note:
NOTE: Previously, a workaround solution was provided in this KB article. However, the Juniper Networks Engineering team found some serious limitations with the workaround solution. Hence, we are no longer supporting the workaround solution. Juniper is continuing to work on a more robust implementation for an upcoming future JUNOS release. Please contact your Juniper Sales Representative for information regarding the roadmap for this feature.
We apologize for the inconvenience.
02-11-2011 05:51 AM
Yes, st0.x interfaces can be members of a (non-default) routing instance since JUNOS 10.4R1. It had worked unofficially since 10.0R3, but there were issues, so it was not supported and remained a hidden feature.
Please note that the external interface that you specify at the VPN gateway level still has to be in the normal inet.0 instance.
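To make the split described in the reply above concrete, here is an added Junos configuration sketch (not from the original thread or from Juniper documentation) of a route-based VPN whose st0.0 interface sits in a virtual-router instance while the IKE gateway's external interface stays in inet.0. All interface names, zone names, addresses, proposal parameters, the pre-shared key and the remote prefix are assumed placeholders; check them against your own topology and against what your JUNOS release supports.

```junos
/* Added example, not the original poster's config: tunnel interface in a VR,
   gateway external interface left in inet.0 (10.4R1 or later assumed). */
interfaces {
    ge-0/0/0 {
        /* Internet-facing interface; stays in inet.0 so IKE can use it (assumed address) */
        unit 0 { family inet { address 203.0.113.2/30; } }
    }
    st0 {
        /* tunnel interface, placed in the VR below (assumed address) */
        unit 0 { family inet { address 10.255.0.1/30; } }
    }
}
routing-options {
    /* default route for inet.0 towards the ISP (assumed next-hop) */
    static { route 0.0.0.0/0 next-hop 203.0.113.1; }
}
routing-instances {
    VR-VPN {
        instance-type virtual-router;
        interface st0.0;
        routing-options {
            /* remote site's prefix via the tunnel (assumed prefix) */
            static { route 10.20.0.0/16 next-hop st0.0; }
        }
    }
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-STRONG-SECRET"; /* placeholder */
        }
        gateway gw-ssg {
            ike-policy ike-pol;
            address 198.51.100.1;          /* SSG's public address, assumed */
            external-interface ge-0/0/0.0; /* must live in inet.0, per the reply above */
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol { proposals ipsec-prop; }
        vpn vpn-ssg {
            bind-interface st0.0;          /* the VR-side tunnel interface */
            ike { gateway gw-ssg; ipsec-policy ipsec-pol; }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            /* IKE must be permitted inbound on the external interface */
            host-inbound-traffic { system-services { ike; } }
            interfaces { ge-0/0/0.0; }
        }
        security-zone vpn {
            interfaces { st0.0; }
        }
    }
}
```

Two checks worth running after commit: `show security ike security-associations` and `show security ipsec security-associations` confirm phase 1 and phase 2 are up, and `show route table VR-VPN.inet.0` confirms the remote prefix resolves over st0.0 inside the instance rather than in inet.0. You still need security policies between the `vpn` zone and whatever zone holds the protected hosts; they are omitted here because the thread does not describe them.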
02-15-2011 07:51 AM
Would you happen to know if OSPF is supported over IPSec tunnel interfaces terminated in a VR other than inet.0? (Assuming the terminating external interface is within inet.0, of course.)