11-16-2009 11:29 AM
Hi
I am trying to build an IPSEC tunnel from an established SSG to a new SRX240; however, the tunnel needs to terminate on an SRX VR instance interface. Can this be done at all, as it doesn't want to come up?
Anyone tried this before?
Regards
Mark
11-16-2009 01:22 PM
We discovered the same issue on the SRXs - IPSec tunnels can only be terminated in the default VR, though the st0 interfaces can be in any VR you want. It's a problem when your Internet-facing routing table is in a routing-instance and not the default table. In most situations you can work around that issue until Juniper supports IPSec tunnels to any VR (like in ScreenOS). But until then, anyone running tunnels out multiple ISP connections from one SRX might continue to have problems.
11-17-2009 01:00 AM
Yup, the one thing you would have thought a JUNOS device would be able to do is a routing type function - I'm tempted to rip out the SRX and replace it with a mature firewall with proper virtualisation capabilities. Following on from another post, here is a 'work around'.
11-19-2009 09:16 PM
Mark,
Unfortunately, the work-around that I referred to in KB12866 has been removed. We added the following note:
NOTE: Previously a work-around solution was provided in this KB article. However the Juniper Networks Engineering team found some serious limitations with the work-around solution. Hence we are no longer supporting the work-around solution. Juniper is continuing to work on a more robust implementation for an upcoming future JUNOS release. Please contact your Juniper Sales Representative for information regarding the feature roadmap for this feature.
We apologize for the inconvenience.
Regards,
Josine
02-11-2011 05:27 AM
Is this already possible?
02-11-2011 05:51 AM
Hi,
Yes, st0.x interfaces can be a member of a (non-default) routing instance since JUNOS 10.4 R1. It worked unofficially since 10.0 R3, but there were issues, so it was not supported and remained a hidden feature.
Please note that the external interface that you specify at the VPN gateway level still has to be in the normal inet.0 instance.
Kind regards,
Dominik
02-15-2011 07:51 AM
Hello, Dominik.
Would you happen to know if OSPF is supported over IPSec tunnel interfaces terminated in a VR other than inet.0? (assuming the terminating external interface is within inet.0 of course)
The device allows my conf but my debug indicates almost no activity with regards to OSPF and the tunnel interface. I'm using 10.4R2.7 on an SRX 210 with an SA to an SSG5. Nothing much complicated about the configuration:
-----
st0 {
    description Tunnels;
    unit 0 {
        description "Tunnel to yermom";
        family inet {
            mtu 1340;
            address 10.10.254.5/30;
        }
    }
}
-----
regards
Darryl
02-15-2011 03:29 PM
Hi,
I'm not aware of any OSPF issue related to tunnels that terminate in a non-default VR but would need to have a look in lab to be 100% sure...
Regards,
Dominik
02-15-2011 04:01 PM
Tried it out in lab, worked immediately without problems. You might want to troubleshoot the OSPF issue as you would with any other link. Is the config on the other side compatible (MTU, stub/nssa, etc.)?
Regards,
Dominik
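The layout Dominik describes (st0.0 inside a non-default routing instance, IKE external-interface left in inet.0) and the OSPF-over-st0 setup Darryl asked about, written out as an added JunOS configuration example. This is not a config posted in the thread and not Juniper's own sample; the interface, zone, proposal and routing-instance names, the RFC 5737 addresses and the choice of OSPF point-to-point are constructed for illustration, and the pre-shared key is a placeholder.

```junos
/* Added example, not from the thread. Names, addresses and the
   routing-instance name are constructed; replace the PSK placeholder. */
interfaces {
    ge-0/0/0 {
        description "Internet-facing; stays in inet.0 (default instance)";
        unit 0 {
            family inet {
                address 203.0.113.2/30;
            }
        }
    }
    st0 {
        unit 0 {
            description "Tunnel to the SSG";
            family inet {
                mtu 1340;
                address 10.10.254.5/30;
            }
        }
    }
}
routing-instances {
    VR-TUNNELS {
        instance-type virtual-router;
        /* only the tunnel interface moves into the VR */
        interface st0.0;
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface st0.0 {
                        /* constructed choice: point-to-point over the tunnel */
                        interface-type p2p;
                    }
                }
            }
        }
    }
}
security {
    ike {
        proposal IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy IKE-POL {
            mode main;
            proposals IKE-PROP;
            pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK";
        }
        gateway GW-SSG {
            ike-policy IKE-POL;
            address 198.51.100.1;
            /* must reference an interface that lives in inet.0 */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy IPSEC-POL {
            proposals IPSEC-PROP;
        }
        vpn VPN-SSG {
            bind-interface st0.0;
            ike {
                gateway GW-SSG;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ike;   /* IKE must be allowed on the external interface */
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone vpn {
            host-inbound-traffic {
                protocols {
                    ospf;  /* otherwise OSPF hellos arriving on st0.0 are dropped */
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
}
```

Security policies between the vpn zone and the internal zones are still required and are omitted here. After committing, `show security ike security-associations` and `show security ipsec security-associations` confirm the tunnel is up, and `show ospf neighbor instance VR-TUNNELS` shows whether the adjacency over st0.0 has formed; if the SAs are up but no OSPF neighbour appears, the host-inbound-traffic entry for ospf on the st0.0 zone and the MTU/area-type match with the SSG side are the first things to check, as Dominik suggests.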
02-21-2011 11:10 AM
This was my error. I forget that OSPF behaves differently from ScreenOS to JunOS.
Thanks for looking into this.