SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NHTB, unnumbered, and "tunnel invalid" flows on IPSec

    Posted 07-22-2014 17:40

    I am trying to configure multiple IPSec tunnels in one zone, but I want to use unnumbered interfaces so that I can conserve IP addresses.  I could use NextHop Tunnel Binding (NHTB), but Junos requires me to eat up more IP addresses.

     

    So I simply added a second st0 interface to the zone with a static route for each st0 interface, as a workaround to avoid NHTB and save my IP addresses. But when I do so, I am unable to send traffic down the second st0 interface.  In my traffic logs, I get a "Tunnel invalid" message:

     

    RT_FLOW_SESSION_CLOSE: session closed Tunnel invalid: 10.0.250.18/34749->192.168.100.200/33437 None 10.0.250.18/34749->192.168.100.200/33437 None None 17 Test-Outbound-Default Test Campus 80959889 1(40) 0(0) 1 UNKNOWN UNKNOWN N/A(N/A) st0.3

     

    Is there some way around this limitation, or am I forced to use NHTB if I want to have more than one tunnel in a particular zone?

     

    Here is a snippet of my config that does not work:

     

    [edit interfaces st0]
    unit 2 {
        family inet;
    }
    unit 3 {
        family inet;
    }
    
    [edit security zones security-zone ZoneTest]
    host-inbound-traffic {
        system-services {
            ping;
        }
        protocols {
            all;
        }
    }
    interfaces {
        st0.2;
        st0.3;
    }
    
    [edit routing-instances VrTest]
    interface st0.2;
    interface st0.3;
    routing-options {
        static {
            route 10.0.250.0/28 next-hop st0.2;
            route 10.0.250.16/28 next-hop st0.3;
        }
    }
    

     

     

    Thanks.

     

    Clarke Morledge

    College of William and Mary

     



  • 2.  RE: NHTB, unnumbered, and "tunnel invalid" flows on IPSec
    Best Answer

    Posted 07-22-2014 18:54

    Hi Clarke,

     

    You can configure unnumbered st0 interfaces and add them to the same security zone.

    NHTB is not needed.

     

    NHTB is needed only for hub-and-spoke VPN.

     

    http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/vpn-hub-spoke-nhtb-example-configuring.html

     


    Traffic is getting blocked for some other reason.

     

    Do you see the IPsec SA up for the st0.3 tunnel?

     

    Share the configuration and the security ike and ipsec outputs.

     

    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
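    A complete two-tunnel configuration of the kind this answer describes, given as an added example (it is not anything posted in the thread): two route-based VPNs, each bound to its own unnumbered point-to-point st0 unit, both units in ZoneTest, static routes pointing at the units, and no NHTB. The gateway, policy and VPN names, the peer addresses 203.0.113.10 and 203.0.113.20, the external interface ge-0/0/0.0 and the pre-shared keys are placeholders, not values from the thread; the inter-zone security policies that permit the traffic are omitted.

```junos
/* Added example: two route-based VPNs on separate unnumbered st0 units.
   Peer addresses, names, ge-0/0/0.0 and the PSKs are placeholders. */
interfaces {
    st0 {
        /* One point-to-point unit per VPN; no address, so no IP is consumed. */
        unit 2 {
            family inet;
        }
        unit 3 {
            family inet;
        }
    }
}
security {
    ike {
        proposal IKE-PROP {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy IKE-POL-A {                      /* one policy per peer: separate keys */
            mode main;
            proposals IKE-PROP;
            pre-shared-key ascii-text "replace-with-key-A"; ## SECRET-DATA
        }
        policy IKE-POL-B {
            mode main;
            proposals IKE-PROP;
            pre-shared-key ascii-text "replace-with-key-B"; ## SECRET-DATA
        }
        gateway GW-A {
            ike-policy IKE-POL-A;
            address 203.0.113.10;               /* placeholder peer */
            external-interface ge-0/0/0.0;      /* placeholder uplink */
        }
        gateway GW-B {
            ike-policy IKE-POL-B;
            address 203.0.113.20;               /* placeholder peer */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal IPSEC-PROP {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy IPSEC-POL {
            perfect-forward-secrecy {
                keys group14;
            }
            proposals IPSEC-PROP;
        }
        vpn VPN-A {
            bind-interface st0.2;               /* exactly one VPN per point-to-point unit */
            ike {
                gateway GW-A;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;      /* SA comes up without waiting for traffic */
        }
        vpn VPN-B {
            bind-interface st0.3;
            ike {
                gateway GW-B;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone ZoneTest {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {                        /* both unnumbered units in one zone */
                st0.2;
                st0.3;
            }
        }
    }
}
routing-instances {
    VrTest {
        instance-type virtual-router;
        interface st0.2;
        interface st0.3;
        routing-options {
            static {                            /* unnumbered: next-hop is the unit itself */
                route 10.0.250.0/28 next-hop st0.2;
                route 10.0.250.16/28 next-hop st0.3;
            }
        }
    }
}
```

    After commit, the checks this answer asks for are `show security ike security-associations` and `show security ipsec security-associations` (both peers should be listed), `show security ipsec security-associations vpn-name VPN-B detail` for the tunnel on st0.3, and `show route 10.0.250.18 table VrTest.inet.0` to confirm that the destination from the original log line resolves to st0.3. The "Tunnel invalid" close reason in that log line was recorded with egress interface st0.3, so the SA state of that specific VPN is the first thing to verify. Two caveats: an unnumbered st0 can only be reached by a static route or by a routing protocol that tolerates unnumbered interfaces, and if the far end is not Junos, its traffic selectors may not accept the default proxy-ID, in which case `proxy-identity` under the vpn's `ike` stanza has to be set to match.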

     



  • 3.  RE: NHTB, unnumbered, and "tunnel invalid" flows on IPSec

    Posted 07-24-2014 18:49

    Thanks for giving me a sanity check on this.

     

    I am not exactly sure what I did, but when I went ahead and deactivated the first tunnel/vpn I configured and reactivated it, the second tunnel came up without an issue. 

     

    I did not feel comfortable with that, so I went ahead and rebuilt the configuration from scratch, and now everything is working correctly.  Presumably, I must have had a typo in my config somewhere.

     

    So, just to confirm, you can run multiple unnumbered tunnels within a zone without needing to do NHTB.

     

    Clarke



  • 4.  RE: NHTB, unnumbered, and "tunnel invalid" flows on IPSec

    Posted 07-24-2014 23:36

    Hi Clarke,

     

    Yes, you can have multiple unnumbered st0 interfaces like st0.1, st0.2, etc. and bind all these st0 interfaces to the same security zone.

     

    Regards,

    rparthi



  • 5.  RE: NHTB, unnumbered, and "tunnel invalid" flows on IPSec

    Posted 07-25-2014 06:41

    In the case of hub and spoke, do we have a solution without NHTB? With an unnumbered multipoint tunnel, can we have multiple spokes?



  • 6.  RE: NHTB, unnumbered, and "tunnel invalid" flows on IPSec

    Posted 08-21-2014 12:41

    I have not found an option to do that.  So, unless I am mistaken, the answer is no.

     

    Clarke
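    For contrast, the hub-and-spoke case that the accepted answer and the last two posts refer to, shown as an added example on the hub side (this is not from the thread or from the linked Juniper document): several spokes share one multipoint st0 unit, and NHTB maps each spoke's tunnel address to the VPN that reaches it, which is why the unit needs an address and the spokes need addresses in the same subnet. This is a fragment: it assumes IKE gateways GW-SPOKE1 and GW-SPOKE2 and an IPsec policy IPSEC-POL are already defined under security ike and security ipsec, and the VPN names, the 10.11.11.0/24 tunnel subnet and the spoke LAN prefixes are placeholders.

```junos
/* Added example (hub side): more than one VPN on a single st0 unit requires
   multipoint plus NHTB. Assumes GW-SPOKE1, GW-SPOKE2 and IPSEC-POL already exist;
   all names, the 10.11.11.0/24 tunnel subnet and the spoke LANs are placeholders. */
interfaces {
    st0 {
        unit 0 {
            multipoint;                         /* required when >1 VPN binds to this unit */
            family inet {
                /* NHTB: spoke tunnel address -> VPN carrying it */
                next-hop-tunnel 10.11.11.11 ipsec-vpn VPN-SPOKE1;
                next-hop-tunnel 10.11.11.12 ipsec-vpn VPN-SPOKE2;
                address 10.11.11.10/24;         /* the extra address the original poster wanted to avoid */
            }
        }
    }
}
security {
    ipsec {
        vpn VPN-SPOKE1 {
            bind-interface st0.0;               /* both VPNs bind to the same multipoint unit */
            ike {
                gateway GW-SPOKE1;              /* assumed to exist under security ike */
                ipsec-policy IPSEC-POL;         /* assumed to exist under security ipsec */
            }
        }
        vpn VPN-SPOKE2 {
            bind-interface st0.0;
            ike {
                gateway GW-SPOKE2;
                ipsec-policy IPSEC-POL;
            }
        }
    }
    zones {
        security-zone ZoneVPN {
            interfaces {
                st0.0;
            }
        }
    }
}
routing-options {
    static {
        /* next-hop is the spoke's st0 address; the NHTB entry then picks the VPN */
        route 192.168.11.0/24 next-hop 10.11.11.11;
        route 192.168.12.0/24 next-hop 10.11.11.12;
    }
}
```

    Each spoke keeps an ordinary point-to-point st0.0 with an address such as 10.11.11.11/24 and a route towards the hub's 10.11.11.10. The static routes on the hub point at the spoke's tunnel address rather than at the st0 unit, since with several VPNs on one unit the interface alone no longer identifies the tunnel; that is the address cost the thread's unnumbered, one-unit-per-VPN approach avoids, and the reason the accepted answer reserves NHTB for hub and spoke.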