SRX Services Gateway
Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

[SRX-210] GRE tunnel in routing-instance

Hi,

Maybe this problem has already been taken up somewhere, but I can't find it.. =)

I'm trying to set up a GRE tunnel.

At one of the ends the tunnel is in a routing-instance, type virtual-router.

I have looked at this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24592&cat=os&actp=LIST

My set up is that the tunnel dst is in inet.0.

It looks kinda like this:

gr-0/0/0.0 (SRX) fe-0/0/7.0 (DHCP)   <----[INTERNET]---->   ge-0/0/0.0 (J-router) gr-0/0/0.30
     |                                                                                |
     |--------------------------------------------------------------------------------|

config on SRX side:

set interfaces fe-0/0/7 description UPLINK
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-attempt 6
set interfaces fe-0/0/7 unit 0 family inet dhcp retransmission-interval 10

set interfaces gr-0/0/0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 description "GRE Tunnel"
set interfaces gr-0/0/0 unit 0 tunnel source xx.xx.xx.100
set interfaces gr-0/0/0 unit 0 tunnel destination yy.yy.yy.17
set interfaces gr-0/0/0 unit 0 tunnel path-mtu-discovery
set interfaces gr-0/0/0 unit 0 family inet address yy.yy.yy.54/30

set security zones security-zone tunnel tcp-rst
set security zones security-zone tunnel host-inbound-traffic system-services all
set security zones security-zone tunnel host-inbound-traffic protocols all
set security zones security-zone tunnel interfaces gr-0/0/0.0

set routing-instances R1 instance-type virtual-router
set routing-instances R1 interface gr-0/0/0.0
set routing-instances R1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0

When the GRE tunnel is not in a routing-instance on the SRX side, the tunnel works.

Am I missing something?

According to the link I provided I am not.

I have a flow trace matching on GRE packets running.

It gives errors like:

pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt

packet dropped, packet dropped: for self but not interested.

Thanks in advance...

//Andreas Wall
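As an added triage aid (my own code, not from this thread or from Juniper): a small Python parser that pulls the pak_for_self drops out of a flow trace like the one quoted above and totals them per IP protocol and port, so it is obvious at a glance that the host-bound packets being refused are GRE (protocol 47) and which zone's host-inbound-traffic settings to go and inspect. The protocol-name table is a hand-picked subset and the extra ICMP lines in the sample are constructed.

```python
import re
from collections import Counter

# IANA protocol numbers relevant to host-bound traffic on an SRX (assumption:
# a small hand-picked subset, not an exhaustive table).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 89: "OSPF"}

# Matches the "pak_for_self" line the SRX flow trace prints when a packet is
# addressed to the device itself but no host-inbound handler accepts it.
PAK_FOR_SELF = re.compile(r"pak_for_self: No handler function found for proto:(?P<proto>\d+),"
                          r" dst-port:(?P<port>\d+), drop pkt")
NOT_INTERESTED = re.compile(r"for self but not interested")

def parse_self_drops(lines):
    """Return a Counter of (proto, dst_port) pairs dropped as host-bound traffic."""
    drops = Counter()
    for line in lines:
        m = PAK_FOR_SELF.search(line)
        if m:
            drops[(int(m.group("proto")), int(m.group("port")))] += 1
    return drops

def count_not_interested(lines):
    """Count the 'for self but not interested' verdict lines (one per drop)."""
    return sum(1 for line in lines if NOT_INTERESTED.search(line))

def describe(drops):
    """Human-readable summary: which protocols the device refused for itself."""
    out = []
    for (proto, port), n in sorted(drops.items()):
        name = PROTO_NAMES.get(proto, "proto %d" % proto)
        out.append("%s (proto %d, dst-port %d): %d packet(s) dropped for self" % (name, proto, port, n))
    return out

# Constructed sample: the two lines quoted in the thread, repeated, plus a
# made-up ICMP drop, standing in for 'show security flow' trace output.
SAMPLE_TRACE = """\
pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt
packet dropped, packet dropped: for self but not interested.
pak_for_self: No handler function found for proto:47, dst-port:1, drop pkt
packet dropped, packet dropped: for self but not interested.
pak_for_self: No handler function found for proto:1, dst-port:8, drop pkt
packet dropped, packet dropped: for self but not interested.
""".splitlines()

if __name__ == "__main__":
    for line in describe(parse_self_drops(SAMPLE_TRACE)):
        print(line)
```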

Distinguished Expert
MMcD
Posts: 637
Registered: 07-20-2010

Re: [SRX-210] GRE tunnel in routing-instance

Try:

user@srx# set interfaces gr-0/0/0 unit 0 tunnel routing-instance destination R1

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

Re: [SRX-210] GRE tunnel in routing-instance

But the destination end-point is in inet.0.

I already tried that.

Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

Re: [SRX-210] GRE tunnel in routing-instance

What am I missing?

Do I need some sort of policy?

Distinguished Expert
MMcD
Posts: 637
Registered: 07-20-2010

Re: [SRX-210] GRE tunnel in routing-instance

Do you have a static route to yy.yy.yy.17 in the default routing instance?

Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

Re: [SRX-210] GRE tunnel in routing-instance

Not a static route, but the default route in inet.0 is pointing towards my default gateway.

The dst net is reachable through there.

Shouldn't that be enough?

I tried setting a static route for the dst endpoint and it didn't help.

Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

Re: [SRX-210] GRE tunnel in routing-instance

The GRE tunnel seems to be working in one direction.

Packets from SRX -> J-router get through.

Packets from J-router -> SRX get dropped at the SRX for some reason.

At the J-router I can run 'show security flow session protocol gre' and see the tunnel.

But on the SRX side it shows nothing.

So I guess the session never gets installed on the SRX side...?

Distinguished Expert
MMcD
Posts: 637
Registered: 07-20-2010

Re: [SRX-210] GRE tunnel in routing-instance

I'm not sure what is going on, but protocol 47 is GRE.

"packet dropped: for self but not interested": You are sending traffic to an IP on the device itself, but on the destination port there is no service/answer, or access is possibly prohibited.

Visitor
andwall-wallix.se
Posts: 8
Registered: 07-18-2012

Re: [SRX-210] GRE tunnel in routing-instance

Yes, but I'm not sure what I'm supposed to enable in the config.

According to the Juniper guide on how to set up a GRE iface in an RI, I'm good to go.

How would the flow look in my setup?

Recognized Expert
wimclend
Posts: 275
Registered: 04-03-2009

Re: [SRX-210] GRE tunnel in routing-instance

Can you post the relevant parts of the SRX config?

i.e.:

zone configuration

policy configuration

What interface on the SRX is the GRE tunnel from the J-series terminating on? Make sure that interface has GRE as an allowed service or protocol in the zone config.

If it is terminating on a loopback you also need to make sure the security policy allows it, i.e. if the loopback is in the 'trust' zone but the internet-facing interface is in the untrust zone, I think you would need a policy like "from untrust to trust, src=j-series, dst=srx-ip-terminating-gre, application gre, then permit".
