SRX

  • 1.  Site to site VPN routing problem

    Posted 08-17-2016 06:54

    I have two SRX240 devices and a VPN tunnel between the offices.
    MAIN office: internet static IP, LAN public IP 193.168.135.1/25.
    REMOTE office: internet dynamic IP, LAN public IP 193.168.135.129/27.
    (Public class C IP.)

    The VPN tunnel seems to be working between the offices.

    But I have some kind of routing problem.
    I don't know how I can route all remote office traffic to the main office, and from there to the internet.

    Could anyone help me?!

    Many Thanks!!!


    MAIN OFFICE (part of configuration)

    set interfaces ge-0/0/0 unit 0 family inet address 193.168.135.253/29
    set interfaces ge-0/0/4 unit 0 family inet address 193.168.135.1/25
    set interfaces st0 unit 10 family inet address 192.168.2.1/24

    set routing-options static route 0.0.0.0/0 next-hop 193.168.135.254
    set routing-options static route 193.168.135.128/27 next-hop st0.10

    set security ike policy ike_pol_PITTIO mode aggressive
    set security ike policy ike_pol_PITTIO proposal-set standard
    set security ike policy ike_pol_PITTIO pre-shared-key ascii-text "xxxxxxx"
    set security ike gateway gw_PITTIO ike-policy ike_pol_PITTIO
    set security ike gateway gw_PITTIO dynamic user-at-hostname "mail@com"
    set security ike gateway gw_PITTIO local-identity inet 193.168.135.253
    set security ike gateway gw_PITTIO external-interface ge-0/0/0

    set security ipsec policy ip_pol_PITTIO perfect-forward-secrecy keys group2
    set security ipsec policy ip_pol_PITTIO proposal-set standard
    set security ipsec vpn PITTIO bind-interface st0.10
    set security ipsec vpn PITTIO ike gateway gw_PITTIO
    set security ipsec vpn PITTIO ike ipsec-policy ip_pol_PITTIO
    set security ipsec vpn PITTIO establish-tunnels immediately


    REMOTE OFFICE (part of configuration)

    set interfaces ge-0/0/0 unit 0 family inet dhcp
    set interfaces ge-0/0/3 unit 0 family inet address 193.168.135.129/27
    set interfaces st0 unit 10 family inet address 192.168.2.2/24

    set routing-options static route 193.168.135.0/25 next-hop st0.10

    set security ike policy ike_pol_REMOTE_PITTIO mode aggressive
    set security ike policy ike_pol_REMOTE_PITTIO proposal-set standard
    set security ike policy ike_pol_REMOTE_PITTIO pre-shared-key ascii-text "xxxxxxxxxxx"

    set security ike gateway gw_REMOTE_PITTIO ike-policy ike_pol_REMOTE_PITTIO
    set security ike gateway gw_REMOTE_PITTIO address 193.168.135.253
    set security ike gateway gw_REMOTE_PITTIO dead-peer-detection
    set security ike gateway gw_REMOTE_PITTIO local-identity user-at-hostname "mail@com"
    set security ike gateway gw_REMOTE_PITTIO external-interface ge-0/0/0

    set security ipsec policy ipsec_pol_REMOTE_PITTIO perfect-forward-secrecy keys group2
    set security ipsec policy ipsec_pol_REMOTE_PITTIO proposal-set standard
    set security ipsec vpn REMOTE_PITTIO bind-interface st0.10
    set security ipsec vpn REMOTE_PITTIO ike gateway gw_REMOTE_PITTIO
    set security ipsec vpn REMOTE_PITTIO ike ipsec-policy ipsec_pol_REMOTE_PITTIO
    set security ipsec vpn REMOTE_PITTIO establish-tunnels immediately



  • 2.  RE: Site to site VPN routing problem
    Best Answer

    Posted 08-17-2016 18:55

    Hi,

    The problem description is not very clear.

    If you want to route all the traffic from the remote office to the main office, please change the following route on the branch side:

    set routing-options static route 193.168.135.0/25 next-hop st0.10

    TO

    set routing-options static route 0/0 next-hop st0.10
    set routing-options static route 193.168.135.253/32 next-hop <Gateway_IP>

    However, when the VPN tunnel goes down, this route would still be present in the routing table of the branch SRX and your traffic would stop working.

    You can use vpn-monitoring for this tunnel so that the st interface is brought down when the tunnel goes down and your other default route takes over.

    The second route makes sure that the peer gateway is reachable through the default gateway at all times, even when the tunnel is down for re-negotiation.

    Regards,

    Sahil Sharma

    ---------------------------------------------------

    Please mark my solution as accepted if it helped, Kudos are appreciated as well.
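As an added illustration (not part of the thread and not Junos code), the following Python model walks through the branch routing table the answer above describes: the default route into st0.10, the /32 host route that keeps IKE traffic for the peer off the tunnel, and the fall-back to the DHCP default once vpn-monitor takes st0.10 down. The ISP gateway address, the DHCP subnet and the DHCP route preference are assumptions; the peer and LAN addresses come from the thread.

```python
import ipaddress

# Constructed model of the branch SRX routing table, not Junos code: it reproduces
# why the default route into st0.10 needs a /32 host route for the IKE peer via the
# ISP gateway, and what vpn-monitor buys you when the tunnel goes down.
# Assumptions: Junos static routes have preference 5; the DHCP-learned default is
# given a worse preference (12, a constructed value); a static next-hop must lie in
# a directly connected prefix or the route is not installed (Junos behaviour without
# the 'resolve' knob, simplified). ISP_GW and the DHCP subnet are placeholders.

ISP_GW = "198.51.100.1"          # constructed: gateway learned by DHCP on ge-0/0/0
PEER = "193.168.135.253"         # main office IKE gateway, from the thread

CONNECTED = [                    # (prefix, interface)
    ("198.51.100.0/24", "ge-0/0/0"),       # constructed DHCP subnet
    ("193.168.135.128/27", "ge-0/0/3"),    # branch LAN, from the thread
]

# Accepted answer: static default into the tunnel plus a host route for the peer.
GOOD = [
    ("0.0.0.0/0", ISP_GW, 12),        # default learned from DHCP
    ("0.0.0.0/0", "st0.10", 5),       # static route 0/0 next-hop st0.10
    (PEER + "/32", ISP_GW, 5),        # static route 193.168.135.253/32 next-hop <Gateway_IP>
]
# First attempt later in the thread: the same, but the /32 pointed at the main
# office's upstream gateway, which the branch cannot reach directly.
BAD = GOOD[:2] + [(PEER + "/32", "193.168.135.254", 5)]

def installed(routes, tunnel_up=True):
    """Routes that actually make it into the forwarding table."""
    connected = [(ipaddress.ip_network(p), iface) for p, iface in CONNECTED]
    table = [(net, iface, 0) for net, iface in connected]
    for prefix, nh, pref in routes:
        if nh == "st0.10":
            if tunnel_up:             # vpn-monitor removes st0.10 routes when the tunnel dies
                table.append((ipaddress.ip_network(prefix), nh, pref))
        elif any(ipaddress.ip_address(nh) in net for net, _ in connected):
            table.append((ipaddress.ip_network(prefix), nh, pref))
        # else: next-hop not directly reachable, the static route stays hidden
    return table

def lookup(dest, routes, tunnel_up=True):
    """Longest prefix match, ties broken by lowest preference."""
    d = ipaddress.ip_address(dest)
    best = None
    for net, nh, pref in installed(routes, tunnel_up):
        if d in net and (best is None or (net.prefixlen, -pref) > (best[0].prefixlen, -best[2])):
            best = (net, nh, pref)
    return best[1] if best else None
```

With the /32 missing or unresolvable, packets for 193.168.135.253 (the IKE peer) follow the default into st0.10, so the tunnel can never be negotiated and everything behind it stops, which is the symptom reported later in the thread.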



  • 3.  RE: Site to site VPN routing problem

    Posted 08-18-2016 04:50

    I hope this picture helps to explain what I mean.

    VPN_routing_problem.PNG



  • 4.  RE: Site to site VPN routing problem

    Posted 08-18-2016 05:02

    Thank you for helping.

    But I tested changing the remote office config:

    set routing-options static route 0.0.0.0/0 next-hop st0.10
    set routing-options static route 193.168.135.253/32 next-hop 193.168.135.254

    After the commit, the traffic totally stopped between the offices.



  • 5.  RE: Site to site VPN routing problem

    Posted 08-18-2016 05:34

    Hello,

    Please confirm whether the problem statement here is to route all the traffic from the remote office to the main office through the VPN tunnel, and that nothing from the remote office should go directly to the internet that is present on the remote office side.

    Thanks,

    Pulkit Bhandari



  • 6.  RE: Site to site VPN routing problem

    Posted 09-01-2016 04:49

    Hi,

    Sorry for the delay, other work.

    Yes, my mistake, I put the wrong gateway:
    set routing-options static route 193.168.135.253/32 next-hop "MAIN OFFICE"
    and then the traffic totally stopped.

    But when I changed the gateway to
    set routing-options static route 193.168.135.253/32 next-hop "REMOTE office gateway"
    set routing-options static route 0/0 next-hop st0.10
    this works fine.

    Many thanks, Sahil Sharma.


    A few things:

    What is the difference between
    > set interfaces st0 unit 10 family inet address 192.168.2.1/24
    OR
    > set interfaces st0 unit 10 family inet
    without an IP??

    I added vpn-monitoring:
    > set security ipsec vpn REMOTE_PITTIO vpn-monitor
    This seems to work.
    Is this enough to keep the tunnel up??

    regards
    -- Timo Rantala --