SRX

Specifying outgoing VPN IP

  • 1.  Specifying outgoing VPN IP

    Posted 04-11-2011 16:16

    Hi All,

    How do you choose the outgoing IP that the VPN will use to establish a tunnel with a remote host? For example, if you had an interface ge-0/0/0 addressed with a /27, i.e. ge-0/0/0 has the physical IP 60.60.60.1/27, but you want some of your tunnels to be created with the outgoing IP of 60.60.60.2 or 60.60.60.3.

    Any ideas?



  • 2.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 04:12

    This is unfortunately not supported in JUNOS. 



  • 3.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 06:39

    If the IP on which you want to terminate the VPNs isn't in the same IP range as your interface address, you can create an interface with a /32 address on it and use that address for terminating the VPN. Similar to what you would do in ScreenOS.

    VPNs can't be terminated on the loopback interface (lo0) though, unless that changed recently. What I did the last time I needed this was create another unit on a vlan-tagged interface.

    That should still work. Don't forget to add that interface to a zone and create a policy to allow IKE+IPSEC.



  • 4.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 08:18

    I've been terminating IPSec VPNs on loopback interfaces since 10.0R1, so I can verify that it works fine.

    It may not be *supported*, but it *works.* :D



  • 5.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 12:02

    Hi Keith,

    Could you provide an example of how you bind your VPN to the loopback? I have tried this and the other end just gives an IKE retransmission limit reached error.

    Here is what I have which is not working. The other end is an SSG-5 which I know works because I originally made the tunnel using the fe-0/0/0 (5.5.5.1) interface. I just changed the gateway to be 5.5.5.5 on the SSG-5.

    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    address 5.5.5.1/24;
                }
            }
        }
        lo0 {
            unit 100 {
                family inet {
                    address 5.5.5.5/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
        }
    }

    ike {
        policy ike-policy {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "text";
        }
        gateway test-gw {
            ike-policy ike-policy;
            address 5.5.5.254;
            external-interface lo0.100;
        }
    }
    ipsec {
        policy ipsec-policy {
            proposal-set standard;
        }
        vpn test-vpn {
            bind-interface st0.0;
            ike {
                gateway test-gw;
                ipsec-policy ipsec-policy;
            }
            establish-tunnels immediately;
        }
    }

    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
            st0.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ike;
                ping;
            }
        }
        interfaces {
            fe-0/0/0.0;
            lo0.100;
        }
    }




  • 6.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 12:53

    I actually got it working by moving my loopback interface into the trust zone then making a policy from untrust to trust for it. It is strange that I can't ping the loopback when it lives in the untrust zone. Is this a security feature built into Junos?

    On a second note, now that this works, how do I go about adding a new IP? I can't add any more loopback units because it says only one per VR is supported. I can add more IPs to the one unit, but then all VPNs will just use the first IP in the list. Is there a way to scale this trick to support 3 or 4 IPs?

    Thanks as always Keith!



  • 7.  RE: Specifying outgoing VPN IP
    Best Answer

    Posted 04-12-2011 15:03

    You probably needed an untrust->untrust policy to make it work.

    Traffic hits the loopback, then loops back (oddly enough, heheh) into the untrust zone. Took me a while to figure that one out.

    The other "trick" I've used to get multiple addresses is to add "phantom" units to the external interface. I'll usually put the interface in vlan-tagging mode and assign fake vlan tags to the phantom units, then just make sure routing knows how to find the phantom addresses (either by adding them into OSPF or creating static routes and exporting them). Then, I can have an arbitrarily high number of phantom addresses to use.

    I feel really dirty for having to do it that way, but so goes life with Junos sometimes.
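    The loopback-terminated setup as the best answer describes it, written out as an added example in set-command form (this is not configuration from any post in the thread). It reuses the names and addresses from post 5 (lo0.100 at 5.5.5.5/32, gateway test-gw, peer 5.5.5.254, ike-policy already defined) as placeholders; the policy name allow-vpn-to-loopback and the custom ESP application esp-ipsec are assumed names chosen for this example.

```junos
# Added example, not from this thread: IKE/IPsec terminated on a loopback
# address on an SRX, including the intra-zone policy that post 5 was missing.
# Names and addresses are placeholders taken from post 5.

# 1. Loopback unit carrying the VPN endpoint address (Junos allows one lo0
#    unit per routing instance, as noted in post 6).
set interfaces lo0 unit 100 family inet address 5.5.5.5/32

# 2. Put the loopback in the same zone as the physical uplink and admit IKE
#    to it as host-inbound traffic.
set security zones security-zone untrust interfaces lo0.100
set security zones security-zone untrust host-inbound-traffic system-services ike

# 3. Bind the IKE gateway to the loopback instead of fe-0/0/0.0.
set security ike gateway test-gw ike-policy ike-policy
set security ike gateway test-gw address 5.5.5.254
set security ike gateway test-gw external-interface lo0.100

# 4. Packets arriving on the physical uplink for the loopback address are
#    re-evaluated from untrust back into untrust, so an explicit
#    untrust->untrust policy is required. junos-ike is a predefined
#    application (UDP 500); esp-ipsec is defined here (assumed name) so the
#    ESP payload is also permitted.
set applications application esp-ipsec protocol esp
set security policies from-zone untrust to-zone untrust policy allow-vpn-to-loopback match source-address any
set security policies from-zone untrust to-zone untrust policy allow-vpn-to-loopback match destination-address any
set security policies from-zone untrust to-zone untrust policy allow-vpn-to-loopback match application [ junos-ike esp-ipsec ]
set security policies from-zone untrust to-zone untrust policy allow-vpn-to-loopback then permit
```

    In production, narrow source-address and destination-address to the peer and loopback addresses rather than any, so the intra-zone rule does not become a general untrust-to-untrust permit. After commit, `show security ike security-associations` and `show security ipsec security-associations` confirm whether Phase 1 and Phase 2 came up on 5.5.5.5.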



  • 8.  RE: Specifying outgoing VPN IP

    Posted 04-12-2011 17:41

    You were spot on with the Untrust to Untrust policy. That was my issue. That darn Intra-Zone policy always comes back to bite me in the ass.

    As for your trick using phantom interfaces, how do you get around the fact that your upstream ISP won't like the fact that you send packets with VLAN tags on them? Or do those not get sent... I am confusing myself now but I think you get the point of my question... lol

    Also with your phantom interfaces, let's say you have a /24. Do you create your first unit as 5.5.5.1/24 then the rest as /32, i.e. 5.5.5.2/32, 5.5.5.3/32?



  • 9.  RE: Specifying outgoing VPN IP

    Posted 04-13-2011 09:57

    Using the "phantom interfaces" I don't actually send the traffic with VLAN tags. It's a total kludge, and I'd never recommend anybody try this at home -- but I figured out that I could make it work and trick Junos into doing things that I'd consider slightly more sane than the way Junos operates sometimes (*ONE* loopback? Come on, Juniper! :) )

    The vlan tags on the phantom interfaces are just there as placeholders. Hold onto your hat for this one, you might start to think I've completely lost it.

    Here's an example that's actually in production right now:

    reth0 {                                 
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 18 {
            vlan-id 666;
            family inet {
                address X.Y.18.145/27;
            }
        }
        unit 420 {
            vlan-id 420;
            family inet {
                address 10.255.4.2/30;
            }
        }
    }

    The reason this works is that the router/switch upstream from this SRX does not have VLAN tag 666 configured (and even if it does, it's not applied to the interface that connects to my SRX). Since there is no VLAN 666 on the remote end, the router/switch upstream does not see a Layer 2 adjacency to my SRX on that VLAN, which means there is no "connected" or "direct" route installed in the routing table for either the switch or the SRX. Since there's no L2 connection, the SRX won't send the traffic as a layer 2 frame, it will send it as a routed packet through the system's routing table. I add the phantom interface into our OSPF area so that the route for X.Y.18.145/27 is advertised through our network, and our upstream devices see the next hop as 10.255.4.2 (the reth0.420 interface which peers with the upstream device). The same could be done with static routes and/or redistribution.

    Now, the only thing I haven't tried yet is to put multiple interfaces in the same address space, however I don't get any errors on a "commit check" if I do this, for example:

    reth0 {                                 
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 18 {
            vlan-id 666;
            family inet {
                address X.Y.18.145/27;
            }
        }
        unit 188 {
            description "LET'S TRY THIS!!";
            vlan-id 667;
            family inet {
                address X.Y.18.148/27;
            }
        }
        unit 420 {
            vlan-id 420;
            family inet {
                address 10.255.4.2/30;
            }
        }
    }

    If you're using the same address space/subnet across your "real" and "phantom" interfaces, you wouldn't even need to worry about routing voodoo at that point, since traffic is going to route back to your device for that subnet anyway.  I would be cautious though that additional units/addresses in the same subnet might try to be sent as layer 2 frames with incorrect VLAN tags since they'll have direct/connected routes in the routing table.
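    The phantom-unit approach from the post above, written out as an added example in set-command form (not keithr's own configuration). It keeps the placeholders from the post (reth0.18 on VLAN 666 with X.Y.18.145/27, reth0.420 as the real peering on 10.255.4.2/30) and adds what the post describes in words: zone membership, OSPF advertisement of the phantom subnet, and an IKE gateway sourced from the phantom address. The gateway name remote-site, the peer address 203.0.113.10 and the assumption that ike-policy is already defined are this example's, not the thread's.

```junos
# Added example, not from this thread: a "phantom" vlan-tagged unit on the
# uplink used as an additional IKE source address. Placeholders follow post 9.

# reth0.420 is the real Layer 3 peering with the upstream device. reth0.18 is
# tagged with VLAN 666, which the upstream does not configure, so no L2
# adjacency forms and X.Y.18.128/27 is reachable only by routing.
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 420 vlan-id 420
set interfaces reth0 unit 420 family inet address 10.255.4.2/30
set interfaces reth0 unit 18 vlan-id 666
set interfaces reth0 unit 18 family inet address X.Y.18.145/27

# Both units sit in the untrust zone; IKE is admitted only on the phantom unit
# (interface-level host-inbound-traffic), not on the peering unit.
set security zones security-zone untrust interfaces reth0.420
set security zones security-zone untrust interfaces reth0.18 host-inbound-traffic system-services ike

# Advertise the phantom subnet. Running reth0.18 as a passive OSPF interface
# announces X.Y.18.128/27 without attempting an adjacency over VLAN 666; the
# upstream then sees 10.255.4.2 as the next hop, as the post describes.
set protocols ospf area 0.0.0.0 interface reth0.420
set protocols ospf area 0.0.0.0 interface reth0.18 passive

# Static-route alternative, configured on the upstream router rather than the
# SRX (shown for reference only):
#   set routing-options static route X.Y.18.128/27 next-hop 10.255.4.2

# IKE gateway sourced from the phantom address (peer address is assumed).
set security ike gateway remote-site ike-policy ike-policy
set security ike gateway remote-site address 203.0.113.10
set security ike gateway remote-site external-interface reth0.18
```

    The caveat at the end of the post still applies: if a phantom unit shares a subnet with the real uplink unit, the SRX installs a direct route for it and may try to forward as a tagged Layer 2 frame, so keep phantom subnets distinct from the peering subnet as shown here. `show route X.Y.18.145` on the upstream device confirms that the next hop resolves to 10.255.4.2 before the tunnel is brought up.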

     



  • 10.  RE: Specifying outgoing VPN IP

    Posted 04-13-2011 13:07

    Makes sense. Thanks!

    BTW I tried to set this up using a tangent of your method here. I created some vlan interfaces and gave them public /32 IPs out of my main internet /27 address space. I then applied all these vlan interfaces to a free port which I turned into an ethernet switching trunk with a loopback command on it to keep it alive.

    This allows me to draw all the traffic for those /32s and allows me to set my IKE external interface to vlan.666 or vlan.667. Seems to work fine except I waste a port in this design.



  • 11.  RE: Specifying outgoing VPN IP

    Posted 04-14-2011 00:06

    Good to know I'm not the only one doing crazy things like this, we even used the same VLAN ID 🙂

    I thought of using the loopback command as well, but was told this didn't work, at least not in clustering mode. Did you try this on a cluster or a standalone device?



  • 12.  RE: Specifying outgoing VPN IP

    Posted 04-14-2011 07:46

    I did this on a standalone box.  This makes me realize that it would not work in a cluster unless Junos lets me do the loopback on a reth interface....



  • 13.  RE: Specifying outgoing VPN IP

    Posted 12-22-2011 12:56

    Also, doesn't this allow for IP "selection" where you would put multiple /32 IPs on an interface

    set gateway GW_NAME local-identity inet A.B.C.D

    ?



  • 14.  RE: Specifying outgoing VPN IP

    Posted 12-29-2011 17:30

    @TravisJohnson wrote:

    Also, doesn't this allow for IP "selection" where you would put multiple /32 IPs on an interface

    set gateway GW_NAME local-identity inet A.B.C.D

    ?


    Not sure exactly what you mean there... but you can't have multiple addresses overlapping on an interface. For example, if your "main" interface IP is 1.1.1.1/24, you can't put 1.1.1.3/32 on the same interface. That's why my examples are using different subnet ranges.



  • 15.  RE: Specifying outgoing VPN IP

    Posted 12-30-2011 09:06

    Hi Keithr

    I may be missing something, but doesn't this type of configuration do the same?

    lab@srxA-1# show interfaces ge-0/0/3
    unit 0 {
        family inet {
            address 172.18.1.2/24 {
                preferred;
            }
            address 172.18.1.222/24;
        }
    }


    lab@srxA-1# show security ike gateway phase1-gateway
    ike-policy phase1-policy;
    address 172.18.2.2;
    external-interface ge-0/0/3.0;
    local-address 172.18.1.222;

    Here I put a secondary address (.222) on the interface and force the SRX to use it for IKE with a (hidden) command, local-address.



  • 16.  RE: Specifying outgoing VPN IP

    Posted 12-30-2011 12:17

    @pk wrote:

    I may be missing something, but doesn't this type of configuration do the same?


    There are some caveats to using preferred and primary addresses on interfaces. I'd have to go dig through the documentation again, but I specifically avoided it at the time for a reason.

    Additionally, my examples are using different subnets and it allows me to control how routes are advertised (or not) through the "real" interface.



  • 17.  RE: Specifying outgoing VPN IP

    Posted 12-22-2011 12:53

    @keithr wrote:

    Using the "phantom interfaces" I don't actually send the traffic with VLAN tags. It's a total kludge, and I'd never recommend anybody try this at home -- but I figured out that I could make it work and trick Junos into doing things that I'd consider slightly more sane than the way Junos operates sometimes (*ONE* loopback? Come on, Juniper! :) )

    The vlan tags on the phantom interfaces are just there as placeholders. Hold onto your hat for this one, you might start to think I've completely lost it.

    Here's an example that's actually in production right now:

    reth0 {                                 
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 18 {
            vlan-id 666;
            family inet {
                address X.Y.18.145/27;
            }
        }
        unit 420 {
            vlan-id 420;
            family inet {
                address 10.255.4.2/30;
            }
        }
    }

    The reason this works is that the router/switch upstream from this SRX does not have VLAN tag 666 configured (and even if it does, it's not applied to the interface that connects to my SRX). Since there is no VLAN 666 on the remote end, the router/switch upstream does not see a Layer 2 adjacency to my SRX on that VLAN, which means there is no "connected" or "direct" route installed in the routing table for either the switch or the SRX. Since there's no L2 connection, the SRX won't send the traffic as a layer 2 frame, it will send it as a routed packet through the system's routing table. I add the phantom interface into our OSPF area so that the route for X.Y.18.145/27 is advertised through our network, and our upstream devices see the next hop as 10.255.4.2 (the reth0.420 interface which peers with the upstream device). The same could be done with static routes and/or redistribution.

    Now, the only thing I haven't tried yet is to put multiple interfaces in the same address space, however I don't get any errors on a "commit check" if I do this, for example:

    reth0 {                                 
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 18 {
            vlan-id 666;
            family inet {
                address X.Y.18.145/27;
            }
        }
        unit 188 {
            description "LET'S TRY THIS!!";
            vlan-id 667;
            family inet {
                address X.Y.18.148/27;
            }
        }
        unit 420 {
            vlan-id 420;
            family inet {
                address 10.255.4.2/30;
            }
        }
    }

    If you're using the same address space/subnet across your "real" and "phantom" interfaces, you wouldn't even need to worry about routing voodoo at that point, since traffic is going to route back to your device for that subnet anyway.  I would be cautious though that additional units/addresses in the same subnet might try to be sent as layer 2 frames with incorrect VLAN tags since they'll have direct/connected routes in the routing table.

     


    What do you use for outgoing interface in IKE config?



  • 18.  RE: Specifying outgoing VPN IP

    Posted 12-29-2011 17:29

    @TravisJohnson wrote:

    What do you use for outgoing interface in IKE config?


    I can use any of them, assuming that they're valid IP addresses. Internally, for example, I use the reth.420 address and its internal IP address. For external connections, I can use the reth.18 as it's a public IP. Just be sure your routing is propagated through your network properly.



  • 19.  RE: Specifying outgoing VPN IP

    Posted 09-23-2014 08:28

    "Accepted Solution"

     



  • 20.  RE: Specifying outgoing VPN IP

    Posted 12-21-2011 15:39

    I am looking for a config doc that tells how to configure using a loopback address for a VPN tunnel. I have a scenario where I need to create 2 tunnels on the remote side, but one terminates on one SRX and one on the other SRX in a core (route-based scenario).