SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

  • 1.  VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-15-2015 08:25

    I'm trying to get my VPN tunnel to work when the primary untrust interface fails over to the dial-backup.

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                backup-options {
                    interface dl0.0;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop [pri gw ip] {
                    metric 20;
                }
                qualified-next-hop dl0.0 {
                    metric 25;
                }
            }
            route [Location1 internal ip] {
                qualified-next-hop st0.1 {
                    metric 20;
                }
                qualified-next-hop st0.2 {
                    metric 25;
                }
            }
        }
    }
    security {
        ike {
            gateway Location1-P1 {
                ike-policy ICUNSA_AES256-P1;
                address [public ip];
                local-identity user-at-hostname "letmein@location1.com";
                external-interface ge-0/0/0.0;
            }
        }
        ipsec {
            proposal ICUNSA_AES256-P2 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            vpn Location1-P2 {
                bind-interface st0.1;
                vpn-monitor {
                    optimized;
                    source-interface lo0.0;
                    destination-ip [Location1 internal ip];
                }
                ike {
                    gateway Location1-P1;
                    idle-time 60;
                    no-anti-replay;
                    ipsec-policy ICUNSA_AES256-P2;
                }
                establish-tunnels immediately;
            }
        }
    }


    Tried: Issue
    Single VPN tunnel: can't be bound to two physical interfaces.
    Primary/secondary VPN tunnels: works at first; however, after st0.2 successfully passes internal traffic, st0.1 discovers the 0.0.0.0/0 route to dl0 and tries to come up, which breaks routing.
    Firewall filter with st0.1 and st0.2 public interfaces allowed by routing-instances: breaks 0.0.0.0/0 routing.

     

    Any other ideas to try? This was so much easier on an SSG5 😞



  • 2.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-15-2015 08:33

    Hello,

     

    You can try to create 2 different IKE gateways (one with ge-0/0/0 and the other with the dl interface). Then bind the first gateway to st0.1 and bind the second gateway to the VPN on st0.2.

     

    So once the primary route for ge-0/0/0 fails, it will take the qualified next hop as the dl interface and form the secondary tunnel with st0.2.



  • 3.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-15-2015 08:40

    That was how we did it on the SSG; however, on the SRX it only works at first... after st0.2 successfully passes internal traffic and sits idle a few seconds, st0.1 discovers the 0.0.0.0/0 route via dl0 and tries to come up, which breaks routing.

    Although st0.1 is bound to ge-0/0/0, it's discovering the 0.0.0.0/0 route and interfering.



  • 4.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

     
    Posted 07-15-2015 08:49


  • 5.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-15-2015 09:47

    Unfortunately this scenario assumes your 2nd ISP is also a static IP vs. DHCP.

    I'm no longer getting any 0.0.0.0/0 routes when adding routing instances.

     

        dl0 {
            description USB-modem-backup;
            encapsulation ppp;
            unit 0 {
                ppp-options {
                    pap {
                        local-name "Elvis";
                        no-rfc2486;
                        local-password "$9$J7DqP/Ctu1R/9WL"; ## SECRET-DATA
                        passive;
                    }
                    lcp-max-conf-req 0;
                    ncp-max-conf-req 0;
                }
                family inet {              
                    negotiate-address;
                }
                family iso;
                dialer-options {
                    pool usb-modem-dialer-pool;
                    dial-string 818005904857;
                    activation-delay 1;
                    deactivation-delay 30;
                }
            }
        }

     

        filter St0_Out {
            term Primary {
                from {
                    interface st0.1;
                }
                then {
                    routing-instance ri_untrust_pri;
                }
            }
            term BkUp {
                from {
                    interface st0.4;
                }
                then {
                    routing-instance ri_untrust_bkup;
                }
            }
        }

     

    ri_untrust_bkup {
        instance-type virtual-router;
        interface dl0.0;
    }

    ri_untrust_pri {
        instance-type virtual-router;
        interface ge-0/0/0.0;
    }



  • 6.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-15-2015 09:58

    Hello,

     

    Thanks for the update. Since the backup link, i.e. the dl interface, has a DHCP IP, it's a bit tough. But you can try to give a static route on the backup VR with next-hop dl0.0. Never tested this, but you can give it a try. The issue is that we do not have a default route for dl0.0.

     

    static {
        route 0.0.0.0/0 next-hop dl0.0;
    }



  • 7.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-17-2015 11:14

    OK, I was able to set that; however, the firewall filter is not allowing the traffic to go to the routing instance. I'm not following the KB29227 example's concept of adding lo0.0 to family iso and assigning it an IP?

     

     

    filter St0_Out {                       
        term Primary {
            from {
                interface st0.1;
            }
            then {
                routing-instance ri_untrust_pri;
            }
        }
        term BkUp {
            from {
                interface st0.2;
            }
            then {
                routing-instance ri_untrust_bkup;
            }
        }
    }

     

    ri_untrust_pri {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop [public gw ip];
            }
        }
    }

     

    ri_untrust_bkup {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop dl0.0;
            }
        }
    }

     

    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
                address [private ip loopback/32]; 
            }
            family iso;
        }
    }



  • 8.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-19-2015 22:33

    Hello,

     

    I am not sure if your filter configuration is correct, since the filter term says "from interface st". We need the route failover based on the primary link's up/down status.



  • 9.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-20-2015 09:41

    I think you're correct, because st0 routes to lo0? I moved the location of the output filter to lo0 instead of the physical interfaces.

    So the process flow should now be...

    st0.1 and st0.2 look to lo0 for the route to 0.0.0.0/0

    lo0 now points to the output filter

     

    interfaces {
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input manager-ip;
                        output St0_Out;
                    }
                    address 10.181.110.200/32;
                }
                family iso;
            }
        }
    }

     

    I corrected the output filter so it's now under family inet instead of being at the same level.

     

    firewall {
        family inet {
            filter St0_Out {
                term Primary {
                    from {
                        interface st0.1;
                    }
                    then {
                        routing-instance ri_untrust_pri;
                    }
                }
                term BkUp {
                    from {
                        interface st0.2;
                    }
                    then {
                        routing-instance ri_untrust_bkup;
                    }
                }
            }
        }
    }

     

    Based on which st0.# the traffic is coming in from, lo0 should redirect to the corresponding routing-instance to give them a 0.0.0.0/0 route.

     

    routing-instances {
        ri_untrust_bkup {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop dl0.0;
                }
            }
        }
        ri_untrust_pri {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop [public gwip for ge-0/0/7.0];
                }
            }
        }
    }

     

     

    Unfortunately, however, outbound traffic seems to be blocked...?



  • 10.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-20-2015 23:34

    Hello,

     

    Instead of using filter-based forwarding, why not try using ip-monitoring for route failover? Here is a sample configuration for you:

     

    routing-options {
        static {
            route [Location1 internal ip] {
                next-hop st0.0;
            }
        }
    }

    security {
        ike {
            gateway Location1-P1 {
                ike-policy ICUNSA_AES256-P1;
                address [public ip];
                local-identity user-at-hostname "letmein@location1.com";
                external-interface ge-0/0/0.0;
            }
            gateway Location1-P1-Backup {
                ike-policy ICUNSA_AES256-P1;
                address [public ip];
                local-identity user-at-hostname "letmein@location1.com";
                external-interface dl0.0;
            }
        }
        ipsec {
            vpn Location1-P2 {
                bind-interface st0.0;
                ike {
                    gateway Location1-P1;
                    idle-time 60;
                    no-anti-replay;
                    ipsec-policy ICUNSA_AES256-P2;
                }
                establish-tunnels immediately;
            }
            vpn Location1-P2-Backup {
                bind-interface st0.1;
                ike {
                    /* the backup VPN must reference the gateway whose external-interface is dl0.0 */
                    gateway Location1-P1-Backup;
                    idle-time 60;
                    no-anti-replay;
                    ipsec-policy ICUNSA_AES256-P2;
                }
                establish-tunnels immediately;
            }
        }
    }

    routing-instances {
        isp2-DL {
            instance-type virtual-router;
            interface dl0.0;
        }
    }

    services {
        rpm {
            probe example {
                test test-name {
                    target address 4.2.2.2;
                    probe-count 3;
                    probe-interval 15;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/0.0;
                    next-hop [pri gw ip];
                }
            }
        }
        ip-monitoring {
            policy test {
                match {
                    rpm-probe example;
                }
                then {
                    preferred-route {
                        route 0.0.0.0/0 {
                            next-hop [st0.1 IP];
                        }
                    }
                }
            }
        }
    }



  • 11.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-21-2015 13:02

    I tried this; however, it seems to break all 0.0.0.0/0 routing when ge-0/0/0.0 is physically down, regardless of what I try...

     

            route 0.0.0.0/0 {
                qualified-next-hop [ge-0/0/0.0 gwip] {
                    metric 20;
                }
                qualified-next-hop dl0.0 {
                    metric 25;
                }
            }

     

     



  • 12.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-22-2015 01:28

    Hello,

     

    Do not give the qualified next hop; just configure the primary route 0/0 to ge-0/0/0. The secondary route will be taken care of by IP monitoring.



  • 13.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-22-2015 13:24

    That resulted in a lower zero route rejecting everything, and I don't understand how/where the isp2-DL VR is being called/referenced from, or why you're pointing a zero route to a single tunnel.

     

    Just to make sure I understand your proposed concept...

     

    st0.x each have their own IKE gateway bound to separate public interface(s).

    They try taking the only zero route.

     

    routing-options {
        interface-routes {
            rib-group inet fbf-group;
        }
        static {

            route 0.0.0.0/0 {
                next-hop [ge-0/0/0.0 public gwip];
                metric 20;
            }
        }
    }

     

    We're not running the IS-IS protocol?

     

    routing-instances {
       isp2-DL {
           instance-type virtual-router;   
           interface dl0.0;
       }
    }

     

    We're running the following...

     

    services {
        rpm {
            probe ZeroRoute {
                test PingHome {
                    target address [known good public IP];
                    probe-count 3;
                    probe-interval 15;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/7.0;
                    next-hop [ge-0/0/7.0 public gwip];
                }
            }
        }
        ip-monitoring {
            policy ZeroRoute {
                match {
                    rpm-probe ZeroRoute;
                }
                then {
                    preferred-route {
                        route 0.0.0.0/0 {
                            next-hop [St0.1 ip];
                        }
                    }
                }
            }
        }
    }

     

     

    So the 0.0.0.0/0 route to ge-0/0/0.0 is always valid, and if that physical interface is down, traffic should route to dl0.0 automatically, and if the ping test from ge-0/0/0 fails, the remaining internal traffic should reroute to st0.1?



  • 14.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-22-2015 19:35

    Hello,

     

    Your understanding is correct. If the ping fails through ge-0/0/0, the ip-monitoring will inject the dl0.0 route into the routing table.



  • 15.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-23-2015 06:12

    This results in the following:

     

    0.0.0.0/0     *[Static/1] 16:51:38, metric2 0
                         Reject
                        [Static/5] 16:44:14, metric 20
                        > to [ge-0/0/0.0 public gwip] via ge-0/0/0.0 

     

    I have not defined any routes with metric 2, so I think it's a chicken-or-egg scenario: the monitoring is failing and sending everything to st0.1 before st0.0 even has a chance to try ge-0/0/0.0.

     

     

    I think the webfilter model was much closer to what I need; I just need to include a last term statement that would allow all other traffic out except from st0.0 and st0.1.

     

     



  • 16.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface
    Best Answer

    Posted 07-24-2015 13:46

    OK, I got this working after fixing a few things, so for the benefit of others trying the same, this is the VR part of the config with my dumb logic.

     

    I have my destination internal networks routed to st0.0 with metric 20 and st0.1 with metric 25.

    After you have configured the standard st0.0 and st0.1, you need to filter their routes starting at lo0.0.

     

        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input manager-ip;
                        output St0_Out;
                    }
                    address [lo0 assigned LoopkbackIP/32];
                }
            }
        }

     

    When you fail over to your backup interface, the SRX needs to be able to send traffic out to build the tunnel for st0.2, so you need a term that accepts all traffic except from st0.0. I got this working by allowing everything else from lo0...

     

            filter St0_Out {
                term Primary {
                    from {
                        interface st0.1;
                    }
                    then {
                        routing-instance UntrustPri;
                    }
                }
                term Bkup {
                    from {
                        interface st0.2;
                    }
                    then {
                        routing-instance UntrustBkup;
                    }
                }
                term AllElse {
                    from {
                        source-address {
                            [lo0 assigned LoopkbackIP/32];
                        }
                        destination-address {
                            [destination internal network IP];
                        }
                    }
                    then accept;
                }
            }

     

    The routing instances will then take the correct route and prevent st0.x from being able to take any other route. *Make sure you add the physical interface for each instance.

     

    routing-instances {
        UntrustBkup {
            instance-type virtual-router;
            interface dl0.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop dl0.0 {
                            metric 10;
                        }
                    }
                }
                generate {
                    route 0.0.0.0/0 {
                        metric 10;
                    }
                }
            }
        }
        UntrustPri {
            instance-type virtual-router;
            interface ge-0/0/0.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop [ge-0/0/0.0 public gwip] {
                            metric 10;
                        }
                    }
                }
            }
        }
    }

     

    *** Note the extra lines necessary for dl0.0:

     

    generate {
        route 0.0.0.0/0 {
            metric 10;
        }
    }

     

    Because there is no specific IP for the qualified-next-hop, you have to add this "route of last resort" for your route tables to update the zero route...

     

    Ensure dl0.0 is in a separate untrust security zone and you have policies to allow all the necessary traffic.

     

            security-zone VPN_Bkup {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                    }
                }
                interfaces {
                    st0.1;
                }
            }
            security-zone untrust_bkup {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                        ike;
                    }
                }
                interfaces {
                    dl0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                dhcp;
                            }
                        }
                    }
                }
            }

     

            from-zone untrust_bkup to-zone VPN_Bkup {
                policy 7001 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN_Bkup to-zone untrust_bkup {
                policy 7000 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
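An added verification pass for the best-answer design (my own, not part of the thread or Juniper documentation): it confirms that each virtual router only ever holds its own default route, that the filter terms actually fire, and that the backup tunnel negotiates from the dl0.0 address rather than leaking onto the primary uplink. It assumes the names used above (UntrustPri, UntrustBkup, St0_Out); the per-term counters are an assumed addition, bracketed values are placeholders, and lines starting with ## are annotations, not CLI input.

```junos
## Assumed addition: counters on each FBF term so filter hits are visible.
set firewall family inet filter St0_Out term Primary then count pri-hits
set firewall family inet filter St0_Out term Bkup then count bkup-hits
set firewall family inet filter St0_Out term AllElse then count allelse-hits
commit

## 1. Each VR must carry one default route over its own uplink only.
##    UntrustPri must never show dl0.0; UntrustBkup must never show the
##    ge-0/0/0 gateway. In UntrustBkup the static entry is only usable while
##    dl0.0 is dialed up, and the generated route is what keeps 0/0 present.
show route 0.0.0.0/0 table UntrustPri.inet.0 exact
show route 0.0.0.0/0 table UntrustBkup.inet.0 exact

## 2. The main instance keeps its own 0/0 (ge-0/0/0 metric 20, dl0.0 metric 25).
##    This is the route st0.x used to discover before FBF; after the fix,
##    st0.x traffic never consults it because lo0's output filter diverts it.
show route 0.0.0.0/0 exact
show interfaces dl0.0 terse

## 3. Filter hits: while the primary is up only pri-hits and allelse-hits grow;
##    after failover bkup-hits grows and pri-hits stops. If nothing grows, the
##    filter is attached at the wrong place (see the lo0 output attachment).
show firewall filter St0_Out

## 4. Tunnel state: the backup IKE SA's local address must be the PPP address
##    negotiated on dl0.0, not the ge-0/0/0 address. If both SAs show the
##    ge-0/0/0 address, the backup gateway's external-interface is wrong.
show security ike security-associations
show security ipsec security-associations

## 5. Reachability to the peer from inside the backup VR only
##    (placeholder: the peer's IKE address from the ike gateway config).
ping [public ip] routing-instance UntrustBkup count 3

## 6. After pulling ge-0/0/0, the destination route must move from the
##    primary st0 (metric 20) to the backup st0 (metric 25), and back again
##    once the primary tunnel is re-established.
show route [Location1 internal ip]

## 7. Confirm the zone policy actually permits the backup tunnel traffic.
show security policies from-zone VPN_Bkup to-zone untrust_bkup
show security policies from-zone untrust_bkup to-zone VPN_Bkup
```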

     



  • 17.  RE: VPN tunnel failover from ge-0/0/0 to dl0 USB v.92 dial-backup interface

    Posted 07-26-2015 21:58

    Hello,

     

    Thanks for sharing the output.