OK, I got this working after fixing a few things, so for the benefit of others trying the same, this is the VR part of the config with my dumb logic.
I have my destination internal networks routed to St0.0 (metric 20) and St0.1 (metric 25).
After you have configured standard St0.0 and St0.1, you need to filter their routes starting at lo0.0:
lo0 {
    unit 0 {
        family inet {
            filter {
                input manager-ip;
                output St0_Out;
            }
            address [lo0 assigned LoopbackIP/32];
        }
    }
}
When you fail over to your backup interface, the SRX needs to be able to send traffic out to build the tunnel for St0.2, so you need a term that accepts all traffic except from St0.0. I got this working by allowing everything else from lo0:
filter St0_Out {
    term Primary {
        from {
            interface st0.1;
        }
        then {
            routing-instance UntrustPri;
        }
    }
    term Bkup {
        from {
            interface st0.2;
        }
        then {
            routing-instance UntrustBkup;
        }
    }
    term AllElse {
        from {
            source-address {
                [lo0 assigned LoopbackIP/32];
            }
            destination-address {
                [destination internal network IP];
            }
        }
        then accept;
    }
}
The routing instances will then take the correct route and prevent St0.x from being able to take any other route. *Make sure you add the physical interface for each instance.
routing-instances {
    UntrustBkup {
        instance-type virtual-router;
        interface dl0.0;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop dl0.0 {
                        metric 10;
                    }
                }
            }
            generate {
                route 0.0.0.0/0 {
                    metric 10;
                }
            }
        }
    }
    UntrustPri {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop [ge-0/0/0.0 public gwip] {
                        metric 10;
                    }
                }
            }
        }
    }
}
*** Note the extra necessary lines for dl0.0:
generate {
    route 0.0.0.0/0 {
        metric 10;
    }
}
Because there is no specific IP for the qualified-next-hop, you have to add this "route of last resort" for your route tables to update the zero route.
Ensure dl0.0 is in a separate untrust security zone and you have policies to allow all the necessary traffic.
security-zone VPN_Bkup {
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
    interfaces {
        st0.1;
    }
}
security-zone untrust_bkup {
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            ike;
        }
    }
    interfaces {
        dl0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    dhcp;
                }
            }
        }
    }
}
from-zone untrust_bkup to-zone VPN_Bkup {
    policy 7001 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone VPN_Bkup to-zone untrust_bkup {
    policy 7000 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
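Added example, not from the original post and not a Juniper tool: a small Python lint for the two gotchas the post calls out (a VR with no physical interface bound, and an interface-only qualified-next-hop such as dl0.0 with no matching generate route), plus a check that every filter term steering into a routing-instance names one that exists. The parser handles only the plain curly-brace layout shown above; the embedded config is a constructed cut-down copy of the post's with UntrustPri left out and UntrustBkup deliberately incomplete, so each check has something to report.

```python
"""Lint the virtual-router / filter-based-forwarding pattern from the post.

Constructed example. SAMPLE_CONFIG mirrors the post's shape but deliberately
omits the UntrustPri instance and leaves UntrustBkup incomplete.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

SAMPLE_CONFIG = """
firewall {
    family inet {
        filter St0_Out {
            term Primary {
                from {
                    interface st0.1;
                }
                then {
                    routing-instance UntrustPri;
                }
            }
            term Bkup {
                from {
                    interface st0.2;
                }
                then {
                    routing-instance UntrustBkup;
                }
            }
        }
    }
}
routing-instances {
    UntrustBkup {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop dl0.0;
                }
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse Junos curly-brace syntax into nested dicts (leaf statements -> None)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_config(cfg):
    """Return a list of findings; an empty list means the pattern is complete."""
    findings = []
    instances = cfg.get("routing-instances", {})
    for name, body in instances.items():
        # The post's first warning: each VR needs its physical interface bound.
        if not any(k.startswith("interface ") for k in body):
            findings.append(f"{name}: no interface bound to the instance")
        ro = body.get("routing-options", {})
        generated = ro.get("generate", {})
        for route, rbody in ro.get("static", {}).items():
            for key in rbody or {}:
                if not key.startswith("qualified-next-hop "):
                    continue
                nexthop = key.split()[1]
                # The post's second warning: an interface-only next-hop (dl0.0)
                # needs a generate route so the default actually installs.
                if not IPV4.match(nexthop) and route not in generated:
                    findings.append(f"{name}: {route} via {nexthop} has no generate route")
    # Every filter term that steers into a VR must name one that exists.
    for fname, fbody in cfg.get("firewall", {}).get("family inet", {}).items():
        for tname, tbody in (fbody or {}).items():
            for key in (tbody or {}).get("then") or {}:
                if key.startswith("routing-instance ") and key.split()[1] not in instances:
                    findings.append(f"{fname} {tname}: unknown routing-instance {key.split()[1]}")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_junos(SAMPLE_CONFIG)):
        print(finding)
```

Run it against `show configuration firewall | display set`-style output and it will choke; it wants the braced form you get from plain `show configuration`, and it only understands the statements used above, so treat it as a checklist script rather than a full Junos parser.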