SRX

last person joined: 13 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  vSRX VPN IPSec Site-to-Site PPPoE problem

    Posted 04-21-2016 04:44

    Hello ladies & gets,

     

    I am new in Juniper and generally JunOS but I found it easier to learn, so in order to make my first steps with the real deal -SRX- I got firstly vSRX in order to test some things. One of them is IPSec Site to Site VPN.

     

    I ve got to try this with two different home modem - routers...lets say the one in Antartica and the other in Arctic, with VMware Workstation as my platform and I put my VMs on Bridged mode. For testing purposes I supposedly accept my 2 different dynamic IPs as static IPs...

     

    I used as my guide this one:

    https://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/ipsec-route-based-vpn-configuring.html

     

    and because I stack in the logic of

     

    set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30 <--in r.s.* this interface is our default gateway?192.168.1.1?
    set interfaces st0 unit 0 family inet address 10.11.11.10/24<--in r.s. this is our virtual ip?Right?We can set is as we want
     
    set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1<--Which is the role of 1.1.1.1 and what is its logic connection to 1.1.1.2?
    set routing-options static route 192.168.168.0/24 next-hop st0.0

     

    I consider reading this:

     

    https://forums.juniper.net/t5/SRX-Services-Gateway/How-to-configure-PPPoE-with-SRX100-10-0R2-10-for-Switzerland/td-p/37702

     
    set routing-options static route 0.0.0.0/0 next-hop pp0.0;

     

    As necessary in order to continue...Is it really necessary to make this routing from pp0.0 or we can just use the above logic with better configuration?

      I wrote some questions in order to get this better!

     

     

    *r.s. = real scenario


    #vpn
    #SRX
    #vSRX
    #site-to-site
    #PPPoE


  • 2.  RE: vSRX VPN IPSec Site-to-Site PPPoE problem
    Best Answer

    Posted 04-22-2016 04:10

    Hello,

     

     

    Please find the answer to your queries in the above post as below:-

     

    1. set interfaces ge-0/0/3 unit 0 family inet address 1.1.1.2/30 <--in r.s.* this interface is our default gateway?192.168.1.1?

    Yes, In R.S. This is your default gateway interface (connected to the modem/ router).

     

    2. set interfaces st0 unit 0 family inet address 10.11.11.10/24<--in r.s. this is our virtual ip?Right?We can set is as we want?

    Yes, This is a virtual IP and you can set it as you want or you can even leave this interface without an IP address (unnumbered) but you will have to atleast configure "family inet" for this interface to work. Also you will have to assign this interface to a security zone.

     

    3. set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1<--Which is the role of 1.1.1.1 and what is its logic connection to 1.1.1.2?

    This is the default route which should be present on the SRX to send all the traffic from SRX to the next hop. 1.1.1.1 is your next hop IP address ( In R.S. it should be the IP address of the router/modem connecting to the SRX). When you use PPPoE interface, generally the default route is also learned through PPPoE and in such case you will not have to configure the above route but if it is not  learned through PPPoE then you have to configure the route as "set routing-options static route 0.0.0.0/0 next-hop pp0.0".

     

    set routing-options static route 192.168.168.0/24 next-hop st0.0 - This route is for specifying the encryption domain of the VPN tunnel. This route will mean that if any traffic on SRX comes to go to the destination 192.168.168.0/24 then it has to go over the tunnel interface st0.0. (192.168.168.0/24 is the remote subnet which should be accessible on the VPN tunnel).

     

    Hence as i have answered the query no. 3 if the default route is already present on SRX learnt through PPPoE then you do not need the route set routing-options static route 0.0.0.0/0 next-hop pp0.0 else you will need it.

     

     

    Thanks,

    Pulkit Bhandari

     

    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. 🙂 



  • 3.  RE: vSRX VPN IPSec Site-to-Site PPPoE problem

    Posted 05-04-2016 01:40

    Dear Pulkit,

     

    I am the same user...I just had to create new account after login problem.

     

    First of all thank you very much for your reply! After that I tried all these days to run it! Again and again...but I am stack! So I uploaded to you the two configurations of SRX-A and SRX-B...please check them.

     

    I don't know if there is anything wrong...cause I always get on:

     

    show security ike security-associations

    DOWN

     

     

    1) Has NAT anything to do with that scenario?

     

    2)I noticed something strange: I have 3 PCs...when I load the image of vSRX in the one of them...there will be no ge-0/0 interfaces at all...so even if I edit the configuration in order assign an IP address on ge...this will be lost cause there is no interface that exists! Logical right? ButI use the same settings on the three of them...I mean the same number of network interfaces of VMware Workstation...why is this happening?

     

    3) https://forums.juniper.net/jnet/attachments/jnet/srx/3161/1/SRX_ERX_PPPoE.txt

     

     


    #site-to-site
    #ppoe
    #vSRX
    #NAT

    Attachment(s)

    txt
    SRX-B.txt   3 KB 1 version
    txt
    SRX-A.txt   3 KB 1 version