Routing

Route Based VPN - Beginner

08-17-2014 08:10 PM

Hi everyone,

 

I'm trying to learn more about VPN solutions with Juniper.  

 

I've been reading the below reference doc:

 

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/ipsec-route-based-vpn-configuring....

 

I wanted to learn more about IP address assignments and connectivity.

 

In the example illustrated, the tunnel 1 and st0.0...any reason why the SSG isn't configured on a similar st interface? Is the secure tunnel interface /24 block dedicated solely for VPN tunneling services?

 

Would such a tunnel run over an ordinary high-speed internet link on the same or various providers, or shall it be interconnected via dedicated serial links?

 

The ports and interfaces connecting out to the internet, are these private /30 blocks reserved and how should they be configured?

 

Can anyone go in to depth on these commands? Where is 1.1.1.1 configured?

 

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-options static route 192.168.168.0/24 next-hop st0.0

 

I'm trying to learn, from a high-level overview, how everything ties together and works.

 

Thanks all

 

4 REPLIES

Re: Route Based VPN - Beginner

08-18-2014 03:53 AM
I wanted to learn more about IP address assignments and connectivity.

In the example illustrated, the tunnel 1 and st0.0...any reason why the SSG isn't configured on a similar st interface? Is the secure tunnel interface /24 block dedicated solely for VPN tunneling services?

The tunnel interfaces SSG-tunnel.1 and SRX st0.0 form a virtual link. This is used solely for the communications between the two devices on the tunnel.

 

So they need to be on the same subnet.  If this is a simple point-to-point link with just two devices then you can put them into a /30.  But if this is a hub-and-spoke situation where one side is point-to-multipoint, then the subnet needs to be large enough to accommodate all of the sites.

 

Would such a tunnel run over an ordinary high-speed internet link on the same or various providers, or shall it be interconnected via dedicated serial links?

The tunnel is a virtual link over whatever base service is provided by the outgoing gateway interface.  That would typically be internet service from any type of provider.  But you could use this over an MPLS service if you want your traffic encrypted over the shared network.  The two gateway service addresses need to be reachable from each other for the virtual link to form.

 

The ports and interfaces connecting out to the internet, are these private /30 blocks reserved and how should they be configured?

Yes, these are private link addresses that you would assign and manage for your internal network topology.  They should be unique within your internal network.

 

Can anyone go in to depth on these commands? Where is 1.1.1.1 configured? 

set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

set routing-options static route 192.168.168.0/24 next-hop st0.0

 These are the static routes for the services needed.  Static routes are configured under the routing-options stanza.

 

The first one is just a default route for the internet service provider on the SRX.

 

The second is a static route to send the remote site subnet into the tunnel so the traffic will be sent.

 

You can also use dynamic routing protocols on the tunnel interfaces if that is part of your network topology.  The tunnel interfaces can participate in OSPF or BGP.

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Route Based VPN - Beginner

08-20-2014 01:09 PM

Very much appreciated, sir, thank you!

 

For the routes:

 

user@host# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

user@host# set routing-options static route 192.168.168.0/24 next-hop st0.0

 

Is the first line configured on the SRX and the second line configured on the SSG?

 

For the first line, shouldn't the next hop be the tunnel 1 interface or IP?

 

For the second line, can't we match all IP subnets with a static route 0.0.0.0/0 and make it a next hop of interface st0.0?

 

How would I enable L3 routing in this example instead of doing a static config?

 

Thanks


Re: Route Based VPN - Beginner

08-20-2014 02:44 PM

Both of these routes are on the SRX.

 

The first is the default route for general access.

user@host# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

 

the second is just to send the specific subnet down the vpn tunnel interface towards the remote site.

user@host# set routing-options static route 192.168.168.0/24 next-hop st0.0

 

For the second line, can't we match all IP subnets with a static route 0.0.0.0/0 and make it a next hop of interface st0.0?

 

Generally, you would not be sending ALL traffic from a site down the VPN tunnel, but only the subnets controlled by the remote side of the vpn.  You need at least the gateway ip address of the remote side to go out the main interface or the tunnel will not come up. 

 

And usually you will also have local internet access for the site via the local ISP.  But there are occasions where this is not wanted.  In those cases you will create a routing instance just for the VPN subnet to get a default route down the VPN tunnel, separate from the main routing instance.  For this see recipe 5 in the Ambassador cookbook for Enterprise.

 

http://forums.juniper.net/t5/Day-One-Books/Day-One-Juniper-Ambassadors-Cookbook-for-Enterprise/ba-p/...

 

How would I enable L3 routing in this example instead of doing a static config?

 

 

You could use BGP or OSPF for the route exchange instead of static routing.  These would be enabled on the desired interfaces and on the tunnel interfaces and the neighbor relationships established.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
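The two alternatives this reply describes, as an added example in Junos set commands that is not taken from the cookbook recipe or from the thread. The addresses are assumed: ge-0/0/1 is the local LAN, st0.0 is the tunnel interface bound to an IPsec VPN whose peer is the SSG at 2.2.2.2, 1.1.1.1 is the ISP gateway from the thread, and the remote LAN is 192.168.168.0/24. Part A sends all LAN traffic through the tunnel by moving the LAN interface and st0.0 into a virtual-router instance whose only default route points at st0.0; the main instance keeps the ISP default, so the IKE and ESP packets to 2.2.2.2 still leave ge-0/0/0 and the tunnel can come up. Part B keeps the split design and replaces the static route for the remote subnet with OSPF across st0.0. The two parts are alternatives, not meant to be loaded together. Lines beginning with # are annotations, not Junos syntax.

```junos
# ===== Part A: every LAN packet goes down the tunnel =====
# The instance sees only the LAN and the tunnel, so its default route is the tunnel.
set routing-instances vpn-vr instance-type virtual-router
set routing-instances vpn-vr interface ge-0/0/1.0
set routing-instances vpn-vr interface st0.0
set routing-instances vpn-vr routing-options static route 0.0.0.0/0 next-hop st0.0

# The main instance keeps the ISP default. The IKE gateway's external-interface
# (ge-0/0/0.0) stays here, so encrypted packets to the SSG at 2.2.2.2 follow this route.
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

# Zone membership is unchanged by the instance; the LAN-to-tunnel policy must now
# allow any destination, since the remote side is expected to forward everything.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0
set security policies from-zone trust to-zone vpn policy all-via-tunnel match source-address any
set security policies from-zone trust to-zone vpn policy all-via-tunnel match destination-address any
set security policies from-zone trust to-zone vpn policy all-via-tunnel match application any
set security policies from-zone trust to-zone vpn policy all-via-tunnel then permit

# ===== Part B: split design, remote subnet learned by OSPF instead of a static =====
# Remove the static so OSPF is the only source of 192.168.168.0/24.
delete routing-options static route 192.168.168.0/24

# st0.0 is a point-to-point link: p2p avoids a DR/BDR election over the tunnel.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
# Advertise the LAN without forming adjacencies on it.
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

# OSPF hellos arrive on st0.0, so the vpn zone must accept the protocol.
set security zones security-zone vpn host-inbound-traffic protocols ospf
```

For Part A, `show route table vpn-vr.inet.0` should show a single 0.0.0.0/0 via st0.0 and the connected LAN, while `show route table inet.0` still shows the ISP default; the remote site must provide a default route and source NAT for the spoke subnet, which is outside this example. For Part B, `show ospf neighbor` should report the SSG's tunnel.1 address in Full state and `show route protocol ospf` should list 192.168.168.0/24; if the neighbour sticks in ExStart, check that both ends of the tunnel use the same MTU, because OSPF will not complete database exchange across a mismatch. Either way, the peer gateway address must never be routed into the tunnel, which is the constraint the reply calls out.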

Re: Route Based VPN - Beginner

08-21-2014 04:29 PM

Much appreciated for the help again, thanks!