SRX Services Gateway

FBF on Tunnel interface

Wednesday

Hello Juniper community,

 

I have a question regarding FBF on SRX,

let's consider this topology.

Two SRXs connected with an IPsec VPN over tunnel interface st0.

I am required to attach a filter for FBF (filter-based forwarding) on the incoming traffic from the other side (unencrypted traffic).

The filter matches the source and destination IP address, then assigns the traffic to a VR.

The question is where to attach this filter: on the st0 interface or the outside interface?

The configuration is as follows:

 

set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.2/30
set interfaces st0 unit 0 family inet address 10.10.11.10/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone vpn-chicago interfaces st0.0
set security zones security-zone vpn-chicago host-inbound-traffic protocols all
set security zones security-zone vpn-chicago host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic protocols all
set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha-256
set security ike proposal ike-proposal encryption-algorithm aes-256-cbc
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text $ABC123
set security ike gateway gw-sunnyvale external-interface ge-0/0/3.0
set security ike gateway gw-sunnyvale ike-policy ike-policy
set security ike gateway gw-sunnyvale address 10.2.2.2
set security ike gateway gw-sunnyvale version v2-only
set security ipsec traceoptions flag all
set security ipsec proposal ipsec_prop protocol esp
set security ipsec proposal ipsec_prop authentication-algorithm hmac-sha-256
set security ipsec proposal ipsec_prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec_pol proposals ipsec_prop
set security ipsec vpn ipsec_vpn1 ike ipsec-policy ipsec_pol
set security ipsec vpn ipsec_vpn1 bind-interface st0.0
set security ipsec vpn ipsec_vpn1 ike gateway gw-sunnyvale

Re: FBF on Tunnel interface

Wednesday

Hi, 

 

>> I am required to attach a filter for FBF (filter-based forwarding) on the incoming traffic from the other side (unencrypted traffic)

I am assuming the unencrypted traffic (non-tunneled) would ingress on ge-0/0/3 which is the WAN interface.

If yes, then the filter should be applied on that interface.

 

Cheers, 

Ashvin


Re: FBF on Tunnel interface

Wednesday

Sorry the direction of the traffic is a little confusing to me.  FBF filters are placed on the interface where the packets being redirected enter the SRX.

 

So if the traffic is coming from another site on the encrypted tunnel into your SRX the filter is on the tunnel interface.

 

If the traffic is destined to enter the tunnel on your SRX into the tunnel interface, the filter would need to be applied on every SRX interface where your internal traffic destined for that tunnel arrives on the SRX.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: FBF on Tunnel interface

Friday

I will try to be more clear,

The problem I am having is when we have two SRXs connected to each other using IPsec (over tunnel interface).

I would like to apply FBF on the traffic (which is coming from the other side) after it has been decrypted.

My question is where should I place my FBF filter?

Should it be on the tunnel interface inside the SRX, or the outside interface where the IPsec traffic is being received?


Re: FBF on Tunnel interface

Friday

Thanks for the clarification.  The FBF filter will be on the st0 tunnel interface for that use case.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
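As an added illustration of the answer above (this is not configuration from the original poster or from the replies), the following Junos set commands build a filter-based forwarding filter and attach it as an input filter on st0.0, so it evaluates the decrypted inner packets arriving from the remote site. It reuses st0.0, the 192.0.2.0/24 LAN and the vpn-chicago zone from the poster's configuration; the routing-instance name vr-chicago, the filter name fbf-from-chicago, the remote LAN prefix 10.20.0.0/24 and the next-hop 192.0.2.254 are constructed placeholders for the example.

```junos
# Forwarding-type routing instance that the matched traffic is steered into.
# Its next-hop is a constructed placeholder; replace it with the real gateway.
set routing-instances vr-chicago instance-type forwarding
set routing-instances vr-chicago routing-options static route 0.0.0.0/0 next-hop 192.0.2.254

# A forwarding instance has no interfaces of its own, so share the interface
# (direct) routes from inet.0 into it with a rib-group; without this the
# next-hop above is unresolvable inside vr-chicago.inet.0.
set routing-options rib-groups fbf-rg import-rib inet.0
set routing-options rib-groups fbf-rg import-rib vr-chicago.inet.0
set routing-options interface-routes rib-group inet fbf-rg

# The FBF filter: match on the inner (decrypted) source/destination addresses.
# 10.20.0.0/24 stands in for the remote site's LAN (constructed value).
set firewall family inet filter fbf-from-chicago term match-chicago from source-address 10.20.0.0/24
set firewall family inet filter fbf-from-chicago term match-chicago from destination-address 192.0.2.0/24
set firewall family inet filter fbf-from-chicago term match-chicago then count fbf-chicago-hits
set firewall family inet filter fbf-from-chicago term match-chicago then routing-instance vr-chicago

# A Junos filter ends with an implicit discard, so everything that is not
# redirected must be explicitly accepted or the tunnel drops all other traffic.
set firewall family inet filter fbf-from-chicago term default then accept

# Attach on the tunnel interface, not on ge-0/0/3: on the outside interface the
# packets are still ESP and the inner addresses are not visible to the filter.
set interfaces st0 unit 0 family inet filter input fbf-from-chicago
```

After commit, `show route table vr-chicago.inet.0` should list the shared interface routes alongside the static default, and `show firewall filter fbf-from-chicago` shows the fbf-chicago-hits counter incrementing only when matching decrypted traffic arrives over the tunnel; if the counter stays at zero while the VPN is up, the match terms (or the filter placement) are the first thing to check. Security policies between the vpn-chicago and trust zones are still evaluated as usual; FBF changes the route lookup, not the zone policy.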