SRX Services Gateway

How to prefer BGP route over IPsec VPN generated static route

‎01-05-2017 01:41 PM

Hi, all,

I have a unique situation I don't have an obvious answer for. We have the need to interconnect with a customer using an MPLS-VPN circuit as the primary and an IPsec VPN as backup. Say we advertise subnet A and the customer advertises subnet B to the MPLS VPN provider (via BGP, of course); everything is good. Now we want to set up an IPsec VPN as a backup. Unfortunately, the customer-side VPN device (Cisco ASA) only supports "policy based" VPN, so I have to explicitly configure a traffic-selector in the SRX VPN configuration, listing subnet A as local-ip and subnet B as remote-ip on the SRX. Not a problem ... the problem is that the SRX automatically injects a static route for subnet B into the routing table, and the SRX would prefer the IPsec VPN to reach the customer. How do I get around this dilemma?

Thanks,

3 REPLIES
Solution
Accepted by topic author oldcreek
‎01-06-2017 07:28 AM

Re: How to prefer BGP route over IPsec VPN generated static route

‎01-05-2017 10:14 PM

Hi there,

Easy, as always with JUNOS  :-)

Under Your BGP group add this line:

preference <number less than reverse static route preference>

I can't remember what the reverse static route preference is for IPsec VPN with traffic selectors, but the default static route preference in JUNOS is 5, so Your line above should look like "preference 4".

HTH

Thx

Alex


Re: How to prefer BGP route over IPsec VPN generated static route

‎01-06-2017 04:17 AM

I think in that case you would need to set the default preference for static routes to be higher than BGP, and then for your other static routes you would have to set them to preference 5 or whatever value you chose. So when the SRX generates the VPN static route, its default would be higher.

Something like this:


set routing-options static defaults preference 180

set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set routing-options static route 0.0.0.0/0 preference 5
set routing-options static route 192.12.0.0/24 next-hop 172.18.1.2
set routing-options static route 192.12.0.0/24 preference 5


Re: How to prefer BGP route over IPsec VPN generated static route

‎06-10-2019 12:03 PM

This is not true for ARI in traffic-selector; even though we change the preference in the static route manually, ARI takes its default value: 5.


@lyndidon wrote:

I think in that case you would need to set the default preference for static routes to be higher than BGP, and then for your other static routes you would have to set them to preference 5 or whatever value you chose. So when the SRX generates the VPN static route, its default would be higher.

Something like this:


set routing-options static defaults preference 180

set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set routing-options static route 0.0.0.0/0 preference 5
set routing-options static route 192.12.0.0/24 next-hop 172.18.1.2
set routing-options static route 192.12.0.0/24 preference 5
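
Added example (not written by any poster in this thread, and not Junos code): a simplified Python model of per-prefix route selection by preference, comparing the proposals above. The prefix, the next-hop names and the BGP-learned default route are constructed; the ARI preference of 5 being unaffected by `static defaults` is taken from the last reply.

```python
from dataclasses import dataclass

# Junos defaults: lower preference wins. The ARI value is the one given in the thread.
STATIC_DEFAULT, BGP_DEFAULT, ARI_PREF = 5, 170, 5
SUBNET_B = "198.51.100.0/24"  # constructed stand-in for the customer's subnet B

@dataclass(frozen=True)
class Route:
    prefix: str
    source: str    # "bgp", "static" (operator-configured) or "ari" (traffic-selector route)
    next_hop: str

# Constructed routing table; the BGP-learned default route is an assumption
# added to show the side effect of a group-wide BGP preference.
RIB = [
    Route(SUBNET_B, "bgp", "mpls-pe"),
    Route(SUBNET_B, "ari", "st0.0"),
    Route("0.0.0.0/0", "static", "internet-gw"),
    Route("0.0.0.0/0", "bgp", "mpls-pe"),
]

def preference(route, bgp_pref=BGP_DEFAULT, static_default=STATIC_DEFAULT):
    if route.source == "ari":
        return ARI_PREF  # per the last reply, "static defaults" does not move it
    return static_default if route.source == "static" else bgp_pref

def active(routes, prefix, **prefs):
    """Next hop of the active route for prefix: the lowest preference wins."""
    candidates = [r for r in routes if r.prefix == prefix]
    best = min(candidates, key=lambda r: preference(r, **prefs), default=None)
    return best.next_hop if best else None

def scenarios():
    mpls_down = [r for r in RIB if r.source != "bgp"]  # BGP session lost
    return {
        "defaults": active(RIB, SUBNET_B),
        "static_defaults_180": active(RIB, SUBNET_B, static_default=180),
        "bgp_preference_4": active(RIB, SUBNET_B, bgp_pref=4),
        "bgp_preference_4_mpls_down": active(mpls_down, SUBNET_B, bgp_pref=4),
        "default_route_with_bgp_preference_4": active(RIB, "0.0.0.0/0", bgp_pref=4),
        "default_route_with_defaults": active(RIB, "0.0.0.0/0"),
    }

if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name:38} -> {hop}")
```

In this model a group-wide BGP preference of 4 also pulls the default route onto the MPLS path whenever the provider advertises one. Setting the preference in a BGP import policy that matches only subnet B keeps the change scoped to the prefix that needs it.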