SRX Services Gateway

IPSEC termination from SSG to SRX virtual routing interface

11-16-2009 11:29 AM

Hi

I am trying to build an IPSEC tunnel from an established SSG to a new SRX240; however, the tunnel needs to terminate on an SRX VR instance interface. Can this be done at all? It doesn't want to come up.

 

Anyone tried this before?

 

Regards

 

Mark


Re: IPSEC termination from SSG to SRX virtual routing interface

11-16-2009 01:22 PM

We discovered the same issue on the SRXs: IPSec tunnels can only be terminated in the default VR, though the st0 interfaces can be in any VR you want. It's a problem when your Internet-facing routing table is in a routing-instance and not the default table. In most situations you can work around that issue until Juniper supports IPSec tunnels to any VR (like in ScreenOS). But until then, anyone running tunnels out multiple ISP connections from one SRX might continue to have problems.


Re: IPSEC termination from SSG to SRX virtual routing interface

11-17-2009 01:00 AM

Yup, the one thing you would have thought a JUNOS device would be able to do is a routing-type function. I'm tempted to rip out the SRX and replace it with a mature firewall with proper virtualisation capabilities. Following on from another post, here is a 'workaround':

 

http://kb.juniper.net/KB12866


Re: IPSEC termination from SSG to SRX virtual routing interface

11-19-2009 09:16 PM

Mark,

 

Unfortunately, the work-around that I referred to in KB12866 has been removed.  We added the following note:

 

NOTE:  Previously a work-around solution was provided in this KB article. However the Juniper Networks Engineering team found some serious limitations with the work-around solution. Hence we are no longer supporting the work-around solution.  Juniper is continuing to work on a more robust implementation for an upcoming future JUNOS release. Please contact your Juniper Sales Representative for information regarding the feature roadmap for this feature.

 

We apologize for the inconvenience.

Regards,

Josine

 


Re: IPSEC termination from SSG to SRX virtual routing interface

02-11-2011 05:27 AM

Is this already possible?


Re: IPSEC termination from SSG to SRX virtual routing interface

02-11-2011 05:51 AM

Hi,

 

Yes, st0.x interfaces can be members of a (non-default) routing instance since JUNOS 10.4R1. It worked unofficially since 10.0R3, but there have been issues, so it was not supported but a hidden feature.

 

Please note that the external interface that you specify at the VPN gateway level still has to be in the normal inet.0 instance.

 

Kind regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
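Putting the two rules above into one configuration (st0.x may sit in a non-default routing instance from 10.4R1 on; the IKE gateway's external-interface stays in inet.0), as an added example that is not from this thread and not Juniper's own documentation. The interface names, the 198.51.100.0/30 and 203.0.113.10 addresses, the 10.30.0.0/24 LAN, the proposal, policy, gateway and VPN names, the algorithm set and the pre-shared-key placeholder are all assumptions; the st0.0 address 10.10.254.5/30, the zone VPN-inet1 and the instance vr3 are reused from Darryl's post in this thread. The point to take from it is only which stanza each interface appears in.

```junos
/* Added example (not from this thread or from Juniper): layout supported
   from Junos 10.4R1. ge-0/0/0.0 stays in inet.0 and is the IKE
   external-interface; st0.0 and the LAN interface ge-0/0/1.0 sit in
   routing instance vr3. Names, addresses and algorithms are assumptions. */
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 198.51.100.2/30; } } }
    ge-0/0/1 { unit 0 { family inet { address 10.30.0.1/24; } } }
    st0 { unit 0 { family inet { mtu 1340; address 10.10.254.5/30; } } }
}
routing-options {
    /* inet.0 only has to reach the IKE peer; IKE and ESP leave from here. */
    static { route 0.0.0.0/0 next-hop 198.51.100.1; }
}
routing-instances {
    vr3 {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        interface st0.0;
        routing-options { router-id 10.10.254.5; }
        protocols {
            ospf {
                area 0.0.0.0 {
                    /* Network type and timers must match the SSG end. */
                    interface st0.0 { interface-type p2p; }
                    interface ge-0/0/1.0 { passive; }
                }
            }
        }
    }
}
security {
    ike {
        proposal ike-prop-ssg {
            authentication-method pre-shared-keys;
            dh-group group14;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
        }
        policy ike-pol-ssg {
            mode main;
            proposals ike-prop-ssg;
            /* Placeholder: use a long random secret shared with the SSG. */
            pre-shared-key ascii-text "replace-with-a-long-random-psk";
        }
        gateway gw-ssg {
            ike-policy ike-pol-ssg;
            address 203.0.113.10;
            /* The constraint from this thread: an inet.0 interface, not vr3. */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop-ssg {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
        }
        policy ipsec-pol-ssg {
            perfect-forward-secrecy { keys group14; }
            proposals ipsec-prop-ssg;
        }
        vpn vpn-ssg {
            /* Route-based VPN: the tunnel is bound to st0.0, which lives in vr3. */
            bind-interface st0.0;
            ike { gateway gw-ssg; ipsec-policy ipsec-pol-ssg; }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone trust to-zone VPN-inet1 {
            policy lan-to-vpn {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
        from-zone VPN-inet1 to-zone trust {
            policy vpn-to-lan {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
    zones {
        security-zone untrust {
            /* Only IKE has to be allowed as host-inbound traffic on the
               external interface; ESP is matched to the SA by the flow. */
            interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ike; } } } }
        }
        security-zone trust { interfaces { ge-0/0/1.0; } }
        security-zone VPN-inet1 {
            interfaces {
                st0.0 { host-inbound-traffic { system-services { ping; } protocols { ospf; } } }
            }
        }
    }
}
```

After commit, `show security ike security-associations` and `show security ipsec security-associations` confirm the tunnel, `show ospf neighbor instance vr3` confirms the adjacency over st0.0, and `show route table vr3.inet.0` should list the prefixes learned from the SSG. The any/any policies are there only to keep the example short; in production restrict source-address, destination-address and application to the prefixes and services that actually need to cross the tunnel, and pick the IKE/IPsec algorithms from what both the SRX release and the SSG support.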

Re: IPSEC termination from SSG to SRX virtual routing interface

02-15-2011 07:51 AM

Hello, Dominik.

 

Would you happen to know if OSPF is supported over IPSec tunnel interfaces terminated in a VR other than inet.0? (assuming the terminating external interface is within inet.0 of course)

 

The device accepts my config, but my debug indicates almost no activity with regard to OSPF and the tunnel interface. I'm using 10.4R2.7 on an SRX210 with an SA to an SSG5. Nothing much complicated about the configuration:

 

-----

interfaces {
    st0 {
        description Tunnels;
        unit 0 {
            description "Tunnel to yermom";
            family inet {
                mtu 1340;
                address 10.10.254.5/30;
            }
        }
    }
}

----

security {
    zones {
        security-zone VPN-inet1 {
            interfaces {
                st0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}

----

routing-instances {
    vr3 {
        instance-type virtual-router;
        interface st0.0;
        routing-options {
            router-id 10.0.254.5;
        }
        protocols {
            ospf {
                area 0.0.0.0 {
                    interface st0.0 {
                        interface-type p2p;
                        retransmit-interval 8;
                        transit-delay 1;
                        hello-interval 40;
                        dead-interval 40;
                    }
                }
            }
        }
    }
}

------

 

 

regards

 

Darryl


Re: IPSEC termination from SSG to SRX virtual routing interface

02-15-2011 03:29 PM

Hi,

 

I'm not aware of any OSPF issue related to tunnels that terminate in a non-default VR but would need to have a look in lab to be 100% sure...

 

Regards,

Dominik


Re: IPSEC termination from SSG to SRX virtual routing interface

02-15-2011 04:01 PM

Tried it out in the lab; it worked immediately without problems. You might want to troubleshoot the OSPF issue as you would with any other link. Is the config on the other side compatible (MTU, stub/NSSA, etc.)?

 

Regards,

Dominik


Re: IPSEC termination from SSG to SRX virtual routing interface

02-21-2011 11:10 AM

This was my error. I forgot that OSPF behaves differently from ScreenOS to JunOS.

 

Thanks for looking into this.


Re: IPSEC termination from SSG to SRX virtual routing interface

02-22-2011 05:25 AM

Hi,

 

Good to hear that. It would be great if you could mark your thread as solved so that others are aware that it is closed.

 

Regards,

Dominik
