SRX Services Gateway

Route based and policy based VPN over same vSRX devices

‎08-29-2018 04:01 PM

Hello

I am quite new to firewalls, and after I've learned some basics about Junos and SRX I am trying to configure some VPNs.

For the moment, using this route-based VPN KB, I have managed to bring up the VPN between the LAN10 host and the LAN50 host; next I want to configure a policy-based VPN between the LAN60 host and the LAN20 host following this policy-based VPN KB.

Can you advise me on how to approach this? Right now policy-based VPN is quite messy for me :).

I am working in EVE-NG with virtual devices.

Edit: I don't know why I cannot upload a picture, so here is my topology.

Thank you.


Re: Route based and policy based VPN over same vSRX devices

‎08-29-2018 04:30 PM

Thanks for the diagram it makes it clearer what is going on.


I don't think you will be able to do a mix of route-based and policy-based VPN in this topology. Your two SRXs are connecting the VPN on the same gateway, so the IKE gateway session will be shared, and this is really just one VPN with two subnets behind each SRX.


You will need to remove the route-based VPN and replace it with the policy-based version.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Route based and policy based VPN over same vSRX devices

‎08-29-2018 04:59 PM

Thanks for the reply, Steve.

As I use the vMX as a bridge between the SRXs, this can be sorted out if I connect another vMX on a free SRX interface.

Maybe this sounds better: is it possible to configure route-based and policy-based VPN over the same interface, I don't know, using st0.1 and st0.2?


Re: Route based and policy based VPN over same vSRX devices

‎08-29-2018 05:13 PM

Sounds right; basically each pair of gateways is a single VPN.


So if you have SRXA ge-0/0/0 to SRXB ge-0/0/0 route-based,

you could have SRXA ge-0/0/1 to SRXB ge-0/0/0 policy-based.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Route based and policy based VPN over same vSRX devices

‎08-29-2018 05:35 PM

Thanks for your responsiveness; this means I'll have to configure new external interfaces.

I will check it tomorrow, but I still think it should be possible to configure multiple VPNs on the same interface.

It's too late for me and I need some sleep.

Have a great day and thank you again :).


Re: Route based and policy based VPN over same vSRX devices

‎08-30-2018 02:11 AM

Sorry for the lack of clarity.


You CAN have multiple VPNs on the same interface.

You CANNOT have multiple VPNs between the same PAIR of interfaces.

The tunnel encryption setup is by unique PAIRS.


So in the example above you only need to add one interface to one SRX to get a second tunnel going.

The SAME ge-0/0/0 is used on one SRX and different interfaces on the second SRX.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home