SRX Services Gateway

Routing Same Network Over VPN Tunnels

12-11-2019 09:37 AM

Hi All,

I have a customer with a VPN set up to one of my sites, terminating on my SRX240H2. This is a route-based VPN tunnel, and proxy IDs have to be configured on this tunnel. Here is my issue, which would be resolved on newer devices using traffic selectors:

I have two subnets that my customer needs access to. These subnets cannot be grouped. My customer has provided a single subnet for access to my site. However, since I need to use proxy IDs with these subnets configured, I need to configure two tunnels, each tunnel with the following proxy IDs:

Tunnel 1

* customer network, my network A

Tunnel 2

* customer network, my network B

However, because these are route-based tunnels, I now have a static route for the customer network pointing to two tunnels. If traffic comes into Tunnel 2, the device may route it back through Tunnel 1.

Is there a way to solve this issue that I'm missing?

Unfortunately I cannot implement tunnels per routing-instance at this time.


Re: Routing Same Network Over VPN Tunnels

12-11-2019 09:55 AM
Just a thought (not tested). Configure only one tunnel, as responder (remove the establish-tunnels immediately keyword), and configure NO proxy-id. The default proxy-id is 0.0.0.0/0 and the VPN should come up. Now configure a static route for the customer network towards the tunnel.
Please check if possible.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Routing Same Network Over VPN Tunnels

12-11-2019 09:57 PM

Hello,

@tsizzle63 wrote:

> My customer has provided a single subnet for access to my site. However, since I need to use proxy IDs with these subnets configured,

Do You mean "provided a single subnet for access FROM my site"?

@tsizzle63 wrote:

> I need to use proxy IDs with these subnets configured, I need to configure two tunnels, each tunnel with the following proxy IDs:
>
> Tunnel 1
>
> * customer network, my network A
>
> Tunnel 2
>
> * customer network, my network B

If both sides use route-based IPsec VPN, then proxy-IDs can be arbitrary. The only restriction is that they must match on both sides. JUNOS route-based VPN does not check whether the packet to be encrypted matches the proxy-ID for that tunnel.

@tsizzle63 wrote:

> because these are route based tunnels, I now have a static route for the customer network pointing to two tunnels. If traffic comes into Tunnel 2, the device may route it back through Tunnel 1.
>
> Is there a way to solve this issue that I'm missing?

AFAIK, this is not an issue with SRX route-based VPN. Once a valid forward packet comes in via Tunnel 2, the SRX creates a session that points to Tunnel 2 for the return packet, irrespective of where the return route points.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Routing Same Network Over VPN Tunnels

12-11-2019 10:44 PM

Hi,

* You do not need to use a proxy-id unless the other end is enforcing the same, perhaps through ACLs etc.
* If you can switch to a blank proxy-id (all 0s), it would be the easiest move.
* You can always control the traffic using security policies.
* The other option is for the customer to NAT traffic to two IPs provided by you:
  * VPN 1: NATIP1 ----> Your subnet A (st0.1)
  * VPN 2: NATIP2 ----> Your subnet B (st0.2)
  * Route NATIP1 to st0.1 and NATIP2 to st0.2

I hope this helps. Regards,

Nelumbo


Re: Routing Same Network Over VPN Tunnels

12-12-2019 08:59 AM
Hello Tsizzle63, since your issue is routing and you can't work with routing-instances, the only route-based solution left is "Traffic Selector". Alternatively, you can configure your side of the tunnel to be "Policy Based". Btw, the "traffic-selector" feature was introduced in 12.1X46-D10. I think you can simply upgrade your SRX240H2 to a 12.1X46-based release. Thanks!
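For readers weighing the traffic-selector route suggested above, here is what that layout looks like in Junos set syntax. This is an added illustration, not configuration posted by anyone in this thread; the prefixes, interface, gateway address, zone, policy and object names are placeholders I chose (192.168.50.0/24 stands for the customer network, 10.10.1.0/24 for network A, 10.10.2.0/24 for network B).

```junos
# Constructed example: one route-based VPN with two traffic selectors replaces
# the two proxy-ID tunnels, so the customer prefix has a single egress interface.
# All addresses and names below are placeholders.

# One st0 unit and one IKE gateway serve both protected subnets.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-PSK"
set security ike gateway gw-customer ike-policy ike-pol
set security ike gateway gw-customer address 203.0.113.10
set security ike gateway gw-customer external-interface ge-0/0/0.0
set security ipsec policy ipsec-pol proposal-set standard

# Traffic selectors and proxy-identity are mutually exclusive on a VPN.
# Each selector negotiates its own Child SA, but both land on st0.0, so
# return traffic for the customer network cannot be routed "into the other tunnel".
set security ipsec vpn vpn-customer bind-interface st0.0
set security ipsec vpn vpn-customer ike gateway gw-customer
set security ipsec vpn vpn-customer ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-customer traffic-selector ts-a local-ip 10.10.1.0/24
set security ipsec vpn vpn-customer traffic-selector ts-a remote-ip 192.168.50.0/24
set security ipsec vpn vpn-customer traffic-selector ts-b local-ip 10.10.2.0/24
set security ipsec vpn vpn-customer traffic-selector ts-b remote-ip 192.168.50.0/24
set security ipsec vpn vpn-customer establish-tunnels immediately

# No static route for the customer network is configured: auto route insertion
# adds 192.168.50.0/24 via st0.0 once the Child SAs come up. Security policy,
# not the selectors, decides which local hosts may reach the customer.
set security address-book global address net-a 10.10.1.0/24
set security address-book global address net-b 10.10.2.0/24
set security address-book global address customer-net 192.168.50.0/24
set security policies from-zone trust to-zone vpn policy to-customer match source-address net-a
set security policies from-zone trust to-zone vpn policy to-customer match source-address net-b
set security policies from-zone trust to-zone vpn policy to-customer match destination-address customer-net
set security policies from-zone trust to-zone vpn policy to-customer match application any
set security policies from-zone trust to-zone vpn policy to-customer then permit

# Verify after commit:
#   show security ipsec security-associations
#   show route 192.168.50.0/24
```

A matching policy from zone vpn to zone trust is needed for sessions the customer initiates, and the peer must present the same two selector pairs (or a superset) for both Child SAs to negotiate.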