
[SRX] Route-based VPN is up, but not passing traffic. Is a route missing?


Article ID: KB10107 | Last Updated: 06 May 2021 | Version: 7.0
Summary:
 

A route-based, site-to-site VPN is up on an SRX device, but it is not passing traffic. A route is needed to reach a remote network through the VPN via a secure tunnel (st0) interface.

Note: To confirm whether your VPN is up, see KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active?

 

Symptoms:
 

The routing table does not have a route to the remote network via the st0 interface.

Goal

The show route <remote network> output contains a route for the remote network via the correct st0 interface:

root@CorporateOffice > show route 192.168.3.0
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
192.168.3.0/24 *[Static/5] 00:00:53
> via st0.0   <-------------------------------------------

Note: If you are using dynamic routing protocols, such as BGP or OSPF, then investigate why those routing protocols are not learning the route.

 

Solution:
 

The example below shows how to add a route to the destination network via the secure tunnel (st0) interface.

 

Network Topology

 
  • Remote Office internal network address: 192.168.3.0/24

  • Corporate Office internal network address: 192.168.2.0/24

 

At the Corporate Office, a route to the remote network 192.168.3.0/24 needs to be added via the st0 interface.

  1. Locate the correct st0 interface for the VPN:

CLI

root@CorporateOffice# show security ipsec vpn ike-vpn-remote-office

vpn ike-vpn-remote-office {
    bind-interface st0.0;  <----------------
    ike {
        gateway gw-remote-office;
        ipsec-policy ipsec-phase2-policy;
    }
}

J-Web

In the Corporate Office SRX device, navigate to Configure > Security Services > IPsec VPN > IPsec Phase II. Then locate the associated st0 tunnel in the Bind Interface column.

  2. Add the static route with the next-hop as the st0 interface (st0.0 for this example) to route the packets destined for network 192.168.3.0/24 via the VPN:

CLI

root@CorporateOffice# set routing-options static route 192.168.3.0/24 next-hop st0.0

J-Web

  1. In the Corporate Office SRX device, navigate to Configure > Network > Routing > Static Routing.

  2. If no route is shown with the next-hop as the st0 interface, then click Add.

  3. Enter the information below:

  • Static Route Address: 192.168.3.0/24

  • Below Next-Hop Addresses and next to the Add button, select interface name and choose st0.0 (you can type the interface name if it does not show st0).

  • Click OK to populate the Next-Hop Addresses field.

  3. Click Commit.
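The two checks above (find the st0 unit the VPN is bound to, then confirm an active route to the remote network points at that unit) can be scripted against captured CLI output. The following Python script is an added example, not part of this article; the `VPN_CONFIG` and `ROUTE_TABLE` strings are constructed samples modelled on the outputs shown above, and `missing_route_fix` returns the `set` command from step 2 only when the route is absent or bound to the wrong interface.

```python
import ipaddress
import re
# Constructed sample outputs modelled on the article's examples; not captured from a real device.
VPN_CONFIG = """\
vpn ike-vpn-remote-office {
    bind-interface st0.0;
    ike {
        gateway gw-remote-office;
        ipsec-policy ipsec-phase2-policy;
    }
}
"""

ROUTE_TABLE = """\
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
0.0.0.0/0          *[Static/5] 01:02:03
                    > to 203.0.113.1 via ge-0/0/0.0
192.168.2.0/24     *[Direct/0] 01:02:03
                    > via ge-0/0/1.0
"""

def bind_interface(vpn_config: str) -> str:
    """Return the st0 unit the VPN is bound to, from 'show security ipsec vpn <name>' output."""
    m = re.search(r"bind-interface\s+(st0\.\d+);", vpn_config)
    if not m:
        raise ValueError("no bind-interface found; the VPN is not bound to an st0 unit")
    return m.group(1)

def active_routes(route_table: str) -> dict:
    """Map each active prefix in 'show route' output to the interface of its selected next hop."""
    routes, prefix = {}, None
    for line in route_table.splitlines():
        m = re.match(r"^(\S+/\d+)\s+\*\[", line)            # '*' marks the active route
        if m:
            prefix = m.group(1)
            continue
        m = re.match(r"^\s+>\s.*\bvia\s+(\S+)\s*$", line)  # '>' marks the selected next hop
        if m and prefix:
            routes[prefix] = m.group(1)
            prefix = None
    return routes

def missing_route_fix(remote_net: str, vpn_config: str, route_table: str):
    """Return the 'set' command still needed, or None if remote_net already routes via the bound st0."""
    st0 = bind_interface(vpn_config)
    want = str(ipaddress.ip_network(remote_net, strict=False))
    if active_routes(route_table).get(want) == st0:
        return None
    return f"set routing-options static route {want} next-hop {st0}"
```

Feed it the real `show security ipsec vpn <name>` and `show route <remote network>` output (for example via PyEZ or a pasted terminal capture) and it reports the exact command that is missing, or nothing if the route already points at the bound st0 unit.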

 

Modification History:
 
  • 2020-06-29: Removed reference to J-Series

  • 2021-05-06: J-Web instructions updated to indicate current UI navigation; other minor changes made to make article accurate and valid
