[SRX] How to configure an IP-IP tunnel on an SRX device

Article ID: KB23986 | KB Last Updated: 04 Mar 2017 | Version: 3.0

Summary:

This article provides a method to configure an IP-IP tunnel on SRX.

Symptoms:

How to configure an IP-IP tunnel on SRX.

Cause:

Solution:

IP-IP tunneling is a method by which an IP datagram is encapsulated within another IP datagram. It is used to establish communication between two networks that would otherwise not be able to communicate.

  1. Configure an IP tunnel interface. In the following example, 1.1.1.1/30 is the IP address of the IP tunnel interface, and 10.1.1.1 and 10.1.2.2 are the endpoints of the tunnel.
    root@PR-PRO-MDC-SRX02# show interfaces
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    ip-0/0/0 {
        unit 0 {
            tunnel {
                source 10.1.1.1;
                destination 10.1.2.2;
            }
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }

  2. Bind the ip-0/0/0 interface to a security zone:
    root@PR-PRO-MDC-SRX02# show security zones security-zone untrust
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        ip-0/0/0.0;
    }

  3. Configure a route to the remote network. In this example, 192.168.2.0/24 is the remote network.
    [edit routing-options]
    root@PR-PRO-MDC-SRX02# show
    static {
        route 0.0.0.0/0 next-hop 10.1.2.2;
        route 192.168.2.0/24 next-hop ip-0/0/0.0;
    }

  4. Ensure that the appropriate security policies are in place for the traffic to successfully flow.

Note the following packet capture. It shows that an IP datagram (with source as 192.168.2.1 and destination as 192.168.1.1) is encapsulated within an IP datagram (with source as 10.1.2.2 and destination as 10.1.1.1).
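
The encapsulation described above can be reproduced offline. The following is an added example, not part of the original article: it builds a constructed IP-IP packet from the article's addresses and parses both headers, which is what a capture filter or inspection rule keyed on IP protocol 4 has to do to see the inner source and destination. The function names and the 8-byte placeholder payload are assumptions.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation


def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header of even length."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject truncated or corrupt headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    src, dst = (str(ipaddress.IPv4Address(packet[o:o + 4])) for o in (12, 16))
    return src, dst, packet[9], packet[ihl:total_len]


def decapsulate(packet: bytes):
    """Return [(src, dst, proto)] for the outer header and, if IP-IP, the inner one."""
    src, dst, proto, payload = parse_ipv4(packet)
    layers = [(src, dst, proto)]
    if proto == IPPROTO_IPIP:
        layers.append(parse_ipv4(payload)[:3])
    return layers


# Constructed sample: inner datagram (protocol 1, placeholder payload) using
# the article's addresses, wrapped in the tunnel's outer header.
inner = build_ipv4("192.168.2.1", "192.168.1.1", 1, b"\x00" * 8)
outer = build_ipv4("10.1.2.2", "10.1.1.1", IPPROTO_IPIP, inner)
print(decapsulate(outer))
```

A filter that matches only on the outer header sees 10.1.2.2 and 10.1.1.1; the 192.168.x.x addresses are visible only after the inner header is parsed.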



Note: IP-IP tunnels in a chassis cluster are currently not supported on branch SRX devices and J-series devices. If this support is required in a chassis cluster, raise an Enhancement Request (ER) by contacting the SE.
