
[Junos Platform] Conditional static routes based on IPsec tunnel state

  [KB34721]


Summary:

In a next-hop style IPsec configuration, static routes are configured to point to the inside-service-interface for traffic that needs to be encrypted.

This article details the configuration steps that keep these static routes active only while the IPsec tunnel is up.

In this article, a solution is provided for the following scenarios:

  • Scenario 1: To have an alternative route when the IPsec tunnel goes down. The alternative route can be another IPsec tunnel or a regular IP route.

  • Scenario 2: To discard packets destined for encryption at the Packet Forwarding Engine (PFE) itself whenever the IPsec tunnel goes down.

Solution:

The following configuration steps cause the inside-service-interface to be up only when IPsec Security Associations (SAs) have been established with the peer. When Dead Peer Detection is configured, the IPsec SAs are torn down as soon as the peer is detected as dead, which takes the inside-service-interface, and therefore the static route pointing to it, down with them.

  1. Configure Dead Peer Detection.

Note: The interval and threshold below must be tuned to the network delay and to the peer's worst-case response time; values that are too aggressive will flap the tunnel, values that are too lax delay failover.

set services ipsec-vpn rule IPsec-rule term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPsec-rule term 1 then dead-peer-detection interval 3
set services ipsec-vpn rule IPsec-rule term 1 then dead-peer-detection threshold 3
  2. Configure ipsec-inside-interface under the respective IPsec rule.

set services ipsec-vpn rule IPsec-rule term 1 from ipsec-inside-interface <inside-service-interface>
  3. Configure a static route that points to the IPsec tunnel's inside-service-interface for the traffic that needs to be encrypted. See Example: Configuring Junos VPN Site Secure on MS-MIC and MS-MPC.

set routing-options static route <ip> next-hop <inside-service-interface>

If an alternative route is needed for the time the IPsec tunnel is down, add a qualified next-hop to the same static route with a less preferred (numerically higher) preference value, so that it is used only while the inside-service-interface is down.

Scenario 1: 

  • The alternative route can be another IPsec tunnel:

set routing-options static route <ip> qualified-next-hop <inside-service-interface of the alternate IPsec tunnel> preference 100
  • Or an alternative route through a regular IP next hop:

set routing-options static route <ip> qualified-next-hop <next-hop-ip> preference 100

Scenario 2: If no alternative route is needed, do not configure a qualified next-hop. Packets destined for encryption are then discarded at the PFE itself whenever the IPsec tunnel goes down.
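The following is an added, constructed example and not configuration taken from this article or from the referenced Junos VPN Site Secure example. It puts steps 1 to 3 and Scenario 1 together for a next-hop style tunnel on an MS-MPC. The interface names (ms-1/0/0 units 1 and 2), addresses (203.0.113.1 and 203.0.113.2 as the gateways, 192.0.2.254 as the backup next hop, 10.2.0.0/24 as the protected prefix), object names (IPsec-rule, ipsec-ss, ike-pol, ipsec-pol and the proposals) and the algorithm choices are all assumptions; the pre-shared key is a placeholder to be replaced with a real secret.

```junos
## Constructed example, not from KB34721. All names and addresses are assumed.
## Inside (unit 1) and outside (unit 2) service interfaces of the tunnel
set interfaces ms-1/0/0 unit 1 family inet
set interfaces ms-1/0/0 unit 1 service-domain inside
set interfaces ms-1/0/0 unit 2 family inet
set interfaces ms-1/0/0 unit 2 service-domain outside

## IKE and IPsec proposals and policies (algorithm choices are illustrative)
set services ipsec-vpn ike proposal ike-prop authentication-method pre-shared-keys
set services ipsec-vpn ike proposal ike-prop dh-group group14
set services ipsec-vpn ike proposal ike-prop authentication-algorithm sha-256
set services ipsec-vpn ike proposal ike-prop encryption-algorithm aes-256-cbc
set services ipsec-vpn ike policy ike-pol proposals ike-prop
set services ipsec-vpn ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-SECRET"
set services ipsec-vpn ipsec proposal ipsec-prop protocol esp
set services ipsec-vpn ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy ipsec-pol proposals ipsec-prop

## Step 2: the rule matches on the inside-service-interface, so the interface
## state follows the SA state. Step 1: DPD so a dead peer tears the SAs down.
set services ipsec-vpn rule IPsec-rule term 1 from ipsec-inside-interface ms-1/0/0.1
set services ipsec-vpn rule IPsec-rule term 1 then remote-gateway 203.0.113.2
set services ipsec-vpn rule IPsec-rule term 1 then dynamic ike-policy ike-pol
set services ipsec-vpn rule IPsec-rule term 1 then dynamic ipsec-policy ipsec-pol
set services ipsec-vpn rule IPsec-rule term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule IPsec-rule term 1 then dead-peer-detection interval 3
set services ipsec-vpn rule IPsec-rule term 1 then dead-peer-detection threshold 3
set services ipsec-vpn rule IPsec-rule match-direction input

## Service set binding the rule to the two service interfaces and the local gateway
set services service-set ipsec-ss next-hop-service inside-service-interface ms-1/0/0.1
set services service-set ipsec-ss next-hop-service outside-service-interface ms-1/0/0.2
set services service-set ipsec-ss ipsec-vpn-options local-gateway 203.0.113.1
set services service-set ipsec-ss ipsec-vpn-rules IPsec-rule

## Step 3: primary route into the tunnel (static default preference 5)
set routing-options static route 10.2.0.0/24 next-hop ms-1/0/0.1

## Scenario 1: backup over a plain IP next hop, active only while ms-1/0/0.1 is down.
## Omit this single line to get Scenario 2 (traffic discarded at the PFE instead).
set routing-options static route 10.2.0.0/24 qualified-next-hop 192.0.2.254 preference 100
```

With the tunnel up, "show route 10.2.0.0/24" should show the ms-1/0/0.1 next hop active and the 192.0.2.254 next hop present but not selected; "show services ipsec-vpn ipsec security-associations" confirms the SAs exist. To exercise the failover, block IKE/ESP toward 203.0.113.2 and wait interval x threshold seconds (9 s with the values above): "show interfaces ms-1/0/0.1 terse" should report the unit down and the same route lookup should now resolve to 192.0.2.254. Note that a backup next hop via a regular IP route sends that traffic unencrypted, so it belongs only in the Scenario 1 case where that is acceptable.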
