
[J/SRX] Route-based VPN is up, but not passing traffic. Is a route missing?

[KB10107]


Summary:

A route-based, site-to-site VPN is up on an SRX or J-Series device, but it is not passing traffic.  A route is needed to reach a remote network through the VPN via a secure tunnel (st0) interface. 


Note: To confirm whether your VPN is up, consult KB10090 - How do I tell if a VPN tunnel SA (Security Association) is active on an SRX or J-Series device?

Symptoms:

The routing table does not have a route to the remote network via the st0 interface.

Goal:
The show route <remote network> output contains a route for the remote network via the correct st0 interface:

root@CorporateOffice> show route 192.168.3.0

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.3.0/24     *[Static/5] 00:00:53
                    > via st0.0   <-------------------------------------------

Note: If dynamic routing protocols such as BGP or OSPF are running, investigate why those protocols are not learning the route.

Cause:

Solution:

The example below shows how to add a route to the destination network via the secure tunnel (st0) interface.  

  
Network topology:


Remote office internal network address: 192.168.3.0/24
Corporate office internal network address: 192.168.2.0/24


At the corporate office, a route to the remote network 192.168.3.0/24 needs to be added via the st0 interface.

Step one: Locate the correct st0 interface for the VPN:

CLI:
root@CorporateOffice# show security ipsec vpn ike-vpn-remote-office
vpn ike-vpn-remote-office {
    bind-interface st0.0;  <----------------
    ike {
        gateway gw-remote-office;
        ipsec-policy ipsec-phase2-policy;
    }
}

J-Web:
On the corporate office SRX, navigate to Configure > IPsec VPN > Auto Tunnel > Phase II.  Then locate the associated st0 tunnel in the Bind Interface column.


Step two: Add the static route with the next-hop as the st0 interface (st0.0 for this example) to route the packets destined for network 192.168.3.0/24 via the VPN:

CLI:
root@CorporateOffice# set routing-options static route 192.168.3.0/24 next-hop st0.0

J-Web:

  1. On the corporate office SRX, navigate to Configure > Routing > Static Routing
  2. If no route is shown with next-hop as the st0 interface, then click Add...
  3. Enter the information below:
      Static Route Address: 192.168.3.0/24
      Below Next-Hop Addresses and next to the Add button, enter: st0.0
      Then click the Add button to populate the Next-Hop Addresses field.
  4. Click OK.
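As an added verification check (not part of this KB article), the following Python parses saved "show route <remote network>" output of the shape shown in the Goal section, finds the active route that covers the remote network, and reports whether it points at the expected st0 interface. The two sample outputs are constructed; the second models the common failure case where only the default route matches, so traffic leaves the WAN interface instead of the tunnel.

```python
import ipaddress
import re

# Constructed sample: the healthy state from the Goal section.
SAMPLE_OK = """\
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.3.0/24     *[Static/5] 00:00:53
                    > via st0.0
"""

# Constructed sample: no route for the remote office, so longest-prefix match
# falls through to the default route via the WAN interface.
SAMPLE_DEFAULT_ONLY = """\
inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 03:14:07
                    > to 203.0.113.1 via ge-0/0/0.0
"""

ROUTE_RE = re.compile(r"^(\S+/\d+)\s+\*\[(\w+)/\d+\]", re.M)
NEXTHOP_RE = re.compile(r"^\s+>\s+(?:to \S+ )?via (\S+)", re.M)

def parse_active_routes(output):
    """Map each prefix to (protocol, next-hop interface) of its active route."""
    routes = {}
    matches = list(ROUTE_RE.finditer(output))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(output)
        nh = NEXTHOP_RE.search(output, m.end(), end)  # next-hop is on the following line
        routes[m.group(1)] = (m.group(2), nh.group(1) if nh else None)
    return routes

def covering_route(routes, remote_net):
    """Longest-prefix match: the route the device would actually use for remote_net."""
    target, best = ipaddress.ip_network(remote_net), None
    for prefix, info in routes.items():
        net = ipaddress.ip_network(prefix)
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best

def check_vpn_route(output, remote_net, st_interface):
    """Return (ok, reason); ok only if remote_net is forwarded via st_interface."""
    best = covering_route(parse_active_routes(output), remote_net)
    if best is None:
        return False, "no route covers %s; add a static route via %s" % (remote_net, st_interface)
    net, (proto, iface) = best
    if iface != st_interface:
        return False, "%s is covered by %s via %s (%s), not %s" % (remote_net, net, iface, proto, st_interface)
    return True, "%s is routed via %s (%s)" % (remote_net, st_interface, proto)
```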

Related Links: