
[SRX] Configuration Example: Route-based IPSec VPN with external-interface and st0 in custom routing instance

Article ID: KB21487
Last Updated: 22 Jun 2020
Version: 3.0
Summary:
This article provides a sample configuration for terminating a route-based IPSec VPN on an external interface that belongs to a routing instance.
Symptoms:
Unable to terminate an IPSec VPN when the external interface belongs to a routing instance.
Solution:
Starting with the Junos 11.1 release, Junos provides support for Internet Key Exchange (IKE) in multiple virtual routers; this feature is supported on all SRX Series devices.

The remote IKE gateway address can be in any virtual routing (VR) instance. The VR is determined during IKE Phase 1 and Phase 2 negotiation and does not have to be configured in the IKE proposals. If the IKE gateway interface is moved from one VR to another, the existing IKE Phase 1 and Phase 2 negotiations for that IKE gateway are cleared, and new Phase 1 and Phase 2 negotiations are performed.

Here is a sample configuration of two sites separated by the Internet cloud. At both sites, the external interfaces are in custom routing instances.

The objective is to establish a route-based IPSec VPN between these two sites.

Topology

            fe-0/0/0 Green fe-0/0/1 ------Internet Cloud ------fe-0/0/1 Blue fe-0/0/0
192.168.1.0/24      10.1.1.0/30                       2.1.1.0/30      192.168.2.0/24


Green Site Configuration:

The flow traceoptions below are for troubleshooting only; be sure to deactivate or delete them once done with troubleshooting.
    flow {
        traceoptions {
            file st0green;
            flag basic-datapath;
            packet-filter 1 {
                source-prefix 192.168.1.2/32;
                destination-prefix 192.168.2.2/32;
            }
            packet-filter 2 {
                source-prefix 192.168.2.2/32;
                destination-prefix 192.168.1.2/32;
            }
            packet-filter 3 {
                protocol esp;
                source-prefix 10.1.1.1/32;
                destination-prefix 2.1.1.1/32;
            }
            packet-filter 4 {
                protocol esp;
                source-prefix 2.1.1.1/32;
                destination-prefix 10.1.1.1/32;
            }
        }
    }


## Security policies are created in both directions assuming that VPN traffic can be initiated from either site.

    policies {
        from-zone trust to-zone untrust {
            policy t2u {
                match {
                    source-address site1;
                    destination-address site2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy u2t {
                match {
                    source-address site2;
                    destination-address site1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address site1 192.168.1.0/24;
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address site2 192.168.2.0/24;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
                st0.0;
            }
        }
    }
}


## Custom routing-instance configuration, which includes the external interface and a default (static) route towards the Internet.

routing-instances {
    vpn {
        instance-type virtual-router;
        interface fe-0/0/1.0;
        interface st0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.1.1.2;
                route 192.168.2.0/24 next-hop st0.0;
            }
        }
    }
}

Blue Site Configuration:

Note: This configuration is the same as that of the other site, except for the network numbers.
system {
    host-name Blue;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 2.1.1.1/30;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet myrib;
    }
    static {
        route 0.0.0.0/0 next-table vpn.inet.0;
    }
    rib-groups {
        myrib {
            import-rib [ inet.0 vpn.inet.0 ];
        }
    }
}
security {
    ike {
        traceoptions {
            file st0invr;
            flag all;
        }
        policy p1 {
            proposal-set standard;
            pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
        }
        gateway g1 {
            ike-policy p1;
            address 10.1.1.1;
            external-interface fe-0/0/1.0;
        }
    }
    ipsec {
        policy p2 {
            proposal-set standard;
        }
        vpn myvpn {
            bind-interface st0.0;
            ike {
                gateway g1;
                ipsec-policy p2;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        traceoptions {
            file st0customvr;
            flag basic-datapath;
            packet-filter 1 {
                source-prefix 192.168.2.2/32;
                destination-prefix 192.168.1.2/32;
            }
            packet-filter 2 {
                source-prefix 192.168.1.2/32;
                destination-prefix 192.168.2.2/32;
            }
            packet-filter 3 {
                protocol esp;
                source-prefix 10.1.1.1/32;
                destination-prefix 2.1.1.1/32;
            }
            packet-filter 4 {
                protocol esp;
                source-prefix 2.1.1.1/32;
                destination-prefix 10.1.1.1/32;
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy t2u {
                match {
                    source-address site2;
                    destination-address site1;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy u2t {
                match {
                    source-address site1;
                    destination-address site2;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address site2 192.168.2.0/24;
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            address-book {
                address site1 192.168.1.0/24;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
                st0.0;
            }
        }
    }
}
routing-instances {
    vpn {
        instance-type virtual-router;
        interface fe-0/0/1.0;
        interface st0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.1.1.2;
                route 192.168.1.0/24 next-hop st0.0;
            }
        }
    }
}
 

Verification:

1. Verify the routing table at both sites:

[edit]
root@Green# run show route 

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:29:30
                      to table vpn.inet.0
192.168.1.0/24     *[Direct/0] 00:17:17
                    > via fe-0/0/0.0
192.168.1.1/32     *[Local/0] 00:39:29
                      Local via fe-0/0/0.0

vpn.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:20:04
                    > to 10.1.1.2 via fe-0/0/1.0
10.1.1.0/30       *[Direct/0] 00:20:04
                    > via fe-0/0/1.0
10.1.1.1/32       *[Local/0] 00:20:04
                      Local via fe-0/0/1.0
192.168.1.0/24     *[Direct/0] 00:01:37
                    > via fe-0/0/0.0
192.168.1.1/32     *[Local/0] 00:01:37
                      Local via fe-0/0/0.0
192.168.2.0/24     *[Static/5] 00:09:01
                    > via st0.0

[edit]
root@Blue# run show route | no-more 

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:31:00
                      to table vpn.inet.0
192.168.2.0/24     *[Direct/0] 00:17:44
                    > via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 00:34:18
                      Local via fe-0/0/0.0

vpn.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:17:42
                    > to 2.1.1.2 via fe-0/0/1.0
192.168.1.0/24     *[Static/5] 00:10:53
                    > via st0.0
192.168.2.0/24     *[Direct/0] 00:04:42
                    > via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 00:04:42
                      Local via fe-0/0/0.0
2.1.1.0/30       *[Direct/0] 00:17:42
                    > via fe-0/0/1.0
2.1.1.1/32       *[Local/0] 00:27:38
                      Local via fe-0/0/1.0

2. Verify the IKE and IPSec security association status at both sites:

[edit]
root@Green# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
1536113 UP     7f94e844949b71ac  e9a839d437016cea  Main           2.1.1.1       

[edit]
root@Green# 
root@Green# run show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:3des/sha1 b2f26034 3050/ unlim   -   root 500   2.1.1.1       
  >131073 ESP:3des/sha1 88082e1  3050/ unlim   -   root 500   2.1.1.1       

[edit]
root@Blue# run show security ike security-associations 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
8       UP     7f94e844949b71ac  e9a839d437016cea  Main           10.1.1.1       

[edit]
root@Blue# 
root@Blue# run show security ipsec security-associations 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  <131073 ESP:3des/sha1 88082e1  2941/ unlim   -   root 500   10.1.1.1       
  >131073 ESP:3des/sha1 b2f26034 2941/ unlim   -   root 500   10.1.1.1  
Note: If the external interface is in a custom routing instance at only one site and the traffic is initiated from the other site, rib-groups must be used to make the internal network available in the custom routing instance. Otherwise, the default route in the custom routing instance will match the traffic and the incoming interface itself will be chosen as the outgoing interface; the security policy lookup will then be done within the same zone context and the packets will be dropped.

If the external interfaces at both sites are in custom routing instances, rib-groups must be applied at both sites when bidirectional communication (traffic initiation from either site) is required. If traffic needs to be initiated from only one site, the rib-group should be applied at the other site.
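To make the note above concrete, here is an added Python model (not part of the KB article and not Junos code) of the two-table lookup on the Green SRX: inet.0 with its default route pointing at next-table vpn.inet.0, vpn.inet.0 with the routes shown in the routing-instance stanza, and the rib-group that copies the 192.168.1.0/24 interface route into vpn.inet.0. The interface-to-zone mapping and prefixes come from the Green configuration; the lookup and policy logic are a simplification assumed for illustration.

```python
import ipaddress

# Interface -> security zone, as in the Green site's security zones configuration.
ZONES = {"fe-0/0/0.0": "trust", "fe-0/0/1.0": "untrust", "st0.0": "untrust"}

# Direct (interface) routes that live in inet.0; these are what the rib-group copies.
INTERFACE_ROUTES_INET0 = [("192.168.1.0/24", "fe-0/0/0.0")]


def build_ribs(rib_group_applied):
    """Return {rib_name: [(network, next_hop), ...]} modelled on the Green site.

    next_hop is an interface name, or ("next-table", rib) for the inet.0 default
    route 'route 0.0.0.0/0 next-table vpn.inet.0'. (Simplified model, assumption.)
    """
    inet0 = [("0.0.0.0/0", ("next-table", "vpn.inet.0"))] + INTERFACE_ROUTES_INET0
    vpn = [("0.0.0.0/0", "fe-0/0/1.0"),       # default route towards the Internet
           ("10.1.1.0/30", "fe-0/0/1.0"),     # external interface subnet
           ("192.168.2.0/24", "st0.0")]       # remote site via the tunnel
    if rib_group_applied:
        # rib-groups myrib { import-rib [ inet.0 vpn.inet.0 ]; } on interface-routes
        vpn = vpn + INTERFACE_ROUTES_INET0
    return {name: [(ipaddress.ip_network(p), nh) for p, nh in routes]
            for name, routes in (("inet.0", inet0), ("vpn.inet.0", vpn))}


def lookup(ribs, rib, dst):
    """Longest-prefix match in `rib`, following a next-table redirection."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ribs[rib] if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    nh = best[1]
    if isinstance(nh, tuple) and nh[0] == "next-table":
        return lookup(ribs, nh[1], dst)
    return nh


def forwarding_decision(rib_group_applied, in_if, dst):
    """Return (out_if, from_zone, to_zone, verdict) for a packet entering on in_if."""
    ribs = build_ribs(rib_group_applied)
    # Interfaces in routing instance 'vpn' are looked up in vpn.inet.0, others in inet.0.
    rib = "vpn.inet.0" if in_if in ("fe-0/0/1.0", "st0.0") else "inet.0"
    out_if = lookup(ribs, rib, dst)
    from_zone, to_zone = ZONES[in_if], ZONES[out_if]
    # Only trust<->untrust policies exist; a same-zone lookup finds no policy and drops.
    verdict = "permit" if {from_zone, to_zone} == {"trust", "untrust"} else "drop"
    return out_if, from_zone, to_zone, verdict
```

Without the rib-group, a decrypted packet from the Blue site arriving on st0.0 for 192.168.1.2 only matches the default route in vpn.inet.0 and is sent back out fe-0/0/1.0 (untrust to untrust, dropped); with it, the 192.168.1.0/24 route wins and the packet reaches fe-0/0/0.0 in the trust zone.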



For more information, refer to:
KB16133 - What is the use of a rib-group and how are they used?
KB21256 - [SRX] Troubleshooting route-lookups in Virtual Routers