SRX


Routing and IPSec in separate routing-instances

  • 1.  Routing and IPSec in separate routing-instances

    Posted 06-16-2014 17:05

    Hello!

    I have compiled and configured such a route-based IPSec. I must say that it is a non-standard solution. I have not found a similar one on the WWW. But I want to know your opinion about this.

    Here my goal is:

    - To separate the routing and ipsec with different routing-instances. Here routing-instance INET.inet.0 does not know anything about network 30.1.1.0/24.

    - The link physically connects to INET; the vpn interface st0.0 belongs to the Gn routing-instance. Gn.inet.0 has a route to 30.1.1.0/24 (direct).

    ICMP packets from source 7.7.7.1 to destination 30.1.1.1 are sent and received successfully.

    Show security ike/ipsec security-associations outputs say that ike and ipsec are UP.

    My question: is the scheme correct from the point of view of common sense?

    (Diagram attached as image: Scan 001.jpg)



  • 2.  RE: Routing and IPSec in separate routing-instances
    Best Answer

    Posted 06-16-2014 17:13

    This is a good solution for getting routing separation for a vpn-connected subnet. This allows the vpn subnet to have a default route for all traffic up the vpn tunnel, or even to be an isolated segment with limited routing available outside the network.

     

    You'll find the same basic setup in the Day One: Juniper Ambassadors Cookbook for the Enterprise Recipe 5.

     

    http://forums.juniper.net/t5/Day-One-Books/Day-One-Juniper-Ambassadors-Cookbook-for-Enterprise/ba-p/198733



  • 3.  RE: Routing and IPSec in separate routing-instances

    Posted 06-16-2014 17:18

    Thank you very much! Not the first time helping me!



  • 4.  RE: Routing and IPSec in separate routing-instances

    Posted 06-17-2014 04:32

    Steve, hello! Can I use this scheme with a gre interface (no ipsec), only GRE, routing and tunnel separated?



  • 5.  RE: Routing and IPSec in separate routing-instances

    Posted 06-17-2014 13:45

    Yes, the same concept can apply to any tunnel connection.

     

    See KB24592 for the gre example.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB24592



  • 6.  RE: Routing and IPSec in separate routing-instances

    Posted 09-13-2018 14:39

    Hi Steve,

     

    Recipe 5 has the VPN tunnel setup for routing in inet.0.  How can this be setup in a VR?  In other words, have a VR for tunnel setup with the resulting st0 interface in another VR.

     

    I want to do this to segregate management traffic in inet.0 from everything else.

     

    Thanks in advance



  • 7.  RE: Routing and IPSec in separate routing-instances

    Posted 09-13-2018 14:58

    The only changes you would need to make to the setup would be those for the ISP and associated interface.

     

    • Create a second virtual router routing instance.
    • Place the external ISP interface into this routing instance.
    • Move that ISP default route from the main routing-options into the vr routing-options.

    This will isolate the ISP and gateway interface into their own vr and routing table as well.

     



  • 8.  RE: Routing and IPSec in separate routing-instances

    Posted 09-13-2018 15:09

    Thanks for the reply. That's what I have set up; the st0.x IFL shows up but I don't have connectivity across. Policies are wide open at this point and all host-inbound traffic is allowed.

     

    hmm



  • 9.  RE: Routing and IPSec in separate routing-instances

    Posted 09-13-2018 15:19

    Check the ike and vpn status to confirm the tunnel has come up first.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10100

     

    If the vpn is up, check that the route into the tunnel is active for the vpn traffic:

    show route table vrname.inet.0

     

    And look for sessions created for the traffic:

    show security flow session source-prefix 192.168.1.20