SRX




  • 1.  Next Hop Tunnel Binding IPSEC VPN

    Posted 09-09-2009 19:59

    I am attempting to set up multiple IPsec VPNs on a single, unnumbered tunnel interface (st0.0) with next-hop-tunnel binding.  I have the following:

    set interfaces st0.0 multipoint
    set interfaces st0.0 family inet next-hop-tunnel X.X.X.X ipsec-vpn ipsec-vpn-X

    set routing-options static route Y.Y.Y.Y/24 next-hop st0.0
    set routing-options static route Z.Z.Z.Z/24 next-hop st0.0

    set security ipsec policy ipsec-policy-X proposal-set standard
    set security ipsec vpn ipsec-vpn-X bind-interface st0.0
    set security ipsec vpn ipsec-vpn-X ike gateway ike-gate-X ipsec-policy ipsec-policy-X
    set security ipsec vpn ipsec-vpn-X establish-tunnels immediately

    set security ike policy ike-policy-X mode main
    set security ike policy ike-policy-X proposal-set standard
    set security ike policy ike-policy-X pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxx

    set security ike gateway ike-gate-X ike-policy ike-policy-X
    set security ike gateway ike-gate-X address X.X.X.X
    set security ike gateway ike-gate-X external-interface ge-0/0/0

    This doesn't work currently, but as soon as I take out the next hop, multipoint, and st0.0 interface binding on the other IPsec VPN, it works.  The VPN gets created (the establish-tunnels immediately takes care of this, I assume), but no traffic will flow until I do the former.

    I have done similar setups in ScreenOS, but this doesn't appear to work in JUNOS, at least with unnumbered tunnel interfaces.  Any ideas?  Do I need to have an IP address on the tunnel interfaces? Should I just use another tunnel interface?  I'd rather do neither.



  • 2.  RE: Next Hop Tunnel Binding IPSEC VPN
    Best Answer

    Posted 09-10-2009 03:22
    When you use ScreenOS and NHTB you have to set the outgoing interface and the next-hop IP in the route. The next-hop IP must match the IP in the NHTB table to select the correct VPN. In JUNOS I haven't yet seen a way to select st0.x and a next-hop IP when setting a static route. So just try setting an address on the interface and route to the IP instead of the interface, and it should work.


  • 3.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-10-2009 13:08

    Have you tried using the remote side's st0.0 IP address instead of st0.0? This is an accepted configuration. I have used this in a single-VPN setup; I have not tried it in a multi-site setup as you are doing, but I would say "give it a shot!"
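    The layout that replies 2 and 3 describe, written out as an added example (not configuration from the thread or from Juniper): st0.0 is numbered, each next-hop-tunnel entry maps a peer's st0 address (not its IKE gateway address) to its VPN, and the static routes point at those peer st0 addresses instead of at st0.0 so the NHTB table can select the tunnel. All addresses, VPN, gateway, policy and zone names are constructed placeholders.

```junos
# Added example, not from the original thread. Addresses and names are placeholders.
# Hub side: st0.0 is multipoint and numbered; 10.255.0.1 is this SRX's st0 address.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24

# NHTB entries: each peer's st0 address maps to the VPN that reaches it.
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn vpn-site-a
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn vpn-site-b

# Routes use the peer st0 address as next hop, not the st0.0 interface.
set routing-options static route 192.168.10.0/24 next-hop 10.255.0.2
set routing-options static route 192.168.20.0/24 next-hop 10.255.0.3

# IKE: one policy per peer so each peer gets its own pre-shared key.
set security ike policy ike-site-a mode main
set security ike policy ike-site-a proposal-set standard
set security ike policy ike-site-a pre-shared-key ascii-text "<PSK-SITE-A-PLACEHOLDER>"
set security ike policy ike-site-b mode main
set security ike policy ike-site-b proposal-set standard
set security ike policy ike-site-b pre-shared-key ascii-text "<PSK-SITE-B-PLACEHOLDER>"
set security ike gateway gw-site-a ike-policy ike-site-a
set security ike gateway gw-site-a address 203.0.113.10
set security ike gateway gw-site-a external-interface ge-0/0/0
set security ike gateway gw-site-b ike-policy ike-site-b
set security ike gateway gw-site-b address 203.0.113.20
set security ike gateway gw-site-b external-interface ge-0/0/0

# IPsec: both VPNs bind to the same st0.0.
set security ipsec policy ipsec-std proposal-set standard
set security ipsec vpn vpn-site-a bind-interface st0.0
set security ipsec vpn vpn-site-a ike gateway gw-site-a ipsec-policy ipsec-std
set security ipsec vpn vpn-site-a establish-tunnels immediately
set security ipsec vpn vpn-site-b bind-interface st0.0
set security ipsec vpn vpn-site-b ike gateway gw-site-b ipsec-policy ipsec-std
set security ipsec vpn vpn-site-b establish-tunnels immediately

# st0.0 must sit in a security zone with policies that permit the tunnel traffic.
set security zones security-zone vpn interfaces st0.0

# Each spoke mirrors this: st0 numbered from the same subnet (e.g. 10.255.0.2/24),
# a next-hop-tunnel entry for 10.255.0.1, and routes to the hub networks via 10.255.0.1.
```

    After commit, `show security ipsec next-hop-tunnels` lists the NHTB entries and the VPN each peer st0 address resolves to, which is the quickest check that the routes and tunnels line up.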

     



  • 4.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-10-2009 20:42
    Have you tried qualified routes?


  • 5.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-14-2009 14:46

    Kevin,

    I wanted to do this without numbering the tunnel interfaces, but it appears that in order to use next-hop tunneling, that is what needs to be done.


    #tunnels
    #IPSec
    #multiple