SRX

Expand all | Collapse all

Route based VPNs have disappearing static routes when IKE/VPN activate

Jump to Best Answer
  • 1.  Route based VPNs have disappearing static routes when IKE/VPN activate

    Posted 05-30-2018 07:37

    SRX 345 running JUNOS 15.1X49-D130.6

    New system with two route-based VPNs configured. The static routes disappear when IKE / IPSec are active. When IKE / IPSec are deactivated the static routes disappear.

     

    Here are the route statements:

    set routing-options static route 0.0.0.0/0 next-hop 99.99.99.150
    set routing-options static route 90.90.90.40/32 next-hop st0.5555

     

    Show routes:

    superit@my345srx> show route 90.90.90.40

    inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 1w3d 20:35:39
    > to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG

    superit@my345srx> edit
    Entering configuration mode

    [edit]
    superit@my345srx# deactivate security ipsec vpn ipsec-vpn-system

    [edit]
    superit@my345srx# deactivate security ike gateway ike-gw-system

    [edit]
    superit@my345srx# commit
    commit complete

    [edit]
    superit@my345srx# exit
    Exiting configuration mode

    superit@my345srx> show route 90.90.90.40

    inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    90.90.90.40/32 *[Static/5] 00:02:15
    > via st0.5555 < - - - CORRECT WHILE IKE AND IPSEC VPN DEACTIVATED.

    superit@my345srx> edit
    Entering configuration mode

    [edit]
    superit@my345srx# activate security ike gateway ike-gw-system

    [edit]
    superit@my345srx# activate security ipsec vpn ipsec-vpn-system

    [edit]
    superit@my345srx# commit
    commit complete

    [edit]
    superit@my345srx# exit
    Exiting configuration mode

    superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN WITHIN A FEW SECONDS of EXITING CONFIG MODE.

    inet.0: 25 destinations, 25 routes (25 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    90.90.90.40/32 *[Static/5] 00:03:43
    > via st0.5555 < - - - CORRECT

    superit@my345srx>

    superit@my345srx> show route 90.90.90.40 < - - - THIS COMMAND WAS RUN ABOUT 20 to 30 SECONDS AFTER LAST COMMNAD. THE ROUTE CHANGED!

    inet.0: 24 destinations, 24 routes (24 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 1w3d 20:53:29
    > to 99.99.99.150 via ge-0/0/7.0 < - - - WRONG



  • 2.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

     
    Posted 05-31-2018 03:29

    The route will be active as long as the tunnel interface next hop is up.  Typically this is all the time regardless of the vpn status.  But this can be overridden with RPM test probes to down the st0 interface when the tunnel is down.  I suspect that may be configured on your device.

     

    Look for configuration under:

    services > rpm

    services > ip-monitoring

     



  • 3.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

    Posted 05-31-2018 07:30

    I don't see anything configured.

     

    superit@my345srx> show services rpm ?
    Possible completions:
    active-servers Show configured servers
    history-results Show history results
    probe-results Show probe results
    twamp Show TWAMP information

    superit@my345srx> show services rpm active-servers

    superit@my345srx> show services rpm history-results

    superit@my345srx> show services rpm probe-results

    superit@my345srx> show services rpm twamp server

    superit@my345srx> show services rpm twamp client

    superit@my345srx> show service ip-monitoring status

    superit@my345srx> show configuration | display set | match rpm

    superit@my345srx> show configuration | display set | match ip-monitoring

    superit@my345srx>



  • 4.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate
    Best Answer

     
    Posted 06-01-2018 06:54

    Have you maybe configured traffic selectors? If yes then please delete static route as it is added automatically.

    Can you share vpn part of the config?

     

    Regards, Wojtek



  • 5.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

    Posted 06-01-2018 09:26

    Yes, I obfuscated some of the data. I included the only two VPNs I have setup.

     

    Routes are using default route (which is incorrect):

    superit@my345srx> show route 66.n.n.n

    inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 1w6d 13:46:30
    > to 45.z.z.z via ge-0/0/7.0

    superit@my345srx> show route 10.y.y.y

    inet.0: 22 destinations, 22 routes (22 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 1w6d 13:47:06
    > to 45.z.z.z via ge-0/0/7.0

    ## Interface assignments:
    set interfaces ge-0/0/6 unit 0 family inet address 45.z.z.z-4/30
    set interfaces ge-0/0/7 unit 0 family inet address 45.z.z.z-1/30
    set interfaces st0 unit 1 family inet
    set interfaces st0 unit 5555 family inet

    ## First VPN:

    set security zones security-zone vpn-sec-zone interfaces st0.1

    set routing-options static route 66.n.n.n/32 next-hop st0.1
    set routing-options static route 66.n.n.n+1/32 next-hop st0.1

    ## Proposals
    set security ike proposal ike-proposal-robot authentication-method pre-shared-keys
    set security ike proposal ike-proposal-robot dh-group group2
    set security ike proposal ike-proposal-robot authentication-algorithm sha1
    set security ike proposal ike-proposal-robot encryption-algorithm 3des-cbc
    set security ike proposal ike-proposal-robot lifetime-seconds 86400
    set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs protocol esp
    set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs authentication-algorithm hmac-sha1-96
    set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs encryption-algorithm 3des-cbc
    set security ipsec proposal 3des-cbc-hmac-sha1-96-nopfs lifetime-seconds 86400


    ## Phase I
    set security ike policy ike-policy-robot mode main
    set security ike policy ike-policy-robot proposals ike-proposal-robot
    set security ike policy ike-policy-robot pre-shared-key ascii-text "password-removed"
    set security ike gateway ike-gateway-robot ike-policy ike-policy-robot
    set security ike gateway ike-gateway-robot address 66.n.c.c
    set security ike gateway ike-gateway-robot external-interface ge-0/0/7
    set security ike gateway ike-gateway-robot version v1-only

    ## Phase II
    set security ipsec policy ipsec-policy-robot proposals 3des-cbc-hmac-sha1-96-nopfs
    set security ipsec vpn ipsec-vpn-robot-cfg bind-interface st0.1
    set security ipsec vpn ipsec-vpn-robot-cfg vpn-monitor optimized
    set security ipsec vpn ipsec-vpn-robot-cfg ike gateway ike-gateway-robot
    set security ipsec vpn ipsec-vpn-robot-cfg ike ipsec-policy ipsec-policy-robot
    set security ipsec vpn ipsec-vpn-robot-cfg establish-tunnels immediately

    # Address book entries

    set security address-book global address xmen-lab 45.e.e.e/32
    set security address-book global address robot-0 66.n.n.n/32
    set security address-book global address robot-1 66.n.n.n+1/32

    ## Policy-Inbound
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-0
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address robot-1
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit
    ## Policy-Outbound
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-0
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address robot-1
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit

    ## Second VPN

    set security zones security-zone vpn-sec-zone interfaces st0.5555
    set routing-options static route 10.y.y.y/32 next-hop st0.5555

    ## Proposals
    set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-method pre-shared-keys
    set security ike proposal ike-pro-dhg5-sha256-aes256 dh-group group5
    set security ike proposal ike-pro-dhg5-sha256-aes256 authentication-algorithm sha-256
    set security ike proposal ike-pro-dhg5-sha256-aes256 encryption-algorithm aes-256-cbc
    set security ike proposal ike-pro-dhg5-sha256-aes256 lifetime-seconds 86400

    set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs protocol esp
    set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs authentication-algorithm hmac-sha1-96
    set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs encryption-algorithm aes-256-cbc
    set security ipsec proposal ipsecpro-sha1-96-aes256-nopfs lifetime-seconds 86400


    ## Phase I
    set security ike policy ike-pol-x-robot mode main
    set security ike policy ike-pol-x-robot proposals ike-pro-dhg5-sha256-aes256
    set security ike policy ike-pol-x-robot pre-shared-key ascii-text "password-removed"
    set security ike gateway ike-gw-x-robot ike-policy ike-pol-x-robot
    set security ike gateway ike-gw-x-robot address 208.a.a.a
    set security ike gateway ike-gw-x-robot external-interface ge-0/0/7


    ## Phase II
    set security ipsec vpn-monitor-options interval 10
    set security ipsec vpn-monitor-options threshold 10
    set security ipsec policy ipsec-policy-x-robot proposals ipsecpro-sha1-96-aes256-nopfs
    set security ipsec vpn ipsec-vpn-x-robot bind-interface st0.5555
    set security ipsec vpn ipsec-vpn-x-robot vpn-monitor optimized
    set security ipsec vpn ipsec-vpn-x-robot ike gateway ike-gw-x-robot
    set security ipsec vpn ipsec-vpn-x-robot ike ipsec-policy ipsec-policy-x-robot
    set security ipsec vpn ipsec-vpn-x-robot establish-tunnels immediately

    ## Address book
    set security address-book global address xmen-lab 45.e.e.e/32
    set security address-book global address x-robot-system 10.y.y.y/32


    ## Policy
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match source-address xmen-lab
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match destination-address x-robot-system
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy match application any
    set security policies from-zone trust to-zone vpn-sec-zone policy trust-vpn-sec-zone-policy then permit

    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match source-address x-robot-system
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match destination-address xmen-lab
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy match application any
    set security policies from-zone vpn-sec-zone to-zone trust policy vpn-sec-zone-trust-policy then permit



  • 6.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

    Posted 06-09-2018 13:40

    I opened ticket with JTAC and they got me going. We removed vpn-monitor then added proxy-id for one VPN and traffic selector for second VPN. My static routes now appear correctly and VPNs are working.

     

    Thanks for all the assistance.



  • 7.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

     
    Posted 06-02-2018 06:10

    What is the interface status of the tunnel st0.5555 when the route is withdrawn?

    And the extensive output of that interface?

     

    Typically I would expect the tunnel interface to be down for some reason for the route not to install.  The key will be finding out why the interface goes down.

     

    Look for log messages about the interface too.

     



  • 8.  RE: Route based VPNs have disappearing static routes when IKE/VPN activate

     
    Posted 06-04-2018 20:15

    Do you see this happening even when you have traffic flowing via the VPN?

     

    Anand