SRX

One peer to multiple peers VPN for route-based VPN

  • 1.  One peer to multiple peers VPN for route-based VPN

    Posted 11-23-2018 19:52

    I read about st0 interfaces for VPN and got a question.
    Is it possible to set up multiple numbered interfaces st0.1, st0.2, 3, 4, 5 (without IPs) on my single peer for route-based VPN tunnels that will go to the 5 different remote VPN peers? Let's say remote LANs that will be reached via tunnels do not overlap and the proper security policies are in place. Are there any other issues to consider?
    Is it possible to ping a remote network using st0.x as a source interface?

    Thank you.



  • 2.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-24-2018 08:08

    You can have tunnel interfaces without IPv4 addresses.

    You can have multiple interfaces and one per tunnel.

    But if the st0 interface has no IP address you won't be able to use it as the source for a ping, as it won't have an address.


  • 3.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-25-2018 14:43

    Steve, thanks! This helps me to understand this better.
    As for IPs assigned to st0s, can those be pretty much any IP addresses as long as they are different?
    So st0.1 can be c.c.c.c/24 and st0.2 can be d.d.d.d/16? Or am I wrong and those IPs have to follow specific rules?



  • 4.  RE: One peer to multiple peers VPN for route-based VPN
    Best Answer

    Posted 11-25-2018 16:15

    Think of these st0 interfaces as virtual tunnel interfaces. There are some basic scenarios.

    One side is the SRX with a route-based tunnel and st0 interface and the other side only supports regular policy-based IPsec. In these cases the tunnel interface IP address has no meaning or use. It can exist or not as an option.

    When both sides are SRX or another device with a tunnel interface, the best scenario is to treat them as a virtual network link. They should each have an IP address in the same subnet.

    So on point-to-point tunnels assign a /31 or /30 range and put one address on each side of the link, just as if they were connected routers. These interfaces can run OSPF neighbors or be a BGP link between the sites.

    On a point-to-multipoint tunnel you can assign a subnet big enough for all the sites connecting and each tunnel interface gets an IP address in the range. If you use OSPF neighbors on these interfaces the SRX will automatically add the NHTB routes (next hop tunnel binding) for all sites to see each other with no static routes needing to be created.

    If you are just using static routes to tunnels on a point-to-point system with SRX, IP addresses can be omitted and are optional.


  • 5.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-26-2018 05:50

    Thank you, Steve! Now I get it!
    I can't begin to thank you for all of your help!



  • 6.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-27-2018 16:43

    Scenario: In the route-based VPN with st0.4

    For this setup with

    ike proxy-identity local a.a.a.a/24 remote b.b.b.b/24

    it works.

    What if my proxy-identity local a.a.a.a/24 stays the same but I need to add an additional remote c.c.c.c/24 into the same tunnel? How can I accomplish this so the same tunnel with st0.4 now will lead to two remote networks instead of just one?

    I do not think just adding these two lines would work:

    set security ipsec vpn myVPN ike proxy-identity local a.a.a.a/24 remote c.c.c.c/24...
    set security ipsec vpn myVPN ike proxy-identity local a.a.a.a/24 remote b.b.b.b/24...


  • 7.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-27-2018 16:50

    The proxy-id feature only allows a single pair of networks to be created.

    The networks are always added in pairs - local network connecting to remote network.

    When you need multiple pairs, you will need to use the traffic selector option. This is a configuration example from the KB archive.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820


  • 8.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-27-2018 17:59

    Given the example below (old config):

    ## under [edit security ike]
    proposal myproposal {
        authentication-method pre-shared-keys;
        dh-group groupx;
        authentication-algorithm sha...;
        encryption-algorithm ...;
        lifetime-seconds ...;
    }
    policy myikepolicy {
        mode main;
        proposals myproposal;
        pre-shared-key ascii-text "..."; ## SECRET-DATA
    }
    gateway gateway1 {
        ike-policy myikepolicy;
        address W.W.W.W;
        dead-peer-detection {
            always-send;
            interval x;
            threshold x;
        }
        local-identity inet Q.Q.Q.Q;
        remote-identity inet W.W.W.W;
        external-interface ge-0/0/1.0;
    }

    ## under [edit security ipsec]
    proposal myproposal1 {
        protocol esp;
        authentication-algorithm ...;
        encryption-algorithm ...;
        lifetime-seconds ...;
    }
    policy myipsecpolicy1 {
        perfect-forward-secrecy {
            keys groupx;
        }
        proposals myproposal1;
    }
    vpn MyVPN {
        bind-interface st0.4;
        ike {
            gateway gateway1;
            proxy-identity {
                local a.a.a.a/24;
                remote b.b.b.b/24;
                service any;
            }
            ipsec-policy myipsecpolicy1;
        }
        establish-tunnels immediately;
    }

    I will need to do this:

    Leave st0.4 in the zone untrust as it was.

    But delete this:

    routing-options static route b.b.b.b/24 next-hop st0.4
    security ipsec vpn MyVPN ike proxy-identity local a.a.a.a/24 remote b.b.b.b/24 service any

    And just add this:

    set security ipsec vpn MyVPN traffic-selector t1 local-ip a.a.a.a/24
    set security ipsec vpn MyVPN traffic-selector t1 remote-ip b.b.b.b/24
    set security ipsec vpn MyVPN traffic-selector t2 local-ip a.a.a.a/24
    set security ipsec vpn MyVPN traffic-selector t2 remote-ip c.c.c.c/24

    Where does service any go in here?

    Or am I missing something else here?



  • 9.  RE: One peer to multiple peers VPN for route-based VPN

    Posted 11-28-2018 03:18

    Looks correct; the service any is not explicit in the traffic selector configuration. And the static routes are generated by the config as well, so they no longer need to be explicit.
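The following is an added example (not from this thread or from Juniper) that ties together post 4 (one st0 unit per peer with a /30 link address from a pool, as for connected routers) and posts 8 and 9 (one traffic-selector per remote LAN instead of a single proxy-identity pair, with no hand-written static routes). It checks the OP's precondition that remote LANs reached over different tunnels do not overlap, then emits Junos set statements for a hub SRX. The peer list, pool, policy names and interface are constructed placeholders.

```python
import ipaddress

# Constructed sample: one hub SRX and three remote peers (documentation and
# RFC 1918 addresses, not from any real deployment).
PEERS = [
    {"name": "siteB", "gateway": "198.51.100.2", "remote_lans": ["10.2.0.0/24"]},
    {"name": "siteC", "gateway": "198.51.100.3", "remote_lans": ["10.3.0.0/24", "10.4.0.0/24"]},
    {"name": "siteD", "gateway": "198.51.100.4", "remote_lans": ["10.5.0.0/16"]},
]
LOCAL_LAN = "10.1.0.0/24"
TUNNEL_POOL = "10.255.0.0/24"   # carved into /30 links, one per st0 unit (post 4)

def check_no_overlap(peers):
    """Remote LANs behind different tunnels must not overlap (the OP's condition);
    otherwise the routes the traffic selectors auto-insert (post 9) would collide.
    Returns a list of (peer, prefix, other_peer, other_prefix); empty means OK."""
    seen, clashes = [], []
    for p in peers:
        for lan in p["remote_lans"]:
            net = ipaddress.ip_network(lan)
            for other_name, other in seen:
                if net.overlaps(other):
                    clashes.append((p["name"], str(net), other_name, str(other)))
            seen.append((p["name"], net))
    return clashes

def build_config(peers, local_lan, pool, ext_if="ge-0/0/1.0"):
    """Emit Junos 'set' lines: per peer one st0 unit with a /30 link address, one
    IKE gateway, one VPN bound to that unit, and one traffic-selector per remote
    LAN. No 'routing-options static route' lines: traffic selectors add them."""
    clashes = check_no_overlap(peers)
    if clashes:
        raise ValueError(f"overlapping remote LANs: {clashes}")
    links = ipaddress.ip_network(pool).subnets(new_prefix=30)
    lines = []
    for unit, (peer, link) in enumerate(zip(peers, links), start=1):
        hub_ip = next(link.hosts())          # hub takes the first usable address
        gw, vpn = f"gw-{peer['name']}", f"vpn-{peer['name']}"
        lines += [
            f"set interfaces st0 unit {unit} family inet address {hub_ip}/30",
            f"set security zones security-zone untrust interfaces st0.{unit}",
            f"set security ike gateway {gw} ike-policy myikepolicy",
            f"set security ike gateway {gw} address {peer['gateway']}",
            f"set security ike gateway {gw} external-interface {ext_if}",
            f"set security ipsec vpn {vpn} bind-interface st0.{unit}",
            f"set security ipsec vpn {vpn} ike gateway {gw}",
            f"set security ipsec vpn {vpn} ike ipsec-policy myipsecpolicy1",
        ]
        for n, lan in enumerate(peer["remote_lans"], start=1):   # t1, t2, ... per peer
            lines.append(f"set security ipsec vpn {vpn} traffic-selector t{n} local-ip {local_lan}")
            lines.append(f"set security ipsec vpn {vpn} traffic-selector t{n} remote-ip {lan}")
    return lines
```

The IKE and IPsec policy names are assumed to exist already, as in post 8's config; the remote side of each /30 (the second usable address) is left for the peer to configure.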