SRX IPSec VPN dual ISP including a default route for inet.0

  • 1.  SRX IPSec VPN dual ISP including a default route for inet.0

    Posted 03-03-2019 06:08

    Hi All,

    Bit stuck here... so I have followed https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227 which works great...

    Though now both the ISP facing interfaces are tied to a virtual-router type routing-instance, I want to have a default route on SRX-1 within the global routing table for internet breakout... So I need to leak out the default routes from the virtual-routers to the global routing table... though it looks like you can only do this with a vrf type routing-instance..?

    So has anyone managed to import a route from virtual-router.inet.0 to inet.0 ... ? As currently I can't see an option...



  • 2.  RE: SRX IPSec VPN dual ISP including a default route for inet.0
    Best Answer

     
    Posted 03-03-2019 08:56

    Hi test20001,

     

    Looks like instance-import works:

    set policy-options policy-statement from_VR_to_inet term term1 from instance VR
    set policy-options policy-statement from_VR_to_inet term term1 then accept
    set routing-options instance-import from_VR_to_inet

     

    Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB16453

     

    Hope this helps.

     

    Regards,
    -r.


     



  • 3.  RE: SRX IPSec VPN dual ISP including a default route for inet.0

    Posted 03-05-2019 06:20

     

    Gone with the solution, which works really well; I basically move routes from two VRs to inet and some from inet to the VRs.

    Don't forget the deny-all at the end!

    Config below:


    set routing-options instance-import from_VRs_to_inet
    set policy-options policy-statement from_VRs_to_inet term import-isp from instance BT-EXT
    set policy-options policy-statement from_VRs_to_inet term import-isp from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement from_VRs_to_inet term import-isp from route-filter 19.x.x.248/29 orlonger
    set policy-options policy-statement from_VRs_to_inet term import-isp then accept
    set policy-options policy-statement from_VRs_to_inet term import-isp2 from instance VM-EXT
    set policy-options policy-statement from_VRs_to_inet term import-isp2 from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement from_VRs_to_inet term import-isp2 from route-filter 21.x.x.80/28 orlonger
    set policy-options policy-statement from_VRs_to_inet term import-isp2 then preference 10
    set policy-options policy-statement from_VRs_to_inet term import-isp2 then accept
    set policy-options policy-statement from_VRs_to_inet term deny-all then reject
    set policy-options policy-statement from_inet_to_VRs term import-inet from instance master
    set policy-options policy-statement from_inet_to_VRs term import-inet from route-filter 192.168.1.0/24 orlonger
    set policy-options policy-statement from_inet_to_VRs term import-inet from route-filter 0.0.0.0/0 exact
    set policy-options policy-statement from_inet_to_VRs term import-inet then accept
    set policy-options policy-statement from_inet_to_VRs term deny-all then reject

    set routing-instances BT-EXT routing-options instance-import from_inet_to_VRs
    set routing-instances VM-EXT routing-options instance-import from_inet_to_VRs
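
A check for the two habits in the reply above (a route-filter on each accepting term and a deny-all as the final term), as an added example that is not part of the original post. SAMPLE is a subset of the thread's config with the addresses left masked, and the function names `parse` and `audit` are this example's own.

```python
# Added example: audit Junos set-format lines for instance-import policies.
# SAMPLE is assembled from the two replies above (subset; not a full device config).
SAMPLE = """\
set policy-options policy-statement from_VR_to_inet term term1 from instance VR
set policy-options policy-statement from_VR_to_inet term term1 then accept
set routing-options instance-import from_VR_to_inet
set policy-options policy-statement from_VRs_to_inet term import-isp from instance BT-EXT
set policy-options policy-statement from_VRs_to_inet term import-isp from route-filter 0.0.0.0/0 exact
set policy-options policy-statement from_VRs_to_inet term import-isp then accept
set policy-options policy-statement from_VRs_to_inet term deny-all then reject
set routing-options instance-import from_VRs_to_inet
"""

def parse(config):
    """Return (policies, imports): terms per policy, and policy names used by instance-import."""
    policies, imports = {}, []
    for tok in map(str.split, config.splitlines()):
        if tok[:3] == ["set", "policy-options", "policy-statement"] and tok[4:5] == ["term"] and len(tok) > 7:
            term = policies.setdefault(tok[3], {}).setdefault(tok[5], {"from": [], "then": []})
            if tok[6] in term:                      # only "from" and "then" are tracked
                term[tok[6]].append(tok[7:])
        elif "instance-import" in tok[:-1]:         # global or per routing-instance form
            imports.append(tok[tok.index("instance-import") + 1])
    return policies, imports

def audit(config):
    """Map each instance-import policy name to a list of findings (empty list = clean)."""
    policies, imports = parse(config)
    report = {}
    for name in imports:
        if name in report:                          # same policy applied in several instances
            continue
        findings = report.setdefault(name, [])
        terms = policies.get(name)
        if not terms:
            findings.append("policy not defined")
            continue
        for tname, term in terms.items():
            filtered = any(f[0] in ("route-filter", "prefix-list") for f in term["from"])
            if ["accept"] in term["then"] and not filtered:
                findings.append(f"term {tname}: accept without route-filter or prefix-list")
        last = list(terms.values())[-1]
        if last["from"] or ["reject"] not in last["then"]:
            findings.append("no unconditional reject as final term")
    return report

if __name__ == "__main__":
    for policy, findings in audit(SAMPLE).items():
        print(policy, findings or "ok")
```

Run it against the output of `show configuration | display set` saved to a file to review which routes each leak policy lets across routing instances.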

     



  • 4.  RE: SRX IPSec VPN dual ISP including a default route for inet.0

     
    Posted 03-03-2019 09:17

    I prefer to use the logical tunnel pair of interfaces in this scenario.  It creates a virtual interface pair where one side is in your inet.0 routing instance and the other in your ISP routing instance.

    You can then assign these to the desired zones and make a BGP peer across this virtual internal link.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21260

     



  • 5.  RE: SRX IPSec VPN dual ISP including a default route for inet.0

    Posted 03-03-2019 12:23

    Thanks guys.. seems like two good options, will give them a go... will let you know how I get on