I configured 2 IPsec VPN tunnels to AWS. Both tunnels are UP, but there's a problem with communicating with hosts in AWS:
After enabling traceoptions I see errors:
CID-1:RT:'external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.
My current configuration indeed puts lo0.1 in a different routing-instance (vr1) and a different security zone (vpn-aws) than ge-5/0/12.0, which is the current interface to reach the Internet in the master routing-instance and in the untrust zone.
root@SRX1# show security zones security-zone untrust
host-inbound-traffic {
    system-services {
        ping;
    }
    protocols {
        bgp;
    }
}
interfaces {
    ge-0/0/12.0;
    ge-5/0/12.0;
}
{primary:node0}[edit]
root@SRX1# show security zones security-zone vpn-aws
host-inbound-traffic {
    system-services {
        ike;
        ping;
    }
}
interfaces {
    st0.2;
    st0.1;
    lo0.1;
}
root@SRX1# show routing-instances
vr1 {
    instance-type virtual-router;
    interface lo0.1;
    interface st0.1;
    interface st0.2;
    routing-options {
        static {
            route 10.1.0.0/16 next-hop [ st0.1 st0.2 ];
        }
    }
}
I tried to move interface lo0.1 from security-zone vpn-aws to untrust to resolve the issue, but it's not possible:
[edit security zones security-zone untrust]
'interfaces lo0.1'
Interface lo0.1 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed
So I have no idea what to do. I can't have both interfaces in different security zones, but at the same time I can't have both interfaces in the same security zone because they use different routing instances.
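The two errors in the post state two placement constraints: the traceoptions message requires the IKE external-interface and the interface that routes toward the peer to be in the same zone, and the commit error requires every interface in a zone to share one routing instance. The following script is an added example, not part of the post and not Juniper code; it encodes those two constraints as checks over the zone and routing-instance membership shown above (constructed here as Python dicts, with interfaces not listed under any routing instance assumed to be in the master instance) and evaluates the move the poster tried, so the conflict between the two constraints can be seen before a commit.

```python
"""Check SRX zone / routing-instance placement constraints for an IKE external interface.

Added example: the membership data below is transcribed from the `show` output in
the post; the interface and zone names are those of the post, and the assumption
that unlisted interfaces live in the master routing instance is ours.
"""
from copy import deepcopy

# Constructed from `show security zones` in the post.
ZONES = {
    "untrust": ["ge-0/0/12.0", "ge-5/0/12.0"],
    "vpn-aws": ["st0.2", "st0.1", "lo0.1"],
}

# Constructed from `show routing-instances` in the post. Interfaces that appear in
# no routing instance are treated as belonging to the master instance (assumption).
ROUTING_INSTANCES = {
    "vr1": ["lo0.1", "st0.1", "st0.2"],
}
MASTER = "master"


def zone_of(iface, zones):
    """Return the security zone that lists `iface`, or None if it is in no zone."""
    return next((z for z, ifs in zones.items() if iface in ifs), None)


def instance_of(iface, instances):
    """Return the routing instance of `iface`, defaulting to the master instance."""
    return next((ri for ri, ifs in instances.items() if iface in ifs), MASTER)


def zone_instance_violations(zones, instances):
    """Commit-time rule from the post: all interfaces in one zone must share a routing instance.

    Returns a list of (zone, {routing_instance: [interfaces]}) for each zone that
    mixes instances; an empty list means the zone layout would commit.
    """
    problems = []
    for zone, ifaces in zones.items():
        by_ri = {}
        for iface in ifaces:
            by_ri.setdefault(instance_of(iface, instances), []).append(iface)
        if len(by_ri) > 1:
            problems.append((zone, by_ri))
    return problems


def ike_reroute_ok(external_iface, egress_iface, zones):
    """Runtime rule from the traceoptions message: the IKE 'external-interface' and the
    'routing-interface' (the egress toward the peer) must be in the same zone."""
    return zone_of(external_iface, zones) == zone_of(egress_iface, zones)


def move_interface(iface, dest_zone, zones):
    """Return a copy of `zones` with `iface` moved into `dest_zone` (no in-place change)."""
    new = deepcopy(zones)
    for ifs in new.values():
        if iface in ifs:
            ifs.remove(iface)
    new.setdefault(dest_zone, []).append(iface)
    return new


def diagnose(external_iface, egress_iface, zones, instances):
    """Collect human-readable findings for a candidate layout."""
    findings = []
    if not ike_reroute_ok(external_iface, egress_iface, zones):
        findings.append(
            f"{external_iface} (zone {zone_of(external_iface, zones)}) and "
            f"{egress_iface} (zone {zone_of(egress_iface, zones)}) are in different "
            "zones: IKE re-route would fail"
        )
    for zone, by_ri in zone_instance_violations(zones, instances):
        findings.append(
            f"zone {zone} mixes routing instances {sorted(by_ri)}: commit check would fail"
        )
    return findings


if __name__ == "__main__":
    print("current layout:")
    for line in diagnose("lo0.1", "ge-5/0/12.0", ZONES, ROUTING_INSTANCES):
        print("  -", line)
    moved = move_interface("lo0.1", "untrust", ZONES)
    print("after moving lo0.1 into untrust:")
    for line in diagnose("lo0.1", "ge-5/0/12.0", moved, ROUTING_INSTANCES):
        print("  -", line)
```

Running it reproduces the poster's dilemma: the current layout passes the commit check but fails the IKE re-route rule, and moving lo0.1 into untrust flips the situation, because lo0.1 stays in vr1 while the other untrust interfaces are in the master instance. Any layout that satisfies both rules must put the IKE external interface and the egress interface in one zone and one routing instance; the script can be pointed at a proposed layout to confirm that before committing it.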