SRX

I configured 2 ipsec vpn tunnels to AWS. Bofh tunnels are UP, but there's a problem with communicating with hosts in AWS:

After enabling traceoptions I see errors:

CID-1:RT:'external-interface'(lo0.1) and 'routing-interface'(ge-5/0/12.0) belong to different zones. Re-route failed, pkt dropped.

My current configuration indeed put lo0.1 in different routing-instance (vr1) and different security zone (vpn-aws) than ge-5/0/12.0 which is current interface to reaach the Internet on master routing-instance and in untrust zone.

root@SRX1# show security zones security-zone untrust    
host-inbound-traffic {
    system-services {
        ping;
    }
    protocols {
        bgp;
    }
}
interfaces {
    ge-0/0/12.0;
    ge-5/0/12.0;
}

{primary:node0}[edit]
root@SRX1# show security zones security-zone vpn-aws    
host-inbound-traffic {
    system-services {
        ike;
        ping;
    }
}
interfaces {
    st0.2;
    st0.1;
    lo0.1;
}

root@SRX1# show routing-instances 
vr1 {
    instance-type virtual-router;
    interface lo0.1;
    interface st0.1;
    interface st0.2;
    routing-options {
        static {
            route 10.1.0.0/16 next-hop [ st0.1 st0.2 ];
        }
     }
}

I tried to move interface lo0.1 from security-zone vpn-aws to untrust to resolve the issue, but it's not possible:

[edit security zones security-zone untrust]
  'interfaces lo0.1'
    Interface lo0.1 must be in the same routing instance as other interfaces in the zone
error: configuration check-out failed

So I have no idea what to do. I can't have bofh interfaces in different security zones, but in the same time I can't have bofh interfaces in the same security zone because of using different routing instances.

It is an expected behavior. If the loopback interface was chosen as the external interface in the IKE gateway, the interface had to be in the same zone as the outgoing interface. Otherwise, packets were dropped because the packets could not be routed.

Why do you want lo0.1 as external interface? is its ip address configured as peer ip in AWS?
If yes, try "local-address <ip-address of lo0.1> " in ike configuration and configure external interface as ge-5/0/12

Thank you for your reply.

Yes, lo0.1 has the IP address used as a peer for AWS-VPN and it's used as external-interface in IKE configuration.

We have BGP multi-homing here, so  ge-5/0/12 or  ge-0/0/12 can be external interface depenending on bgp routing.

What should I do in that situation?

Can't you assign the IP to lo0.0 interface?

Hi Gabriel,

This KB addresses your issue - https://kb.juniper.net/InfoCenter/index?page=content&id=KB22129

Loopback and external interface need to be in same routing-instance and zone.

You can have everything in the default routing-instance inet.0. Is there any reason for using a seperate routing-instance?

Default route from ISPs should not conflict with the specfic route to the st0.0/st0.1

delete routing-instances vr1
set routing-options static route 10.1.0.0/16 next-hop st0.0
set routing-options static route 10.1.0.0/16 next-hop st0.1
delete security zone security-zone vpn-aws interfaces lo0.1
set security zone security-zone untrust interfaces lo0.1

Regards,

Nelumbo

Nelumbo,

In a chassis cluster deployment, it is possible to have only lo0.0 in single / main routing instance.

My lo0.0 was already taken, so lo0.1 had to be configured somewhere else.

Anyway, I freed lo0.0 and used it at the end, because I couldn't resolve the problem an a different way.