
Order - Removing SRX Route Based VPN Config

  • 1.  Order - Removing SRX Route Based VPN Config

    Posted 05-14-2019 08:27

    Hello all,


    I've done a bit of research and I see conflicting answers and solutions to this activity, so I figured I'd ask again.


    I'm looking for the correct formation when removing a full-blown SRX VPN config.  Some solutions advise removing the config starting from Phase 1/2, Routes, Zones, and then Interfaces.  Other solutions recommend the opposite: remove the bindings, interfaces, zones, routes and then the Phase 1/2 configs.


    Does anyone have the correct order without causing issues when commit checking?


    My full config is sectioned and consists of:

    Tunnel Interfaces (st0) Unit Inet Config

    IKE & IPSEC Proposals/Policies/Gateways

    Security Zones Defined

    Routing Instances (VRF) - Static Routes





  • 2.  RE: Order - Removing SRX Route Based VPN Config
    Best Answer

    Posted 05-14-2019 09:13

    Hello J,


    This can be thought of in terms of dependencies of one configuration part on the other. In JunOS, you will not be able to remove a section that is referred to in other parts of the configuration.


    Let's take a look at the sections in your configuration and try to identify the reference points:


    1. Tunnel Interfaces (st0) Unit Inet Config 

    =>  It does NOT refer to any other section. Therefore, deleting other sections has NO impact on this section. But it may have been referred to in "security ipsec vpn", routing-options and security zones.


    2. a) IKE (Proposals/Policies/Gateways)

    => IKE refers to the external-interface name in the gateway. Other than that, the Gateway refers to the IKE policy and the IKE policy refers to IKE Proposals.

     b) IPSEC (Proposals/Policies/VPN)

    => The IPSEC vpn hierarchy refers to the st0 interface and the ike gateway.  The Policy/Proposal hierarchies have the same references as IKE.


    3. Security Zones Defined

    => Security zones are generally referred to in security policies and NAT rules.


    4. Routing Instances (VRF) - Static Routes 


    => Routing-Instances and their static routes refer to interfaces (like st0.0) or a next-hop. But they are not referred to in any other configuration parts. Therefore deleting them should be one of the easiest things, but note that it will change the routing table on the device.



    Based on the above understanding, I would consider the following:


    - Delete IKE/IPSEC as they are NOT referred to anywhere else. If you are deleting one stanza at a time and committing, start in the following order:

    •   Delete the IPSEC VPN first.
    •   Delete the IKE gateway second.
    •   You can delete the rest of the IKE/IPSEC at your will, as without the VPN/Gateway combination the VPN is already down.

    - Delete the Routing-instances/static routes (referencing the st0 interface).

    - Delete the security zone along with any policies and NAT rules referring to this security zone.

    - Delete the st0 interface. (Assuming all the VPNs referring to this one are deleted.)



    Hopefully I have not missed any section which you wanted to delete.
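The deletion order from the answer above, written out as one pass in the Junos CLI. This is an added example, not part of the original thread or of any Juniper documentation. All object names (VPN-A, GW-A, IKE-POL-A, IKE-PROP-A, IPSEC-POL-A, IPSEC-PROP-A, the routing instance VR-A, the zone vpn-zone, the unit st0.0 and the prefix 10.20.0.0/24) are constructed placeholders; the `#` lines are explanatory comments, not commands. The point of the sequence is that every stanza is deleted only after everything that refers to it is already gone, and `commit check` after each step confirms no dangling reference remains before anything is committed.

```junos
# Added example; placeholder names, substitute your own from "show configuration".

# 0. Operational mode: list every stanza that still refers to the objects you
#    intend to remove, so nothing is left pointing at a deleted name.
show configuration | display set | match "st0.0|VPN-A|GW-A|vpn-zone"

configure

# 1. IPsec VPN first. It refers to st0.0 and to the IKE gateway; nothing
#    refers to it, so it can be removed cleanly.
delete security ipsec vpn VPN-A
commit check

# 2. IKE gateway next (only the VPN just removed referred to it), then the
#    policies and proposals the gateway and VPN referenced.
delete security ike gateway GW-A
delete security ike policy IKE-POL-A
delete security ike proposal IKE-PROP-A
delete security ipsec policy IPSEC-POL-A
delete security ipsec proposal IPSEC-PROP-A
commit check

# 3. Static routes in the routing instance that point at st0.0. This changes
#    the routing table, so review the instance before deleting from it.
show routing-instances VR-A
delete routing-instances VR-A routing-options static route 10.20.0.0/24
commit check

# 4. Security policies (and any NAT rule-sets) that name the zone, then the
#    zone itself, which is where st0.0 is bound as a zone interface.
delete security policies from-zone trust to-zone vpn-zone
delete security policies from-zone vpn-zone to-zone trust
delete security zones security-zone vpn-zone
commit check

# 5. The tunnel interface last, now that no stanza references it.
delete interfaces st0 unit 0
commit check

# Review the whole diff once, then commit.
show | compare
commit and-quit
```

If you prefer to commit after every step rather than once at the end, the same `commit check` points are where a leftover reference will surface; the failing step tells you which stanza still names the object, and the `match` search at the top finds it.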




  • 3.  RE: Order - Removing SRX Route Based VPN Config

    Posted 05-14-2019 12:25

    That was a perfect breakdown and helped immensely, thank you.