I've done a bit of research and I see conflicting answers and solutions to this activity, so I figured I'd ask again.
I'm looking for the correct order when removing a full-blown SRX VPN config. Some solutions advise removing the config starting from Phase 1/2, Routes, Zones, and then Interfaces. Other solutions recommend the opposite: remove the bindings, interfaces, zones, routes and then the Phase 1/2 configs.
Does anyone have the correct order without causing issues when commit checking?
My full config is sectioned and consists of:
Tunnel Interfaces (st0) Unit Inet Config
IKE & IPSEC Proposals/Policies/Gateways
Security Zones Defined
Routing Instances (VRF) - Static Routes
This can be thought of in terms of dependencies of one configuration part on another. In Junos, you will not be able to remove a section that is referred to in other parts of the configuration.
Let's take a look at the sections in your configuration and try to identify the reference points:
1. Tunnel Interfaces (st0) Unit Inet Config
=> It does NOT refer to any other section. Therefore, deleting other sections has NO impact on this section. But it may be referred to in "security ipsec vpn", routing-options and security zones.
2. a ) IKE (Proposals/Policies/Gateways )
=> IKE refers to the external-interface name in the gateway. Other than that, the Gateway refers to the IKE policy and the IKE policy refers to the IKE proposals.
b ) IPSEC (Proposals/Policies/VPN)
=> The IPsec vpn hierarchy refers to the st0 interface and the IKE gateway. The Policy/Proposal hierarchies have the same references as IKE.
3. Security Zones Defined
=> Security zones are generally referred to in security policies and NAT rules.
4. Routing Instances (VRF) - Static Routes
=> Routing instances and their static routes refer to interfaces (like st0.0) or a next-hop. But they are not referred to in any other configuration parts. Therefore deleting them should be one of the easiest things, but note that it will change the routing table on the device.
Based on the above understanding, I would consider the following:
- Delete IKE/IPsec, as they are NOT referred to anywhere else. If you are deleting one stanza at a time and committing, start in the following order:
- Delete the routing instances/static routes (referencing the st0 interface).
- Delete the security zone along with any policies and NAT rules referring to this security zone.
- Delete the st0 interface. (Assuming all the VPNs referring to this one are deleted.)
Hopefully I have not missed any section which you wanted to delete.
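The dependency order described in the answer above, written out as a Junos CLI session. This is an added example, not part of the original thread: the configuration is constructed so the references are visible, and every name in it (VPN1, GW1, the IKE/IPsec policy and proposal names, zone VPN, routing instance VPN-VR, ge-0/0/0.0 and the addresses) is an assumption. Lines beginning with `##` are annotations, not CLI input.

```junos
## Constructed site-to-site VPN config in set format. Each line that names
## another object is a reference; the object on the right must outlive the
## one on the left when you commit between deletions.
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike policy IKE-POL proposals IKE-PROP
set security ike gateway GW1 ike-policy IKE-POL
set security ike gateway GW1 address 203.0.113.10
set security ike gateway GW1 external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN1 bind-interface st0.0
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security zones security-zone VPN interfaces st0.0
set security policies from-zone trust to-zone VPN policy ALLOW-VPN match source-address any
set security policies from-zone trust to-zone VPN policy ALLOW-VPN match destination-address any
set security policies from-zone trust to-zone VPN policy ALLOW-VPN match application any
set security policies from-zone trust to-zone VPN policy ALLOW-VPN then permit
set routing-instances VPN-VR instance-type virtual-router
set routing-instances VPN-VR interface st0.0
set routing-instances VPN-VR routing-options static route 10.20.0.0/16 next-hop st0.0

## Step 0: before deleting anything, list every stanza that still references
## the objects you are about to remove (st0.0, the VPN, the gateway, the zone,
## the routing instance). Anything this prints must go first.
[edit]
user@srx# show | display set | match "st0.0|VPN1|GW1|security-zone VPN|VPN-VR"

## Step 1: IKE/IPsec. Nothing else refers to these, so they go first.
## Inside the hierarchy, delete the referrer before the referent:
## vpn -> ipsec policy -> ipsec proposal, gateway -> ike policy -> ike proposal.
user@srx# delete security ipsec vpn VPN1
user@srx# delete security ipsec policy IPSEC-POL
user@srx# delete security ipsec proposal IPSEC-PROP
user@srx# delete security ike gateway GW1
user@srx# delete security ike policy IKE-POL
user@srx# delete security ike proposal IKE-PROP
user@srx# commit check

## Step 2: routing instance and its static routes (they reference st0.0).
user@srx# delete routing-instances VPN-VR
user@srx# commit check

## Step 3: the zone, together with the policies (and any NAT rules) that
## name it. Policies reference the zone, so they go before the zone.
user@srx# delete security policies from-zone trust to-zone VPN
user@srx# delete security zones security-zone VPN
user@srx# commit check

## Step 4: the tunnel interface, now that no VPN, zone or route refers to it.
user@srx# delete interfaces st0 unit 0
user@srx# commit check
user@srx# commit comment "remove VPN1 site-to-site VPN"
```

Two practical notes. Junos validates the candidate configuration as a whole at commit time, not the sequence of commands you typed, so if you issue every `delete` above and then commit once, the order inside that single commit does not matter; the order only matters when you commit (or `commit check`) between steps, which is exactly the case the answer addresses. If a `commit check` fails because something still points at an object you removed, `rollback 0` discards the candidate changes and the Step 0 search will show you the stanza you missed. Finally, if `st0` carries other units or the zone is shared with other tunnels, delete only the unit, policies and routes that belong to the VPN being removed rather than the whole hierarchy.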
That was a perfect breakdown and helped immensely, thank you.