SRX


Adding a second local subnet to route based VPN

  • 1.  Adding a second local subnet to route based VPN

    Posted 09-25-2019 01:25

    Hello,

    I've been tasked with setting up an IPSec tunnel to our new cloud VM service from one of our remote sites where we have an older Juniper SRX firewall. This is really my first time ever configuring a Juniper firewall, so I'm a bit lost in the CLI and details of it all and figured I might find help here.

    Anyway, as I've tried to describe in the attached image, our remote site X needs a tunnel for our subnets to our cloud service Y. Specifically the subnets on logical interfaces A and C on X to D on Y.

    I have successfully set up a route based VPN on interface st0.1 that currently allows traffic between A and D, but I'm a bit stumped as to how I can get traffic between C and D as well. I had hoped it would be as simple as expanding the trust-to-VPN zone security policy address entries from A to [A C], but I guess something else is required?

    If it is relevant, c.c.c.c/c is already routed to a separate VPN to a third party site Z on interface st0.0, and both A and C are routed to a separate physical device that provides a tunnel to a fourth site ZZ. These configurations need to stay.

    A, B and C are all part of the trust zone, st0.0 and st0.1 each belong to separate VPN zones. There is a further smattering of interfaces and subnets, but I hope they shouldn't be relevant for this.

    [Attached image: Routing overview]



  • 2.  RE: Adding a second local subnet to route based VPN
    Best Answer

    Posted 09-25-2019 01:38
    Hi,

    If you are using the 12.3 code on the SRX, then you could use the link below to add the second LAN subnet.
    It's called traffic selector; however, if you are running even older code, then you need to configure another IPsec VPN and bind another st0 interface to it, with all the phase 1 and phase 2 parameters the same.

    For traffic selector:
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28820&actp=METADATA

    For older code:
    You need to configure proxy-identities in 2 separate IPsec VPNs.

    Example:
    vpn ike-vpn-srx1_a {
        bind-interface st0.1;
        ike {
            gateway gw-srx1;
            proxy-identity {
                local 10.10.10.0/24;
                remote 192.168.1.0/24;
            }
            ipsec-policy ipsec_pol;
        }
    }

    vpn ike-vpn-srx1_b {
        bind-interface st0.2;
        ike {
            gateway gw-srx1;
            proxy-identity {
                local 10.10.20.0/24;
                remote 192.168.1.0/24;
            }
            ipsec-policy ipsec_pol;
        }
    }

    All the rest of the configuration for phase 1 and phase 2 remains the same. The second st0 needs to be in the same zone as the first st0; in the above case, st0.1 and st0.2.


    Hope this helps.



    Thanks and Regards,
    Guru Prasad
    J/SRX Advance Tac
    Working hours: Monday to Friday (10:30 AM +05:30 to 18:30 PM +05:30)





  • 3.  RE: Adding a second local subnet to route based VPN

    Posted 09-25-2019 03:28

    Thank you, that helped a lot.

    We are using an older version, but the second method did establish a working phase-2 SA.

    However, while there is traffic, it does not seem to be passed on to the specified subnet. I.e., if I attempt to ping a device on the local subnet from a device in the cloud, I can see the "Decrypted packets" counter ticking up in the statistics for the SA, but I receive no reply.

    I tried setting up separate security policies for traffic between the zones instead of expanding the existing ones, but that unfortunately didn't help.

    Any suggestions?



  • 4.  RE: Adding a second local subnet to route based VPN

    Posted 09-26-2019 10:13

    This will need the use of security flow traceoptions to get more details on this one-way communication.



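The two-VPN layout from the best answer above and the one-way symptom reported after it (decrypted packets counted, no reply) can be checked against the device configuration before reaching for flow traceoptions. The script below is an added example, not part of this thread and not Juniper tooling; it parses a constructed set-style snippet (the st0 units, zone name vpn-cloud, VPN names, gateway and subnets are assumptions modelled on the answer's example) and reports the conditions that leave decrypted packets unanswered: a bind-interface outside any security zone, bind-interfaces split across zones, a remote subnet with no route, and a remote subnet whose route points at a different st0 unit than the VPN whose proxy-identity covers the replying local subnet. The thread itself does not establish the cause of the reported symptom; the last check simply applies destination-based routing, under which a single static route for the remote prefix sends replies from both local subnets through the same st0 unit.

```python
"""Consistency checks for a multi-subnet route-based SRX VPN (set-style config).

Added example, not from the thread: parses a constructed snippet in the
shape of 'show configuration | display set' output and reports conditions
that produce one-way traffic across the tunnel.
"""
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the answer's two-VPN layout. The single
# static route is what an admin would carry over from a one-subnet tunnel.
TWO_VPN_CONFIG = """
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn-cloud interfaces st0.1
set security zones security-zone vpn-cloud interfaces st0.2
set security ipsec vpn ike-vpn-srx1_a bind-interface st0.1
set security ipsec vpn ike-vpn-srx1_a ike gateway gw-srx1
set security ipsec vpn ike-vpn-srx1_a ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-srx1_a ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn ike-vpn-srx1_a ike ipsec-policy ipsec_pol
set security ipsec vpn ike-vpn-srx1_b bind-interface st0.2
set security ipsec vpn ike-vpn-srx1_b ike gateway gw-srx1
set security ipsec vpn ike-vpn-srx1_b ike proxy-identity local 10.10.20.0/24
set security ipsec vpn ike-vpn-srx1_b ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn ike-vpn-srx1_b ike ipsec-policy ipsec_pol
set routing-options static route 192.168.1.0/24 next-hop st0.1
"""

# Constructed single-subnet baseline: one VPN, one st0 unit, one route.
SINGLE_VPN_CONFIG = """
set interfaces st0 unit 1 family inet
set security zones security-zone vpn-cloud interfaces st0.1
set security ipsec vpn ike-vpn-srx1_a bind-interface st0.1
set security ipsec vpn ike-vpn-srx1_a ike proxy-identity local 10.10.10.0/24
set security ipsec vpn ike-vpn-srx1_a ike proxy-identity remote 192.168.1.0/24
set routing-options static route 192.168.1.0/24 next-hop st0.1
"""


def parse_set_config(text):
    """Extract VPN bindings, zone membership and static routes from set lines."""
    vpns = defaultdict(dict)   # vpn name -> {"bind", "local", "remote"}
    zone_of = {}               # interface unit -> zone name
    routes = {}                # ip_network -> next-hop interface
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 7:
            continue
        if tok[:4] == ["set", "security", "ipsec", "vpn"]:
            name = tok[4]
            if tok[5] == "bind-interface":
                vpns[name]["bind"] = tok[6]
            elif tok[5:7] == ["ike", "proxy-identity"] and len(tok) >= 9:
                vpns[name][tok[7]] = ipaddress.ip_network(tok[8])
        elif tok[:4] == ["set", "security", "zones", "security-zone"] and tok[5] == "interfaces":
            zone_of[tok[6]] = tok[4]
        elif tok[:4] == ["set", "routing-options", "static", "route"] and tok[5] == "next-hop":
            routes[ipaddress.ip_network(tok[4])] = tok[6]
    return vpns, zone_of, routes


def lookup_route(routes, prefix):
    """Longest-prefix match: the next-hop the box would use for replies to prefix."""
    covering = [r for r in routes if r.supernet_of(prefix)]
    return routes[max(covering, key=lambda r: r.prefixlen)] if covering else None


def check_config(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    vpns, zone_of, routes = parse_set_config(text)
    findings, zones = [], set()
    for name, v in vpns.items():
        zone = zone_of.get(v["bind"])
        if zone is None:
            findings.append(f"{name}: {v['bind']} is not in any security zone")
        else:
            zones.add(zone)
    if len(zones) > 1:
        findings.append(f"bind-interfaces span zones {sorted(zones)}; policies must cover each")
    for name, v in vpns.items():
        nh = lookup_route(routes, v["remote"])
        if nh is None:
            findings.append(f"{name}: no route for {v['remote']}; replies from {v['local']} have no path")
        elif nh != v["bind"]:
            findings.append(
                f"{name}: replies from {v['local']} to {v['remote']} are routed via {nh}, not "
                f"{v['bind']}, so they enter an SA whose proxy-identity does not cover "
                f"{v['local']}; a peer that enforces selectors drops them (one-way traffic)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("single", SINGLE_VPN_CONFIG), ("two-vpn", TWO_VPN_CONFIG)):
        print(f"{label}: {check_config(cfg) or 'no findings'}")
```

On the two-VPN sample the checker reports one finding, for ike-vpn-srx1_b: its replies from 10.10.20.0/24 are routed into st0.1. The traffic-selector feature linked in the answer sidesteps this because each selector gets its own route; on older code the operator has to make sure replies from each local subnet reach the st0 unit of the SA negotiated for it, which is exactly what security flow traceoptions would show packet by packet.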

  • 5.  RE: Adding a second local subnet to route based VPN

    Posted 09-26-2019 14:29

    We ended up switching to a policy-based VPN, and got that working for both subnets.

    Thanks for the help.