SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  RRI, reverse route insertion, ARI

    Posted 10-09-2018 22:30
    I have questions about ARI/RRI. First, does the SRX series utilize RRI as ARI? It's my understanding that ARI is normal traffic flow.
    Another question, RRI contains an exception,
    so does this have anything to do with the default route as well? I.e. source and destination rules?

    The exception is this...

    No routes are added if the accepted remote proxy address is the default (0.0.0.0/0). In this case, you can run routing protocols over the tunnel to learn routes and add static routes for the traffic you want to be protected over this tunnel.

    The only place I've specified 0::0/0 and 0.0.0.0/0 is in the nat source rules. Not the remote proxy addressing.

    Can I take advantage of RRI ?

    I have a couple of ASUS APs that can't seem to do without tunneling. I disabled Teredo junk in Windows but may re-enable it.

    All comments and replies are greatly appreciated.


  • 2.  RE: RRI, reverse route insertion, ARI

    Posted 10-10-2018 01:08

    Hello,

    Juniper SRX supports ARI with traffic selectors, if that's your question.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ipsec-vpn-auto-route-insertion-understanding.html

    HTH

    Thx

    Alex



  • 3.  RE: RRI, reverse route insertion, ARI
    Best Answer

    Posted 10-10-2018 07:47

    Hi Eugene,

    ARI (Auto Route Insertion) in Juniper is the same as Reverse Route Injection (RRI) in Cisco.

    In Juniper, ARI will populate your routing table with static routes in order to reach remote subnets over the tunnel. These remote subnets will be taken from the "remote-ip" configured under the "traffic-selector" configuration stanza for a specific VPN tunnel. These remote subnets also represent the remote proxy-IDs of that tunnel. The following document will better explain traffic selectors in VPNs:


    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html


    As of now I haven't seen a traffic-selector using a 0/0 prefix; however, the documentation states that this will no longer be supported (at least for "remote-ip", which ends up installing a 0/0 route via the VPN in the SRX's routing table):


    A remote address of 0.0.0.0/0 (IPv4) or 0::0 (IPv6) for site-to-site VPNs

    Starting with Junos OS Release 15.1X49-D140, on all SRX Series devices and vSRX instances, when you configure the traffic-selector with a remote address of 0::0 (IPv6), the following “error: configuration check-out failed” message is displayed when performing the commit and the configuration checkout fails.


    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-traffic-selectors-in-route-based-vpns.html


    If you are using a route-based VPN on the SRX side, then yes, you could configure dynamic routing protocols over the VPN and learn/share routes with the remote peers.


    Now, I am unsure about what you are looking for in this part:


    "Can I take advantage of RRI ?

    I have a couple of ASUS AP's that can't seem to do without tunneling. I disabled teredo junk in windows but may reenable it."


    Are you trying to set up dynamic VPN tunnels against the SRX from those ASUS Access Points? What does Teredo have to do with the SRX? Is it being run on the Access Points?

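    As an added example (not posted by anyone in this thread, and not taken from the Juniper documentation linked above), here is a minimal route-based VPN on the SRX side with two traffic selectors, followed by the operational commands used to confirm that ARI has installed the remote prefixes. The gateway, VPN and traffic-selector names, the peer address 203.0.113.2, the interfaces and the 10.x prefixes are assumptions for illustration only; the pre-shared key is a placeholder.

    ```junos
    ## IKEv2 gateway. Peer address, external interface and PSK are placeholders.
    set security ike proposal ike-prop authentication-method pre-shared-keys
    set security ike proposal ike-prop dh-group group14
    set security ike proposal ike-prop authentication-algorithm sha-256
    set security ike proposal ike-prop encryption-algorithm aes-256-cbc
    set security ike policy ike-pol proposals ike-prop
    set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-A-STRONG-PSK"
    set security ike gateway gw-branch ike-policy ike-pol
    set security ike gateway gw-branch address 203.0.113.2
    set security ike gateway gw-branch external-interface ge-0/0/0.0
    set security ike gateway gw-branch version v2-only

    ## IPsec SA parameters.
    set security ipsec proposal ipsec-prop protocol esp
    set security ipsec proposal ipsec-prop encryption-algorithm aes-256-gcm
    set security ipsec policy ipsec-pol proposals ipsec-prop

    ## Route-based VPN bound to st0.0. Each traffic selector is one proxy-ID pair;
    ## the remote-ip of each selector is what ARI installs as a static route via st0.0.
    ## No "set routing-options static route 10.2.x.0/24 ..." is configured by hand.
    set security ipsec vpn vpn-branch bind-interface st0.0
    set security ipsec vpn vpn-branch ike gateway gw-branch
    set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol
    set security ipsec vpn vpn-branch traffic-selector ts-a local-ip 10.1.0.0/16
    set security ipsec vpn vpn-branch traffic-selector ts-a remote-ip 10.2.10.0/24
    set security ipsec vpn vpn-branch traffic-selector ts-b local-ip 10.1.0.0/16
    set security ipsec vpn vpn-branch traffic-selector ts-b remote-ip 10.2.20.0/24
    set security ipsec vpn vpn-branch establish-tunnels immediately

    ## Tunnel interface and its zone. Zone policies between "trust" and "vpn" are
    ## still required; ARI only supplies the routes, not the permission to forward.
    set interfaces st0 unit 0 family inet
    set security zones security-zone vpn interfaces st0.0

    ## Operational checks after commit (run from the CLI, not configuration mode):
    ##   show security ipsec security-associations
    ##   show security ipsec traffic-selector interface-name st0.0
    ##   show route 10.2.10.0/24
    ## The last command should show 10.2.10.0/24 as a Static route (preference 5)
    ## with st0.0 as the next hop once the SA for ts-a is up.
    ```

    Two caveats worth checking in the output. First, the route that appears is derived from the traffic selector actually negotiated with the peer, so if the peer's proxy-ID is narrower than the configured remote-ip, check `show security ipsec traffic-selector` rather than assuming the configured prefix was installed. Second, per the exception quoted in the post above, a remote-ip of 0.0.0.0/0 installs no route at all (and on the releases the documentation names, an IPv6 0::0 remote address fails the commit check), so a default route toward the tunnel has to come from a routing protocol over st0.0 or from an explicit static route, never from ARI.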

  • 4.  RE: RRI, reverse route insertion, ARI

    Posted 10-10-2018 15:00
    I have elected to turn off any tunneling in my network at present. My locale houses electricity that seems not always fit for certain functions of a gateway, i.e. single-phase electricity and oddly configured ground switching stations. VPN seems a bit anomalous here. I did not try using RRI, and that may have straightened out the ASUS wireless APs on the SRX. I turned off all tunneling on the APs. My network now runs very well.

    My conclusion is that if you want to use VPN you might want to get a separate SRX for the task. I haven't enabled IPsec, L2TP or PPTP on the SRX for it, but my resources are all used up anyway.

    My take is that VPN on a small network, using the three protocols is too resource consuming. A large scale network is where these tools would be more useful.

    Further comments and objective points are welcome.

    eugene73,
    B S.C.M. Engineering Graduate.
    Construction, ITT Tech Alumni
    A.A.S. Drafting, Design, ITT Tech.