SRX

Hi,

Got a site to site VPN (route based) running between 2 x 4100 SRX.

My issue is relying on static routes to connect the site. Effectively we’re linking network A and B together; but there is a backup route in both networks to get to each other should this vpn drop. So using static routes to guide traffic down the VPN is turning out to be a pain.

How can I add OSPF into these tunnels, so when they establish it advertises the other sites addresses in OSPF ... and if the vpn fails it doesn’t form OSPF adjacency and drops the routes? This would then allow our backup route to kick in ...

Thanks

Hi Oban3jimmy,

 

Please try this:

 

protocols {
    ospf {
        enable;
        area 0.0.0.0 {
            interface st0.0 {
                metric 10;
                priority 1;
                retransmit-interval 5;
                transit-delay 1;
                hello-interval 10;
                flood-reduction;
                poll-interval 5;
            }
        }
    }
}

Please find a couple of useful links related to the same:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB19472&actp=RSS
https://kb.juniper.net/InfoCenter/index?page=content&id=KB22392&cat=J_SERIES&actp=LIST

 

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Please follow these steps:

> Allow ospf in host-inbound-taffic on st0 security zone
> Enable OSPF on st0 interface
> Advertise local networks A & B via OSPF
> Increase the preference (AD) of backup static route higher than ospf route preference (AD)

 

Thanks ... still not putting ST0.0 into OSPF.

Maybe easier if I tell you the setup:

Site A:
interface xe0/0/1.0 - 10.1.1.1/30
st0.0 - 1.1.1.1

Sites linked together via a layer 2 connection.

Site B:
interface xe0/0/1.0 - 10.1.1.2/30
st0.0 - 2.2.2.2

Both interfaces in a new zone with OSPF and IKE enabled. Do these need to be completely separate zones? So your physical interface in one zone and st0.0 interface in another?

Does the layer 2 connection complicate things? Is this causing the interface to take priority every time over the ST0.0 interface?

I have taken the physical interface out of OSPF and the sites stop talking ...

Thanks

Maybe there’s a simpler way to encrypt everything between those interfaces? That’s all I’m trying to achieve in reality ... it’s a simple layer 2 connection and I’m trying to make sure all traffic that passes it is encrypted ...

thanks for the details on the vpn.  The layer 2 interfaces don't complicate things but you do need to think about them differently.  Forget they are layer 2 connected and treat them as if they are each connected to an ISP and not part of your internal network.

 

---Gateway Interfaces

• So the xe-0/0/1.0 interfaces are untrusted ISP links
• configured as the vpn gateway interfaces
• Do NOT add them to OSPF at all

 

---Tunnel interfaces

• st0.0 interfaces should be assigned to the same subnet link as if they are layer 2 adjacent because once the vpn establishes they are. 
• Assign an rfc1918 /30 for use by these links.
• Put the st0.0 intefaces into ospf as point to point interfaces
• they will form neighbors and exchange routes

 

---LAN subnets

• For the LAN segments on both sides you will need to add these to OSPF
• Add each LAN gateway interface as a passive interface into OSPF
• This will allow that subnet to be advertised to the other site via OSPF

---Secondary connection

• add the secondary connection interfaces on each side also into OSPF as point to point interfaces
• assign an OSPF metric 200 to the backup link on both sides.  This will make the link less preferred and only kick in when the primary neighbor is lost.

 

 

Thanks so much

That worked perfectly 🙂