
multiple GRE tunnels?

  • 1.  multiple GRE tunnels?

    Posted 05-11-2021 20:26
    I'm trying to connect two offices, one local and one remote, over a GRE tunnel (or two if needed), with SRX-220s on both ends.

    I want one subnet in the local office, zone trust 10.1.10.0/24, to be able to see the remote trust zone 10.1.100.0/24 over a tunnel.

    I want a second subnet in the local office, zone 200traffic 100.64.200.0/24, to see the remote trust zone 201traffic 100.64.201.0/24 over a tunnel.

    I have configured both SRX-220s, but I'm not sure whether I need one GRE tunnel or two. I'm trying to adapt this example: https://kb.juniper.net/InfoCenter/index?page=content&id=KB19371

    Here's my configuration on local office:

    set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
    set interfaces ge-0/0/1 unit 0 family inet address 10.1.10.31/24
    set interfaces gr-0/0/1 unit 0 tunnel source 1.2.3.4
    set interfaces gr-0/0/1 unit 0 tunnel destination 5.6.7.8
    set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.1/29
    set interfaces ge-0/0/2 description vlan200traffic
    set interfaces ge-0/0/2 unit 0 family inet address 100.64.200.2/24
    set interfaces gr-0/0/2 unit 0 tunnel source 1.2.3.4
    set interfaces gr-0/0/2 unit 0 tunnel destination 5.6.7.8
    set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.2/32
    set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
    set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
    set routing-options static route 100.64.201.0/24 next-hop 192.168.1.4
    set security nat source rule-set mgmt-to-untrust from zone mgmt
    set security nat source rule-set mgmt-to-untrust to zone untrust
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match source-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust then source-nat interface
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match source-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match destination-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match application any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust then permit
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match source-address any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match destination-address any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match application any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic then permit
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match source-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match destination-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match application any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt then permit
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match source-address any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match destination-address any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match application any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust then permit
    set security zones security-zone mgmt host-inbound-traffic system-services all
    set security zones security-zone mgmt interfaces ge-0/0/1.0
    set security zones security-zone mgmt interfaces gr-0/0/1.0
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone 200traffic host-inbound-traffic system-services all
    set security zones security-zone 200traffic interfaces ge-0/0/2.0
    set security zones security-zone 200traffic interfaces gr-0/0/2.0


    And my remote office:

    set interfaces ge-0/0/0 unit 0 family inet address 5.6.7.8/29
    set interfaces ge-0/0/1 unit 0 family inet address 10.1.100.41/24
    set interfaces gr-0/0/1 unit 0 tunnel source 5.6.7.8
    set interfaces gr-0/0/1 unit 0 tunnel destination 1.2.3.4
    set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.3/29
    set interfaces ge-0/0/2 unit 0 family inet address 100.64.201.5/24
    set interfaces gr-0/0/2 unit 0 tunnel source 5.6.7.8
    set interfaces gr-0/0/2 unit 0 tunnel destination 1.2.3.4
    set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.4/29
    set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
    set routing-options static route 100.64.200.0/24 next-hop 192.168.1.1
    set routing-options static route 0.0.0.0/0 next-hop 5.6.7.4
    set security nat source rule-set mgmt-to-untrust from zone mgmt
    set security nat source rule-set mgmt-to-untrust to zone untrust
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match source-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust then source-nat interface
    set security nat source rule-set 201traffic-to-untrust from zone 201traffic
    set security nat source rule-set 201traffic-to-untrust to zone untrust
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match source-address 0.0.0.0/0
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust then source-nat interface
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match source-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match destination-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match application any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt then permit
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match source-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match destination-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match application any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust then permit
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match source-address any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match destination-address any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match application any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust then permit
    set security zones security-zone mgmt host-inbound-traffic system-services ping
    set security zones security-zone mgmt host-inbound-traffic system-services ssh
    set security zones security-zone mgmt host-inbound-traffic system-services http
    set security zones security-zone mgmt host-inbound-traffic system-services https
    set security zones security-zone mgmt interfaces ge-0/0/1.0
    set security zones security-zone mgmt interfaces gr-0/0/1.0
    set security zones security-zone 201traffic host-inbound-traffic system-services ping
    set security zones security-zone 201traffic interfaces ge-0/0/2.0
    set security zones security-zone 201traffic interfaces gr-0/0/2.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/0.0


    What am I missing? When I show the gr interfaces I only get gr-0/0/0 (but I configured gr-0/0/1 and gr-0/0/2), which shows:

    root@remote1> show interfaces gr-0/0/0 terse 
    Interface               Admin Link Proto    Local                 Remote
    gr-0/0/0                up    up 
    
    root@remote1> show interfaces gr-0/0/0   
    Physical interface: gr-0/0/0, Enabled, Physical link is Up
      Interface index: 143, SNMP ifIndex: 522
      Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
      Link flags     : Scheduler Keepalives DTE
      Device flags   : Present Running
      Interface flags: Point-To-Point
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)

    The local router shows similar output.



  • 2.  RE: multiple GRE tunnels?

    Posted 05-12-2021 05:36
    You will only need one GRE tunnel for your application.  Once the tunnel is in place you set the routing into the tunnel on each side per the KB and all will be good.

    My recollection is that for multiple tunnels to work you will need to assign different ip addresses for the source and destination endpoints.  This allows the tunnels to come up and be separate.

    But for this application that would not be needed.  I've only seen that approach done where one side has virtual router separation needs.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: multiple GRE tunnels?

    Posted 05-13-2021 13:01
    I changed my configuration to:

    local:

    set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
    set interfaces gr-0/0/0 unit 0 tunnel source 1.2.3.4
    set interfaces gr-0/0/0 unit 0 tunnel destination 5.6.7.8
    set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.1/29
    set interfaces ge-0/0/1 unit 0 family inet address 10.1.10.31/24
    set interfaces ge-0/0/2 description vlan200traffic
    set interfaces ge-0/0/2 unit 0 family inet address 100.64.200.2/24
    set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
    set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
    set routing-options static route 100.64.201.0/24 next-hop 192.168.1.4
    set security nat source rule-set mgmt-to-untrust from zone mgmt
    set security nat source rule-set mgmt-to-untrust to zone untrust
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match source-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set mgmt-to-untrust rule mgmt-untrust then source-nat interface
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match source-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match destination-address any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match application any
    set security policies from-zone mgmt to-zone untrust policy mgmt-untrust then permit
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match source-address any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match destination-address any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match application any
    set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic then permit
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match source-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match destination-address any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match application any
    set security policies from-zone untrust to-zone mgmt policy untrust-mgmt then permit
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match source-address any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match destination-address any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match application any
    set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust then permit
    set security zones security-zone mgmt host-inbound-traffic system-services all
    set security zones security-zone mgmt interfaces ge-0/0/1.0
    set security zones security-zone mgmt interfaces gr-0/0/0.0
    set security zones security-zone untrust host-inbound-traffic system-services ping
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone 200traffic host-inbound-traffic system-services all
    set security zones security-zone 200traffic interfaces ge-0/0/2.0


    and on the remote end:

    set interfaces ge-0/0/0 unit 0 family inet address 5.6.7.8/29
    set interfaces gr-0/0/0 unit 0 tunnel source 5.6.7.8
    set interfaces gr-0/0/0 unit 0 tunnel destination 1.2.3.4
    set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.2/29
    set interfaces ge-0/0/1 unit 0 family inet address 10.1.100.41/24
    set interfaces ge-0/0/2 unit 0 family inet address 100.64.201.5/24
    set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
    set routing-options static route 100.64.200.0/24 next-hop 192.168.1.1
    set routing-options static route 0.0.0.0/0 next-hop 5.6.7.5
    set security nat source rule-set 201traffic-to-untrust from zone 201traffic
    set security nat source rule-set 201traffic-to-untrust to zone untrust
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match source-address 0.0.0.0/0
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match destination-address 0.0.0.0/0
    set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust then source-nat interface
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match source-address any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match destination-address any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match application any
    set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust then permit
    set security policies from-zone untrust to-zone trust policy untrust-trust match source-address any
    set security policies from-zone untrust to-zone trust policy untrust-trust match destination-address any
    set security policies from-zone untrust to-zone trust policy untrust-trust match application any
    set security policies from-zone untrust to-zone trust policy untrust-trust then permit
    set security policies from-zone trust to-zone untrust policy trust-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-untrust then permit
    set security zones security-zone 201traffic host-inbound-traffic system-services ping
    set security zones security-zone 201traffic interfaces ge-0/0/2.0
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust host-inbound-traffic protocols all
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/1.0
    set security zones security-zone trust interfaces gr-0/0/0.0


    But I still don't see the interface coming up:

    root@remote1> show interfaces gre terse 
    Interface               Admin Link Proto    Local                 Remote
    gre                     up    up  
    
    root@remote1> show interfaces gr-0/0/0     
    Physical interface: gr-0/0/0, Enabled, Physical link is Up
      Interface index: 143, SNMP ifIndex: 522
      Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
      Link flags     : Scheduler Keepalives DTE
      Device flags   : Present Running
      Interface flags: Point-To-Point
      Input rate     : 0 bps (0 pps)
      Output rate    : 0 bps (0 pps)
    
      Logical interface gr-0/0/0.0 (Index 69) (SNMP ifIndex 532) 
        Flags: Point-To-Point SNMP-Traps 0x0
        IP-Header 1.2.3.4:5.6.7.8:47:df:64:0000000000000000
        Encapsulation: GRE-NULL
        Copy-tos-to-outer-ip-header: Off
        Gre keepalives configured: Off, Gre keepalives adjacency state: down
        Input packets : 25 
        Output packets: 17
        Security: Zone: mgmt
        Allowed host-inbound traffic : http https ping ssh
        Protocol inet, MTU: 1476
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 192.168.1.0/29, Local: 192.168.1.2, Broadcast: 192.168.1.7
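
    Added example, not code from this thread or from Juniper: a small Python checker that reads the gr- interface and static-route lines of a 'set'-style config from both ends and reports the mismatches that keep a tunnel from carrying traffic even when the gr- interface itself shows Up. It covers the point made in reply 2 (several gr- units built on the same outer source/destination pair), plus tunnel addresses that are not in one subnet, a /32 on a point-to-point tunnel, and static-route next-hops that are not the far end's tunnel address. The embedded inputs are excerpts of the two configurations posted in this thread (the first post, then the revised one); the check names, messages and the `parse`/`check` functions are the example's own.

```python
# Added example for this thread (not Juniper code): cross-check both ends of a
# GRE tunnel from their 'set' configs. Check names and messages are my own.
import ipaddress
import re

TUNNEL_RE = re.compile(r"^set interfaces (gr-\S+) unit (\d+) "
                       r"(?:tunnel (source|destination) (\S+)|family inet address (\S+))$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def parse(config):
    """Return ({unit: {source, destination, address}}, [(prefix, next_hop)])."""
    tunnels, routes = {}, []
    for line in (ln.strip() for ln in config.splitlines()):
        if m := TUNNEL_RE.match(line):
            ifname, unit, which, endpoint, addr = m.groups()
            t = tunnels.setdefault(f"{ifname}.{unit}", {"source": "", "destination": "", "address": None})
            t[which or "address"] = ipaddress.ip_interface(addr) if addr else endpoint
        elif m := ROUTE_RE.match(line):
            routes.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return tunnels, routes


def check(local_cfg, remote_cfg):
    """Return a list of findings; an empty list means the two ends agree."""
    sides = {"local": parse(local_cfg), "remote": parse(remote_cfg)}
    findings = []
    # Per box: a /32 on a point-to-point tunnel, and several gr- units built on
    # one outer source/destination pair (reply 2: those need distinct endpoints).
    for side, (tunnels, _) in sides.items():
        seen = {}
        for name, t in tunnels.items():
            if t["address"] is not None and t["address"].network.prefixlen == 32:
                findings.append(f"{side} {name}: /32 address {t['address']} leaves no room for a peer")
            key = (t["source"], t["destination"])
            if key in seen:
                findings.append(f"{side} {name}: reuses endpoints {key[0]}->{key[1]} of {seen[key]}")
            seen.setdefault(key, name)
    # Across boxes: pair units by name; outer endpoints must mirror and inner
    # addresses must share one subnet. Record the far-end address for each side.
    (lt_all, _), (rt_all, _) = sides["local"], sides["remote"]
    peers = {"local": set(), "remote": set()}
    for name in sorted(lt_all.keys() | rt_all.keys()):
        lt, rt = lt_all.get(name), rt_all.get(name)
        if lt is None or rt is None:
            findings.append(f"{name}: configured on one end only")
            continue
        if (lt["source"], lt["destination"]) != (rt["destination"], rt["source"]):
            findings.append(f"{name}: outer source/destination are not mirrored")
        la, ra = lt["address"], rt["address"]
        if la is None or ra is None:
            findings.append(f"{name}: inet address missing on one end")
            continue
        if la.network != ra.network:
            findings.append(f"{name}: {la} and {ra} are not in one subnet")
        peers["local"].add(ra.ip)
        peers["remote"].add(la.ip)
    # Static routes whose next-hop lies in a tunnel subnet must name the far end.
    for side, (tunnels, routes) in sides.items():
        nets = [t["address"].network for t in tunnels.values() if t["address"] is not None]
        for prefix, nh in routes:
            if any(nh in n for n in nets) and nh not in peers[side]:
                findings.append(f"{side} route {prefix}: next-hop {nh} is not the far end of any tunnel")
    return findings


# Constructed sample input: gr- and static-route lines excerpted from the two configs in this thread.
FIRST_LOCAL = """set interfaces gr-0/0/1 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/1 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.1/29
set interfaces gr-0/0/2 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/2 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.2/32
set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set routing-options static route 100.64.201.0/24 next-hop 192.168.1.4
"""
FIRST_REMOTE = """set interfaces gr-0/0/1 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/1 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.3/29
set interfaces gr-0/0/2 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/2 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.4/29
set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
"""
REVISED_LOCAL = """set interfaces gr-0/0/0 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/0 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.1/29
set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
set routing-options static route 100.64.201.0/24 next-hop 192.168.1.4
"""
REVISED_REMOTE = """set interfaces gr-0/0/0 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/0 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.2/29
set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
"""

if __name__ == "__main__":
    for label, pair in (("first", (FIRST_LOCAL, FIRST_REMOTE)), ("revised", (REVISED_LOCAL, REVISED_REMOTE))):
        print(label, *check(*pair), sep="\n  ")
```

Run against the first pair of configs it reports five findings (the /32 on gr-0/0/2, both boxes reusing one endpoint pair for two units, the gr-0/0/2 addresses not sharing a subnet, and the 10.1.100.0/24 route pointing at an address that is not the far end). Against the revised pair it reports only one: the 100.64.201.0/24 route on the local side still points at 192.168.1.4, which no longer exists once the single tunnel uses 192.168.1.1 and 192.168.1.2. The checker deliberately ignores security zones and policies; it only answers whether the tunnel and the routes into it agree on both ends.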