I'm trying to connect two offices, one local and one remote, over a GRE tunnel (or two if needed) with SRX-220s on both ends.
I want one subnet in the local office's trust zone, 10.1.10.0/24, to be able to see the remote trust zone 10.1.100.0/24 over a tunnel.
I want a second subnet in the local office's 200traffic zone, 100.64.200.0/24, to see the remote trust zone 201traffic, 100.64.201.0/24, over a tunnel.
I have configured both SRX-220s, but I'm not sure whether I need one GRE tunnel or two. I'm trying to adapt this example:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB19371
Here's my configuration on the local office:
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.10.31/24
set interfaces gr-0/0/1 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/1 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.1/29
set interfaces ge-0/0/2 description vlan200traffic
set interfaces ge-0/0/2 unit 0 family inet address 100.64.200.2/24
set interfaces gr-0/0/2 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/2 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.2/32
set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set routing-options static route 100.64.201.0/24 next-hop 192.168.1.4
set security nat source rule-set mgmt-to-untrust from zone mgmt
set security nat source rule-set mgmt-to-untrust to zone untrust
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match source-address 0.0.0.0/0
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match destination-address 0.0.0.0/0
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust then source-nat interface
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match source-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match destination-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match application any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust then permit
set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match source-address any
set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match destination-address any
set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic match application any
set security policies from-zone untrust to-zone 200traffic policy untrust-200traffic then permit
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match source-address any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match destination-address any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match application any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt then permit
set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match source-address any
set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match destination-address any
set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust match application any
set security policies from-zone 200traffic to-zone untrust policy 200traffic-untrust then permit
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt interfaces ge-0/0/1.0
set security zones security-zone mgmt interfaces gr-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone 200traffic host-inbound-traffic system-services all
set security zones security-zone 200traffic interfaces ge-0/0/2.0
set security zones security-zone 200traffic interfaces gr-0/0/2.0
And my remote office:
set interfaces ge-0/0/0 unit 0 family inet address 5.6.7.8/29
set interfaces ge-0/0/1 unit 0 family inet address 10.1.100.41/24
set interfaces gr-0/0/1 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/1 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/1 unit 0 family inet address 192.168.1.3/29
set interfaces ge-0/0/2 unit 0 family inet address 100.64.201.5/24
set interfaces gr-0/0/2 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/2 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/2 unit 0 family inet address 192.168.1.4/29
set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
set routing-options static route 100.64.200.0/24 next-hop 192.168.1.1
set routing-options static route 0.0.0.0/0 next-hop 5.6.7.4
set security nat source rule-set mgmt-to-untrust from zone mgmt
set security nat source rule-set mgmt-to-untrust to zone untrust
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match source-address 0.0.0.0/0
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust match destination-address 0.0.0.0/0
set security nat source rule-set mgmt-to-untrust rule mgmt-untrust then source-nat interface
set security nat source rule-set 201traffic-to-untrust from zone 201traffic
set security nat source rule-set 201traffic-to-untrust to zone untrust
set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match source-address 0.0.0.0/0
set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust match destination-address 0.0.0.0/0
set security nat source rule-set 201traffic-to-untrust rule 201traffic-untrust then source-nat interface
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match source-address any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match destination-address any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt match application any
set security policies from-zone untrust to-zone mgmt policy untrust-mgmt then permit
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match source-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match destination-address any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust match application any
set security policies from-zone mgmt to-zone untrust policy mgmt-untrust then permit
set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match source-address any
set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match destination-address any
set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust match application any
set security policies from-zone 201traffic to-zone untrust policy 201traffic-untrust then permit
set security zones security-zone mgmt host-inbound-traffic system-services ping
set security zones security-zone mgmt host-inbound-traffic system-services ssh
set security zones security-zone mgmt host-inbound-traffic system-services http
set security zones security-zone mgmt host-inbound-traffic system-services https
set security zones security-zone mgmt interfaces ge-0/0/1.0
set security zones security-zone mgmt interfaces gr-0/0/1.0
set security zones security-zone 201traffic host-inbound-traffic system-services ping
set security zones security-zone 201traffic interfaces ge-0/0/2.0
set security zones security-zone 201traffic interfaces gr-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
What am I missing? When I try to show the gr interfaces I get only gr-0/0/0 (but I configured gr-0/0/1 and gr-0/0/2), which shows:
root@remote1> show interfaces gr-0/0/0 terse
Interface Admin Link Proto Local Remote
gr-0/0/0 up up
root@remote1> show interfaces gr-0/0/0
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Interface index: 143, SNMP ifIndex: 522
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
Link flags : Scheduler Keepalives DTE
Device flags : Present Running
Interface flags: Point-To-Point
Input rate : 0 bps (0 pps)
Output rate : 0 bps (0 pps)
The local router shows similar output.
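The layout below is an added example, not the poster's configuration or Juniper's KB example. It keeps the post's addresses but uses a single GRE tunnel: on branch SRX the GRE interface is gr-0/0/0 (the one the show output above lists), and each tunnel is a logical unit of it, so a second tunnel would be gr-0/0/0 unit 1 rather than gr-0/0/1. One tunnel is enough for both subnet pairs; the separation comes from putting the tunnel interface in its own zone (called gre here, an assumed name) and writing subnet-scoped policies so that 10.1.10.0/24 can only reach 10.1.100.0/24 and 100.64.200.0/24 can only reach 100.64.201.0/24. The address-book entry names are assumptions, and the global address book needs Junos 11.2 or later. The source NAT rule-sets and the untrust zone's host-inbound settings are left as in the post and are omitted.

```junos
## Local office (added example; zone "gre" and address names are assumed)
set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.10.31/24
set interfaces ge-0/0/2 unit 0 family inet address 100.64.200.2/24
## One GRE tunnel as a logical unit of gr-0/0/0, with a /30 for the tunnel link
set interfaces gr-0/0/0 unit 0 tunnel source 1.2.3.4
set interfaces gr-0/0/0 unit 0 tunnel destination 5.6.7.8
set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.1/30
## Both remote subnets are reached through the same tunnel next-hop
set routing-options static route 0.0.0.0/0 next-hop 1.2.3.1
set routing-options static route 10.1.100.0/24 next-hop 192.168.1.2
set routing-options static route 100.64.201.0/24 next-hop 192.168.1.2
## The tunnel sits in its own zone, so every LAN segment needs an explicit policy to cross it
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone mgmt interfaces ge-0/0/1.0
set security zones security-zone 200traffic interfaces ge-0/0/2.0
set security zones security-zone gre interfaces gr-0/0/0.0
set security zones security-zone gre host-inbound-traffic system-services ping
## Address objects (global address book, Junos 11.2 or later)
set security address-book global address local-mgmt 10.1.10.0/24
set security address-book global address local-200 100.64.200.0/24
set security address-book global address remote-trust 10.1.100.0/24
set security address-book global address remote-201 100.64.201.0/24
## mgmt may talk only to the remote trust subnet, in both directions
set security policies from-zone mgmt to-zone gre policy mgmt-to-remote match source-address local-mgmt
set security policies from-zone mgmt to-zone gre policy mgmt-to-remote match destination-address remote-trust
set security policies from-zone mgmt to-zone gre policy mgmt-to-remote match application any
set security policies from-zone mgmt to-zone gre policy mgmt-to-remote then permit
set security policies from-zone gre to-zone mgmt policy remote-to-mgmt match source-address remote-trust
set security policies from-zone gre to-zone mgmt policy remote-to-mgmt match destination-address local-mgmt
set security policies from-zone gre to-zone mgmt policy remote-to-mgmt match application any
set security policies from-zone gre to-zone mgmt policy remote-to-mgmt then permit
## 200traffic may talk only to the remote 201traffic subnet, in both directions
set security policies from-zone 200traffic to-zone gre policy 200-to-201 match source-address local-200
set security policies from-zone 200traffic to-zone gre policy 200-to-201 match destination-address remote-201
set security policies from-zone 200traffic to-zone gre policy 200-to-201 match application any
set security policies from-zone 200traffic to-zone gre policy 200-to-201 then permit
set security policies from-zone gre to-zone 200traffic policy 201-to-200 match source-address remote-201
set security policies from-zone gre to-zone 200traffic policy 201-to-200 match destination-address local-200
set security policies from-zone gre to-zone 200traffic policy 201-to-200 match application any
set security policies from-zone gre to-zone 200traffic policy 201-to-200 then permit

## Remote office (mirror of the above)
set interfaces ge-0/0/0 unit 0 family inet address 5.6.7.8/29
set interfaces ge-0/0/1 unit 0 family inet address 10.1.100.41/24
set interfaces ge-0/0/2 unit 0 family inet address 100.64.201.5/24
set interfaces gr-0/0/0 unit 0 tunnel source 5.6.7.8
set interfaces gr-0/0/0 unit 0 tunnel destination 1.2.3.4
set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.2/30
set routing-options static route 0.0.0.0/0 next-hop 5.6.7.4
set routing-options static route 10.1.10.0/24 next-hop 192.168.1.1
set routing-options static route 100.64.200.0/24 next-hop 192.168.1.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone mgmt interfaces ge-0/0/1.0
set security zones security-zone 201traffic interfaces ge-0/0/2.0
set security zones security-zone gre interfaces gr-0/0/0.0
set security zones security-zone gre host-inbound-traffic system-services ping
set security address-book global address local-trust 10.1.100.0/24
set security address-book global address local-201 100.64.201.0/24
set security address-book global address remote-mgmt 10.1.10.0/24
set security address-book global address remote-200 100.64.200.0/24
set security policies from-zone mgmt to-zone gre policy trust-to-remote match source-address local-trust
set security policies from-zone mgmt to-zone gre policy trust-to-remote match destination-address remote-mgmt
set security policies from-zone mgmt to-zone gre policy trust-to-remote match application any
set security policies from-zone mgmt to-zone gre policy trust-to-remote then permit
set security policies from-zone gre to-zone mgmt policy remote-to-trust match source-address remote-mgmt
set security policies from-zone gre to-zone mgmt policy remote-to-trust match destination-address local-trust
set security policies from-zone gre to-zone mgmt policy remote-to-trust match application any
set security policies from-zone gre to-zone mgmt policy remote-to-trust then permit
set security policies from-zone 201traffic to-zone gre policy 201-to-200 match source-address local-201
set security policies from-zone 201traffic to-zone gre policy 201-to-200 match destination-address remote-200
set security policies from-zone 201traffic to-zone gre policy 201-to-200 match application any
set security policies from-zone 201traffic to-zone gre policy 201-to-200 then permit
set security policies from-zone gre to-zone 201traffic policy 200-to-201 match source-address remote-200
set security policies from-zone gre to-zone 201traffic policy 200-to-201 match destination-address local-201
set security policies from-zone gre to-zone 201traffic policy 200-to-201 match application any
set security policies from-zone gre to-zone 201traffic policy 200-to-201 then permit
```

After committing on both sides, check that the logical unit exists with `show interfaces gr-0/0/0.0 terse`, that the remote subnets resolve to the tunnel next-hop with `show route 10.1.100.0/24`, and, while pinging from a host in 10.1.10.0/24 to one in 10.1.100.0/24, that a session is created with `show security flow session destination-prefix 10.1.100.0/24`; a missing session points at the zone policies, a session with no return traffic points at routing on the far side. Two caveats a practitioner would want: GRE adds no encryption or authentication, so traffic between the offices crosses the internet path in the clear unless the tunnel is carried inside IPsec; and the remote office config in the post opens the untrust zone to system-services all and protocols all on the internet-facing interface, which the example does not repeat and which should be cut back to what that interface actually needs.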