Routing

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  VPN Tunnel Routing Issue

    Posted 09-16-2014 06:49

    Good morning,

    Let me apologize in advance, I am still very much in the learning process of troubleshooting Juniper OS issues.

     

    I am having an issue at several of our remote locations.  When I try to ping back to our corporate subnet, I can only ping the gateway, nothing inside the subnet works correctly.

     

    I have tracert from the local workstations back, and the gateway returns in just two hops, the local gateway and the corporate gateway.  Example - tracert 192.168.1.1 -> 192.168.6.1 works correctly.  Tracert 192.168.1.68 -> out to the public network and not through the tunnel.1 as I defined in the route.

     

    Here is the configuration on the remote office for routes:

    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 192.168.1.0/24 interface tunnel.1 preference 20
    set route 192.168.26.0/24 interface tunnel.1 preference 20
    set route 0.0.0.0/0 gateway 216.23.38.249
    exit


    I have tried to standardize the configuration based off a known working one, but that does not seem to have helped.

     

    Any ideas or posts someone could point me to?  I have not had much luck just googling for the past 4 days.


    Thanks in advance,

     

    Edited *It does not appear that the route is being broadcast to any NICs in the local subnet, even though I have included it in the routes listed above.


    #Route
    #SSG5
    #Juniper
    #subnet
    #vpn


  • 2.  RE: VPN Tunnel Routing Issue

     
    Posted 09-16-2014 14:49

    Check the routing table on the device to see all the routes installed.

     

    cli

    get route

     

    web

    Network > routing > destination

     

    the * means the route is active and no * means inactive.



  • 3.  RE: VPN Tunnel Routing Issue

    Posted 09-17-2014 09:11

    Here is the homework I have.  I blanked out my public IP address (just to be on the safe side) and this is what I show on both Juniper and Local workstation.  Am I wrong to think the Juniper should be broadcasting routes?

     

    Edit: Are there supposed to be two routes for tunnel.1?  That seems odd as well.

     

    Juniper Routes:
    IPv4 Dest-Routes for <trust-vr> (8 entries)
    ------------------------------------------------------------------------------
    ------
    ID IP-Prefix Interface Gateway P Pref Mtr
    Vsys
    ------------------------------------------------------------------------------
    ------
    * 8 0.0.0.0/0 eth0/0 xxx.xxx.xxx.152 S 20 1
    Root
    * 6 10.8.8.2/32 tun.1 0.0.0.0 H 0 0
    Root
    * 5 10.8.8.0/30 tun.1 0.0.0.0 C 0 0
    Root
    * 1 xxx.xxx.xxx.152/30 eth0/0 0.0.0.0 C 0 0
    Root
    * 2 xxx.xxx.xxx.154/32 eth0/0 0.0.0.0 H 0 0
    Root
    * 4 192.168.28.1/32 bgroup0 0.0.0.0 H 0 0
    Root
    * 3 192.168.28.0/24 bgroup0 0.0.0.0 C 0 0
    Root
    * 9 192.168.1.0/24 tun.1 0.0.0.0 S 20 1
    Root


    Local Workstation Routers:
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    192.168.28.0 255.255.255.0 On-link 192.168.28.35 276
    192.168.28.35 255.255.255.255 On-link 192.168.28.35 276
    192.168.28.255 255.255.255.255 On-link 192.168.28.35 276
    ===========================================================================
    Persistent Routes:
    None



  • 4.  RE: VPN Tunnel Routing Issue
    Best Answer

     
    Posted 09-18-2014 03:06

    Are there supposed to be two routes for tunnel.1?

     

    These routes are automatically installed by virtue of the interface creation.  They are the routes that are implied by the interface ip address.

    * 6 10.8.8.2/32 tun.1 0.0.0.0 H 0 0
    Root
    * 5 10.8.8.0/30 tun.1 0.0.0.0 C 0 0
    Root

     

    Am I wrong to think the Juniper should be broadcasting routes?

     

    This is not correct.  A routing table is a local routers only.  You can use protocols like BGP or OSPF to share routing information between routers, but these would never apply to workstations.

     

    Based on your workstation routing table it looks like you have another router in this same subnet as bgroup0 on the firewall. 

     

    SSG - 192.168.28.1

    router: 192.168.28.35

     

    You don't include your workstation default route so I assume this goes to the 35 host and that is why tunnel remote side addresses are not reaching the SSG from the workstation.

     

    You would need to install 192.18.1.0/24 next hop 192.168.28.1 on the workstation routing table.



  • 5.  RE: VPN Tunnel Routing Issue

    Posted 09-18-2014 05:46

    I stumbled across this last night on the SSG140 that everyone connects back to.

     

    10.1.1.4/30 tun.1 0.0.0.0 C 0 0
    10.1.1.5/32 tun.1 0.0.0.0 H 0 0
    192.168.2.0/24 tun.1 0.0.0.0 S 20 1

     

    I noticed that in all of the sites that I am having problems in, it was missing the third route for the local subnet.

     

    I went back and added those using the CLI "set route 192.168.xxx.0/24 interface tun.X" and that seemed to correct most of the connectivity.  Of course, since over time different people have configured things, I am seeing inconsistencies. 

     

    Most of the tunnels show 0.0.0.0 for the gateway on this route.  But I have a few that are configured like this:

    10.1.1.56/30 tun.14 0.0.0.0 C 0 0
    10.1.1.57/32 tun.14 0.0.0.0 H 0 0
    192.168.15.0/24 tun.14 10.1.1.58 S 20 1

     

    I am not sure which is the correct method to try and standardize our tunnels, I really do not want to go through this process again.  Ever.  😃

     

    Thank you for your posts and information, if you have a moment and can weigh in on these last questions....

     

    1. Which method is correct for the Gateway as shown above?

    2. Another inconsistency I saw was that the local subnet was on the SSG140, but in it's own tunnel seperate from the pair, is that because they are un-numbered interfaces?

    3. Why can't people build things with consistency!?!?!  😃



  • 6.  RE: VPN Tunnel Routing Issue

     
    Posted 09-19-2014 18:51

    1. Which method is correct for the Gateway as shown above?

    Both methods will work if the tunnel interface only connects point to point.  If your tunnel interface is point to multi point then you do require the ip address.

     

     

    2. Another inconsistency I saw was that the local subnet was on the SSG140, but in it's own tunnel seperate from the pair, is that because they are un-numbered interfaces?

    I'm not sure what you mean by this.

     

     

    3. Why can't people build things with consistency!?!?!  😃

     

    It makes life interesting and full of surprises.