The OSPF part is not complicated:
- Make sure the mappings between remote address and VPN name are correct! You should be able to ping the other ends of the tunnel. Are the routers on the other end Juniper? If they are, then NHTB takes care of the mappings. If not, you only need to configure the mappings manually like this:
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.1.2 ipsec-vpn VPN_SITE2
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.1.3 ipsec-vpn VPN_SITE3
set interfaces st0 unit 0 family inet address 10.10.1.1/24
- The OSPF interface should automatically be point-to-multipoint with no issues
(one time I had to configure it manually just to make the adjacency come up; probably an old version of Junos)
- Make sure the st interface is in a security zone and host-inbound-traffic allows OSPF
For the VPNs:
- Make sure you do route based VPNs.
- PHASE 1: you need 1) a proposal, 2) a policy, 3) a gateway
- PHASE 2: you need 1) a proposal, 2) a policy, 3) a VPN
The proposals and policies can be the same. You need one VPN and one gateway per remote site.
Instead of your own proposal, you can reference one of the prebuilt proposal-sets (within the policy).
- Don't forget things like these (typical misconfiguration spots):
  - establish-tunnels immediately
  - bind-interface st0.0
  - host-inbound-traffic system-services ike
  - external-interface
  - security policies
  - matching keys
Give it a try and come back if you need any help.
Regards,
------------------------------
Yasmin Lara
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
------------------------------
Original Message:
Sent: 11-26-2020 22:11
From: Unknown User
Subject: Point-to-Multipoint Tunnel and OSPF
Hi,
I'm looking at configuring a few SRXs with IPsec tunnels, and want to configure the hub SRX with multipoint tunnels.
I will be running OSPF over these tunnels.
I've looked at the Junos docs on how to configure the tunnels, but there's not much on how OSPF will work with it.
I imagine that I should be configuring the st0 interface as point-to-multipoint in OSPF for it to work correctly.
I suspect it will work without changing the type, but I'm worried I will run into problems in the future.
Does anyone know what the best practices with this are? Can anyone share some experience in this area?
Thanks