Routing

Expand all | Collapse all

Point-to-Multipoint Tunnel and OSPF

  • 1.  Point-to-Multipoint Tunnel and OSPF

    Posted 11-26-2020 22:12
    Hi,

    I'm looking at configuring a few SRX's with IPSec tunnels, and want to configure the hub SRX with multipoint tunnels.
    I will be running OSPF over these tunnels.

    I've looked at the Junos docs on how to configure the tunnels, but there's not much on how OSPF will work with it.
    I imagine that I should be configuring the st0 interface as point-to-multipoint in OSPF for it to work correctly.
    I suspect it will work without changing the type, but I'm worried I will run into problems in the future.

    Does anyone know what the best practices with this are? Can anyone share some experience in this area?


    thanks


  • 2.  RE: Point-to-Multipoint Tunnel and OSPF

     
    Posted 11-27-2020 00:18
    The OSPF part is not complicated:

    - Make sure the mapping between remote address and vpn name are correct!!!!  You should be able to ping the other ends of the tunnel. Are the routers on the other end Juniper?  If they are then NHTB takes care of the mappings. If not, you only need to configure the mappings manually like this:


    set  interfaces st0 
    unit 0 multipoint
    set  interfaces st0  unit 0 family inet next-hop-tunnel 10.10.1.2 ipsec-vpn VPN_SITE2
    set  interfaces st0  unit 0 family inet next-hop-tunnel 10.10.1.3 ipsec-vpn VPN_SITE3
    set  interfaces st0  unit 0 family inet address 10.10.1.1/24

    - OSPF interface should automatically be point-to-multipoint with no issues
       (one time I had to configure it manually just to make the adjacency come up - probably old version of Junos)

    - Make sure the st interface is an security zone and host-inbound-traffic allows ospf
    For the VPNs:
    - Make sure you do route based VPNs. 
    - PHASE 1 you need 1) proposal 2) policy 3) gateway
    - PHASE 2 you need 1) proposal 2) policy 3) VPN
       proposal and policies can be the same. You need one VPN and gateway per remote site.
       instead of your own proposal you can reference one the prebuilt proposal-sets (within the policy)
    - Don't forget things like (typical misconfiguration places):
    • establish-tunnels immediately
    • bind-interface st0.0
    • host-inbound-traffic system-services ike
    • external-interface 
    • security policies. 
    • matching keys 

    Give it a try and come back if you need any help. 

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 3.  RE: Point-to-Multipoint Tunnel and OSPF

    Posted 12-01-2020 15:19
    Looks like it's working so far, thanks!


  • 4.  RE: Point-to-Multipoint Tunnel and OSPF

    Posted 11-27-2020 04:16
    No issues in my experience with this type of setup.

    Regards,

    Elvin