Junos OS

Ask questions and share experiences about Junos OS.

Routing between VRs using logical tunnels and OSPF

  • 1.  Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 04:11
    Hello everybody,

    I'm pretty new to Juniper, and also when it comes to deeper network administration (especially routing) I'm like a young banana, so please be gentle. :)

    Also, this is the first post I'm asking for advice on, because I've been struggling with this matter for weeks now.

    Basically, I would like to make the VRs communicate with each other, starting with VR VF-3 (192.168.0.0/19) and VR VDSL (10.10.0.0/24); later I would like to use the Dynamic VPN to access the different instances as well.

    I've been using the article "Understanding Logical Tunnel Interface (lt-0/0/0) on SRX branch series platforms - Juniper Networks" to make it work, but I don't seem to get it right.

    Verifying OSPF for VR VF-3 and VR VDSL outputs:

    root@STFWHQ> show ospf neighbor instance vdsl
    Address          Interface              State     ID               Pri  Dead
    10.20.30.2       lt-0/0/0.1             Full      10.20.30.2       128    32

    root@STFWHQ> show ospf neighbor instance vf-3
    Address          Interface              State     ID               Pri  Dead
    10.20.30.1       lt-0/0/0.2             Full      10.10.0.1        128    35

    Also, there is no active session checking the security flow.

    The config, without NAT rules and without Screen configurations, has been attached.

    ------------------------------
    Paul
    ------------------------------

    Attachment(s)

    srx_config.txt (txt, 18 KB, 1 version)


  • 2.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 05:58
    The reason you don't see any sessions for the ospf neighbors is because this is traffic that terminates on the SRX itself.

    Security policy and the flow table are for transit traffic, flows that come from outside the SRX and exit to an end device outside the SRX.

    Self traffic, that which either starts with the SRX itself or ends with the SRX itself (in this case both), is controlled by the security zone settings under host-inbound-traffic and does not hit policy.

    There is an option to create policy for self traffic by using the junos-host zone if you want more control or visibility.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 14:10
    When you say it does not work, what does that mean?

    I see the OSPF adjacency is up. 

    Regards,


  • 4.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-06-2021 20:40
    Edited by ylara 03-06-2021 20:44
    I tested it like this on my SRX, and it seems to work.

    [illustration of the test topology, image not available]

    So, help me understand what it is that is not working for you.

    Regards, 



  • 5.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 00:24
    Hey ylara,

    thank you for this great illustration.

    The problem was the missing intra policy which I forgot for both zones and now it's working.

    Can you tell me how to establish a dynamic VPN from one VR to another VR?

    I am able to reach all hosts in one VR with a properly working dynamic VPN, but I can't reach the other VR.

    Thank you


    ------------------------------
    Paul
    ------------------------------



  • 6.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 07:28
    Sorry that I'm having trouble understanding the topology. And I guess I don't understand the question.

    Looking at the config the only internal connection between the virtual routers I see is the one between vr3 and dsl via the logical tunnel.

    So unless those other routers vf1 and vf2 have an external path to connect there is no way for these 4 routers to pass traffic in a full mesh.

    If there is an external path, then routing would need to be added by ospf, static or some other protocol to allow the reachability for the virtual router controlled subnets.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 7.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 10:07
    Hey Spuluka, sorry for being inaccurate, haha. The issue was the missing intra-zone policy, which I didn't create because it did not make sense to me.

    Anyway, it's working really well for now; accessing the other VRs through an established VPN tunnel within one certain VR is the last thing I'm struggling with right now. The remote protected resources have been defined, but I can't get through: I can't ping any host within the other subnet.

    ------------------------------
    Paul
    ------------------------------



  • 8.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 12:59
    So far in the configuration for routing only vr3 has a connection to your dsl virtual router.

    If you want to access vr1 & vf1 from the remote connection to the dsl virtual router:
    • Create a routing path to them either via another logical tunnel
    • And then add those logical tunnels to the existing or new zones for the communications
    • Make sure the traffic desired is then covered by a security policy or add a new policy for that zone to zone traffic


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
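The three steps Steve lists above, together with his earlier point that OSPF between the VRs is self traffic admitted by host-inbound-traffic while transit traffic needs zone-to-zone (and intra-zone) policy, as one added example in Junos set syntax. This is not Paul's attached srx_config.txt and not Juniper's documentation. The routing-instance names vf-3 and vdsl, the lt-0/0/0.1 / lt-0/0/0.2 pairing and the 10.20.30.0/30 link are taken from the show ospf neighbor output in the first post; the zone names (vf-3, vdsl), the router IDs, the LAN interface ge-0/0/15.0 and the policy names are assumptions. Lines beginning with ## are annotations, not configuration.

```junos
## 1. Logical tunnel pair: unit 1 is the vdsl end, unit 2 the vf-3 end.
##    peer-unit cross-connects the two units inside the SRX (no cable).
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 2
set interfaces lt-0/0/0 unit 1 family inet address 10.20.30.1/30
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 1
set interfaces lt-0/0/0 unit 2 family inet address 10.20.30.2/30

## 2. Each tunnel end goes into its own virtual router, and OSPF runs
##    across the /30 so each VR learns the other VR's subnets.
##    (router-id values are assumed)
set routing-instances vdsl instance-type virtual-router
set routing-instances vdsl interface lt-0/0/0.1
set routing-instances vdsl routing-options router-id 10.10.0.1
set routing-instances vdsl protocols ospf area 0.0.0.0 interface lt-0/0/0.1
set routing-instances vf-3 instance-type virtual-router
set routing-instances vf-3 interface lt-0/0/0.2
set routing-instances vf-3 interface ge-0/0/15.0
set routing-instances vf-3 routing-options router-id 10.20.30.2
set routing-instances vf-3 protocols ospf area 0.0.0.0 interface lt-0/0/0.2

## 3. Self traffic: OSPF hellos terminate on the SRX, so they are admitted
##    per zone/interface by host-inbound-traffic, not by security policy.
##    Nothing for them will ever show in "show security flow session".
set security zones security-zone vdsl interfaces lt-0/0/0.1 host-inbound-traffic protocols ospf
set security zones security-zone vf-3 interfaces lt-0/0/0.2 host-inbound-traffic protocols ospf
set security zones security-zone vf-3 interfaces ge-0/0/15.0 host-inbound-traffic system-services ping

## 4. Transit traffic between the VRs is flow traffic: it needs a policy
##    for each direction, plus an intra-zone policy per zone (the SRX
##    default policy denies intra-zone traffic too; this was the missing
##    piece in post 5). Logging keeps the sessions visible for troubleshooting.
set security policies from-zone vf-3 to-zone vdsl policy vf3-to-vdsl match source-address any destination-address any application any
set security policies from-zone vf-3 to-zone vdsl policy vf3-to-vdsl then permit
set security policies from-zone vf-3 to-zone vdsl policy vf3-to-vdsl then log session-init session-close
set security policies from-zone vdsl to-zone vf-3 policy vdsl-to-vf3 match source-address any destination-address any application any
set security policies from-zone vdsl to-zone vf-3 policy vdsl-to-vf3 then permit
set security policies from-zone vdsl to-zone vf-3 policy vdsl-to-vf3 then log session-init session-close
set security policies from-zone vf-3 to-zone vf-3 policy intra-vf3 match source-address any destination-address any application any
set security policies from-zone vf-3 to-zone vf-3 policy intra-vf3 then permit
set security policies from-zone vdsl to-zone vdsl policy intra-vdsl match source-address any destination-address any application any
set security policies from-zone vdsl to-zone vdsl policy intra-vdsl then permit

## 5. Optional (Steve's junos-host hint): a policy toward the junos-host
##    zone gives logging/visibility for traffic destined to the SRX itself.
##    host-inbound-traffic in step 3 must still admit the protocol.
set security policies from-zone vdsl to-zone junos-host policy log-ospf-to-self match source-address any destination-address any application junos-ospf
set security policies from-zone vdsl to-zone junos-host policy log-ospf-to-self then permit
set security policies from-zone vdsl to-zone junos-host policy log-ospf-to-self then log session-init

## Checks after commit:
##   show ospf neighbor instance vdsl      -> lt-0/0/0.1 neighbour in state Full
##   show route table vf-3.inet.0          -> 10.10.0.0/24 learned via OSPF
##   show security flow session            -> sessions only for the transit pings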



  • 9.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 22:49
    I am assuming your working VPN is ipsec-vpn-stvpn.

    Since this is a policy-based VPN, the only traffic that is allowed is between 192.169.0.0/24 and 192.168.0.0/19. That would explain why you can access one VR but not the other. I am also assuming that you are able to access routing instance vf-3, and that you are unsuccessfully trying to access routing instance vdsl, which is the one connected via the lt interfaces with OSPF.

    The other two VRs in your configuration have no communication with routing instances vf-3 and vdsl as Steve mentioned. 


    Regards, 



  • 10.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-07-2021 23:56
    Edited by Paul 03-08-2021 01:07
    Hi ylara, thank you so much, and yes, that is correct for the tunnel ipsec-vpn-stvpn.

    Your illustration is great, I'll use this in further posts to give a better overview of the topology. 

    But my problem is that I can not get any traffic to VDSL VR with the dynamic VPN called dyn-vpn and by the policy dyn-vpn-policy via the VF-3 VR.

    I have been creating a lot of policies thinking this is not a policy issue.

    ------------------------------
    Paul
    ------------------------------



  • 11.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 05:53
    There is a troubleshooting tree of articles available for failure to access protected resources on dynamic vpn.

    You start with step 5 in this kb and follow the path indicated by the messages you are getting.
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17220

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 12.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 09:29
    Hey Steve,

    thanks, I attached the flow.

    I guess there's a problem with the traffic coming back?

    ------------------------------
    Paul
    ------------------------------

    Attachment(s)

    flow.txt (txt, 24 KB, 1 version)


  • 13.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 10:02
    Check this document:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21363

    Regards, 


  • 14.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 14:43
    Hi Yasmin,

    this seems to be suboptimal, so it's probably better to delete all VRs and put all internal zones together into one.

    I thought VRs were a good option to separate the ISPs.

    ------------------------------
    Paul
    ------------------------------



  • 15.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-08-2021 19:10
    Looks like your pool address for the remote client is not configured locally on the SRX so the return traffic is hitting the default route and being selected to be sent out the internet connection.

    If possible, select a pool address range that is within the subnet assigned to the vf3 virtual router. Then all the internal routing will be normalized and the return flow should start working.

    If that is not possible you will need to add some routes to the system so that your pool addresses are properly directed back to the vf3 virtual router for return to the clients.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 16.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-09-2021 00:04
    Hey Steve, yeah, putting the dynamic VPN address pool within the same subnet solved this problem, but I can't ping resources within the same subnet.

    Using the proxy-arp for the interface ge-0/0/15.0 did not work either.

    set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.3.0/24
    set security nat proxy-arp interface ge-0/0/15.0 address 192.168.3.1/32 to 192.168.3.254/32


    Thank you for your help, I guess I'm close :) 




    ------------------------------
    Paul
    ------------------------------



  • 17.  RE: Routing between VRs using logical tunnels and OSPF

    Posted 03-09-2021 03:27
    Edited by Paul 03-13-2021 08:43
    Hey Steve, I guess it's working.

    Enabling proxy-arp for the specific interface made it possible.

    unit 0 {
        proxy-arp;
        family inet {
            address 192.168.0.1/19;
        }
    }


    I can't access the SRX mgmt. IP over the dynamic VPN, but I'll figure that out.

    Thank you!!!


    ------------------------------
    Paul
    ------------------------------
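The fix the last three posts arrive at (Steve's advice to place the dynamic VPN pool inside the vf3 subnet, and Paul's finding that interface-level proxy-arp was then needed) as one added example in Junos set syntax, with the reason each line is there. This is not Paul's configuration; the pool name dyn-vpn-address-pool, the 192.168.3.0/24 pool, the interface ge-0/0/15.0 and the 192.168.0.1/19 address are taken from posts 16 and 17, and the zone name vf-3 is an assumption. Lines beginning with ## are annotations, not configuration.

```junos
## Pool inside the VR's own /19: return traffic for a client address such as
## 192.168.3.10 is then a connected route in vf-3 instead of following the
## default route out to the internet (the failure seen in flow.txt).
set access address-assignment pool dyn-vpn-address-pool family inet network 192.168.3.0/24
set access address-assignment pool dyn-vpn-address-pool family inet range r1 low 192.168.3.10
set access address-assignment pool dyn-vpn-address-pool family inet range r1 high 192.168.3.254

## The LAN hosts sit in 192.168.0.0/19 as well, so a host pinged by a VPN
## client answers by ARPing for 192.168.3.x directly on the LAN instead of
## sending the reply to its gateway. Interface proxy-arp makes the SRX answer
## those ARP requests with its own MAC, so the replies reach the tunnel.
set interfaces ge-0/0/15 unit 0 proxy-arp
set interfaces ge-0/0/15 unit 0 family inet address 192.168.0.1/19

## The LAN interface stays in the vf-3 instance and zone (assumed names).
set routing-instances vf-3 interface ge-0/0/15.0
set security zones security-zone vf-3 interfaces ge-0/0/15.0 host-inbound-traffic system-services ping

## Checks after commit:
##   show route table vf-3.inet.0 192.168.3.10  -> resolves via the connected /19
##   show arp interface ge-0/0/15.0             -> LAN hosts' entries present
##   show security flow session source-prefix 192.168.3.0/24
##                                              -> both wings of a client ping present
```

If the pool cannot live inside the VR's subnet (Steve's second option), the same effect needs an explicit route for the pool prefix in the vf3 instance so return traffic is not pulled to the default route; the exact next hop depends on how the dynamic VPN terminates, which the thread does not show, so it is left out here.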