SRX

Hi all,

I have two VRF's (LAN virtual-router and  WAN virtual-router) at two sites on two Juniper SRX firewalls, is it possible to do the following:

- I want to form IKE phase 1 via the WAN-VRF on the WAN facing interface using:

set security ike gateway gateway-1 external-interface ge-0/0/1.10

 The interesting traffic, however, originates inside the LAN VRF including tunnel interfaces.

set routing-instances WAN-VRF instance-type virtual-router
set routing-instances WAN-VRF interface ge-0/0/1.10
set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
set routing-instances LAN-VRF instance-type virtual-router
set routing-instances LAN-VRF interface ge-0/0/3.10
set routing-instances LAN-VRF interface st0.1

My main requirement is that the WAN-VRF just has a default route to the service provider (above) and holds no routes to the LAN-VRF for security purposes. Inside the LAN-VRF are all the VPN interesting traffic and routes, because of the security requirement I cannot do any route leaking from the LAN-VRF to the WAN-VRF, because later down the line more LAN-VRFs will be created and they could have the same IP addressing scheme.

Is there any way to achieve this?

Thanks.

Hello,

---

@jjelliott1821 wrote:

 

Is there any way to achieve this?

 

 

---

Yes. AFAIK, terminating IKE on physical or loopback interface inside routing instance is supported on SRX since long time.

Ditto for placing ST0 interface units in different routing instances.

You just need to add 0/0 routes into Your LAN-VRF and WAN-VRF, verify Your security policies to allow necessary traffic, make sure You enable necessary host-generated-traffic options. double-check Your lo0.0 filter if You have any and You are good to go unless You have a really ancient JUNOS version, like 10.0<something>.

HTH

Thx

Alex

Hi Aarseniev,

Thanks for the information.

The current static routes I have are:

set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
set security zones security-zone WAN-VRF interfaces ge-0/0/2.10 host-inbound-traffic system-services ping
set security zones security-zone WAN-VRF interfaces ge-0/0/2.10 host-inbound-traffic system-services ike
set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ping
set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ike

set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match source-address any
set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match destination-address any
set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match application any
set security policies from-zone LAN-VRF to-zone ESN-VRF policy any then permit
set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match source-address any
set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match destination-address any
set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match application any
set security policies from-zone ESN-VRF to-zone LAN-VRF policy any then permit

ge-0/0/2.10 is the external interface for IKE, I cant ping anything in WAN-VRF with the current 0/0 route on LAN-VRF, should it be different? Currently I am using next-table feature.

Hello,

I labbed up You config with JUNOS 15.1X49 and it works fine AS LONG AS:

a/ there is a route from "anything in WAN-VRF" You are presumably pinging back to prefixes in LAN-VRF;

OR

b/ You are doing source NAT for Your traffic.

I don't see source NAT rules in Your SRX config snippet You shared, please post the complete sanitized SRX config and topology to t'shoot further.

HTH

Thx

Alex 

Hi Alex,

Here is my configuration at the moment and the routing table output. 80.1.1.2 is reachable in the WAN-VRF, which is the gateway address of the other side of the site-to-site VPN.

ping routing-instance WAN-VRF 80.1.1.2
PING 80.1.1.2 (80.1.1.2): 56 data bytes
64 bytes from 80.1.1.2: icmp_seq=0 ttl=61 time=318.450 ms
64 bytes from 80.1.1.2: icmp_seq=1 ttl=61 time=23.258 ms
64 bytes from 80.1.1.2: icmp_seq=2 ttl=61 time=13.519 ms

The phase 1 tunnel is not up, however, I think this may be due to no interesting traffic?

Essentially the purpose of this is to have LAN-VRF subnet 172.16.10.0/24 to reach 172.16.30.0/24 on the other side of the VPN, whilst the tunnel interface st0.1 resides in LAN-VRF and the physical external interface resides in WAN-VRF. I also don't want  WAN-VRF to not be aware of any of the LAN-VRF subnets in its routing table, so I can learn how to keep this separate. Some example of how this can be done would be very much appreciated.

set system host-name DC1
set system root-authentication encrypted-password "$1$BMZ9QGMQ$gbwTxvGtvmoeEHEv1QggQ1"
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 10 vlan-id 10
set interfaces ge-0/0/1 unit 10 family inet address 20.1.1.2/30
set interfaces ge-0/0/3 vlan-tagging
set interfaces ge-0/0/3 unit 10 vlan-id 10
set interfaces ge-0/0/3 unit 10 family inet address 172.16.10.1/24
set interfaces ge-0/0/3 unit 20 vlan-id 20
set interfaces ge-0/0/3 unit 20 family inet address 172.16.20.1/24
set interfaces st0 unit 1 family inet mtu 1436
set security ike traceoptions file size 750k
set security ike traceoptions file files 10
set security ike traceoptions flag policy-manager
set security ike traceoptions flag ike
set security ike traceoptions flag routing-socket
set security ike proposal proposal-1 authentication-method pre-shared-keys
set security ike proposal proposal-1 dh-group group19
set security ike proposal proposal-1 authentication-algorithm sha-256
set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
set security ike proposal proposal-1 lifetime-seconds 86400
set security ike policy policy-1 mode main
set security ike policy policy-1 proposals proposal-1
set security ike policy policy-1 pre-shared-key ascii-text "$9$VtsgJikP36AGD6Ap0hcbs2"
set security ike gateway gateway-1 ike-policy policy-1
set security ike gateway gateway-1 address 80.1.1.2
set security ike gateway gateway-1 no-nat-traversal
set security ike gateway gateway-1 external-interface ge-0/0/1.10
set security ike gateway gateway-1 version v2-only
set security ipsec proposal secproposal-1 protocol esp
set security ipsec proposal secproposal-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal secproposal-1 encryption-algorithm aes-128-cbc
set security ipsec proposal secproposal-1 lifetime-seconds 3600
set security ipsec policy secpolicy-1 perfect-forward-secrecy keys group19
set security ipsec policy secpolicy-1 proposals secproposal-1
set security ipsec vpn secvpn-1 bind-interface st0.1
set security ipsec vpn secvpn-1 ike gateway gateway-1
set security ipsec vpn secvpn-1 ike ipsec-policy secpolicy-1
set security ipsec vpn secvpn-1 establish-tunnels immediately
set security address-book WAN-VRF attach zone WAN-VRF
set security address-book LAN-VRF attach zone LAN-VRF
set security address-book LAN-2-VRF attach zone LAN-2-VRF
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match source-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match destination-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match application any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any then permit
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match source-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match destination-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match application any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any then permit
set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
set security zones security-zone WAN-VRF interfaces ge-0/0/1.10 host-inbound-traffic system-services ike
set security zones security-zone WAN-VRF interfaces ge-0/0/1.10 host-inbound-traffic system-services ping
set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ping
set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ike
set security zones security-zone LAN-2-VRF interfaces ge-0/0/3.20 host-inbound-traffic system-services ike
set security zones security-zone LAN-2-VRF interfaces ge-0/0/3.20 host-inbound-traffic system-services ping
set routing-instances WAN-VRF instance-type virtual-router
set routing-instances WAN-VRF interface ge-0/0/1.0
set routing-instances WAN-VRF interface ge-0/0/1.10
set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
set routing-instances LAN-VRF instance-type virtual-router
set routing-instances LAN-VRF interface ge-0/0/3.10
set routing-instances LAN-VRF interface st0.1
set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
set routing-instances LAN-2-VRF instance-type virtual-router
set routing-instances LAN-2-VRF interface ge-0/0/3.20

show route:
WAN-VRF.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:14:36
                    > to 20.1.1.1 via ge-0/0/1.10
20.1.1.0/30        *[Direct/0] 00:14:36
                    > via ge-0/0/1.10
20.1.1.2/32        *[Local/0] 00:14:38
                      Local via ge-0/0/1.10

LAN-VRF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:15:02
                      to table WAN-VRF.inet.0
172.16.10.0/24     *[Direct/0] 00:14:36
                    > via ge-0/0/3.10
172.16.10.1/32     *[Local/0] 00:14:38
                      Local via ge-0/0/3.10
172.16.30.0/24     *[Static/5] 00:14:52
                    > via st0.1

LAN-2-VRF.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.20.0/24     *[Direct/0] 00:14:36
                    > via ge-0/0/3.20
172.16.20.1/32     *[Local/0] 00:14:38
                      Local via ge-0/0/3.20

Thankyou

Hello,

It works in my lab with Your config as below (slightly modified for interface names and DH group):

set security ike proposal proposal-1 authentication-method pre-shared-keys
set security ike proposal proposal-1 dh-group group5
set security ike proposal proposal-1 authentication-algorithm sha-256
set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
set security ike proposal proposal-1 lifetime-seconds 86400
set security ike policy policy-1 mode main
set security ike policy policy-1 proposals proposal-1
set security ike policy policy-1 pre-shared-key ascii-text "$9$VtsgJikP36AGD6Ap0hcbs2"
set security ike gateway gateway-1 ike-policy policy-1
set security ike gateway gateway-1 address 80.1.1.2
set security ike gateway gateway-1 no-nat-traversal
set security ike gateway gateway-1 external-interface ge-0/0/0.0
set security ike gateway gateway-1 version v2-only
set security ipsec proposal secproposal-1 protocol esp
set security ipsec proposal secproposal-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal secproposal-1 encryption-algorithm aes-128-cbc
set security ipsec proposal secproposal-1 lifetime-seconds 3600
set security ipsec policy secpolicy-1 perfect-forward-secrecy keys group5
set security ipsec policy secpolicy-1 proposals secproposal-1
set security ipsec vpn secvpn-1 bind-interface st0.1
set security ipsec vpn secvpn-1 ike gateway gateway-1
set security ipsec vpn secvpn-1 ike ipsec-policy secpolicy-1
set security ipsec vpn secvpn-1 establish-tunnels immediately
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match source-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match destination-address any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match application any
set security policies from-zone LAN-VRF to-zone WAN-VRF policy any then permit
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match source-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match destination-address any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match application any
set security policies from-zone WAN-VRF to-zone LAN-VRF policy any then permit
set security zones security-zone LAN-VRF host-inbound-traffic system-services all
set security zones security-zone LAN-VRF host-inbound-traffic protocols all
set security zones security-zone LAN-VRF interfaces ge-0/0/1.0
set security zones security-zone LAN-VRF interfaces st0.1
set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
set security zones security-zone WAN-VRF host-inbound-traffic system-services ssh
set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
set security zones security-zone WAN-VRF interfaces ge-0/0/0.0
set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.10.1/24
set interfaces st0 unit 1 description "IPsec to SRX2"
set interfaces st0 unit 1 family inet mtu 1436
set routing-instances LAN-VRF instance-type virtual-router
set routing-instances LAN-VRF interface ge-0/0/1.0
set routing-instances LAN-VRF interface st0.1
set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
set routing-instances WAN-VRF instance-type virtual-router
set routing-instances WAN-VRF interface ge-0/0/0.0
set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.2

Verification:

regress@FW1> show security ike sa 
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
2724959 UP     79ee962d64f0f88e  bdd8d7675bf603d6  IKEv2          80.1.1.2        

regress@FW1> show security ipsec sa 
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131074 ESP:aes-cbc-128/sha256 297cfe73 3538/ unlim - root 500 80.1.1.2        
  >131074 ESP:aes-cbc-128/sha256 260bc29f 3538/ unlim - root 500 80.1.1.2        


regress@FW1> show route table WAN-VRF 

WAN-VRF.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:25:57
                    > to 20.1.1.2 via ge-0/0/0.0
20.1.1.0/24        *[Direct/0] 00:28:19
                    > via ge-0/0/0.0
20.1.1.1/32        *[Local/0] 00:28:19
                      Local via ge-0/0/0.0

regress@FW1> show route table LAN-VRF    

LAN-VRF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 06:37:18
                      to table WAN-VRF.inet.0
172.16.10.0/24     *[Direct/0] 00:16:32
                    > via ge-0/0/1.0
172.16.10.1/32     *[Local/0] 00:16:32
                      Local via ge-0/0/1.0
172.16.30.0/24     *[Static/5] 00:01:45
                    > via st0.1

Topology:

SRX FW1[ge-0/0/0]-----R1-------R2--------[ge-0/0/0]SRX FW2

Ping from LAN-VRF towards any destination EXCEPT 172.16.30.0/24 does not work, and this is expected because You did not share NAT rules. 

Once I add NAT rule as below, ping from LAN-VRF towards 80.1.1.2 works

set security nat source rule-set ifnat from routing-instance LAN-VRF
set security nat source rule-set ifnat to interface ge-0/0/0.0
set security nat source rule-set ifnat rule ifnat-1 match source-address 172.16.10.0/24
set security nat source rule-set ifnat rule ifnat-1 match destination-address 0.0.0.0/0
set security nat source rule-set ifnat rule ifnat-1 then source-nat interface

- BUT - You can see it ONLY in "show security flow sesson" because returning traffic does NOT have a route from WAN-VRF  to Your LAN-VRF private IPs and this is actually one of Your requirements:

regress@FW1> ping 80.1.1.1 source 172.16.10.1 routing-instance LAN-VRF    
PING 80.1.1.1 (80.1.1.1): 56 data bytes
(no response, but see below)

regress@FW1# run show security flow session  source-prefix 172.16.10.1    
Session ID: 791, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 172.16.10.1/78 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84,  <<<< ICMP ECHO REQUEST
  Out: 80.1.1.1/35878 --> 20.1.1.1/19509;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE

Session ID: 792, Policy name: self-traffic-policy/1, Timeout: 2, Valid
  In: 172.16.10.1/79 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84, <<<< ICMP ECHO REQUEST
  Out: 80.1.1.1/35878 --> 20.1.1.1/12774;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE
Total sessions: 2

HTH

Thx

Alex

Alex, many thanks for your assistance, everything worked and the NAT rule has helped LAN-VRF get to the internet without WAN-VRF having a route which is scalable for me when i create more VRF's.

Only thing I had to add was a policy INTRA policy between LAN-VRF to LAN-VRF otherwise the VPN traffic could not talk.

Thanks.

Hi all,

I have an srx located in the data center. The plan is to use the IPSec dial tunnel between the SRX and multiple clients. The plan is to share the IP address of the SRX endpoint to all clients, except for a separate routing table. On the Cisco platform, I'm used to using VRFs which allow us to separate data traffic from clients. Is something similar possible with srx?
If yes, how does it work with vrf to separate traffic from vpn.
the diagram below illustrates the expected results

Thanks

In Junos you will use routing-instance function with the virtual route type.

You put interfaces into virtual routers and they will each maintain their own separate routing table.  The private address intefaces for each of your vpn groups would be placed into the virtual router. 

Your public address for the tunnel endpoint will remain in the default main routing instance with no additional configuration required and that can be shared by all the tunnels.

https://www.juniper.net/documentation/en_US/junos/topics/concept/routing-instances-overview.html

Thank you for your reply.

If i do this can a share a BGP routing table in each routing instance ? 

if your have a exemple of this type of configuration with a dialup VPN can you show me please .

Regards