SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Next Hop Tunnel Binding IPSEC VPN

    Posted 09-09-2009 19:59

    I am attempting to set up multiple IPsec VPNs on a single, unnumbered tunnel interface (st0.0) with next-hop-tunnel binding.  I have the following:

    set interfaces st0.0 multipoint
    set interfaces st0.0 family inet next-hop-tunnel X.X.X.X ipsec-vpn ipsec-vpn-X

    set routing-options static route Y.Y.Y.Y/24 next-hop st0.0
    set routing-options static route Z.Z.Z.Z/24 next-hop st0.0

    set security ipsec policy ipsec-policy-X proposal-set standard
    set security ipsec vpn ipsec-vpn-X bind-interface st0.0
    set security ipsec vpn ipsec-vpn-X ike gateway ike-gate-X
    set security ipsec vpn ipsec-vpn-X ike ipsec-policy ipsec-policy-X
    set security ipsec vpn ipsec-vpn-X establish-tunnels immediately

    set security ike policy ike-policy-X mode main
    set security ike policy ike-policy-X proposal-set standard
    set security ike policy ike-policy-X pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxx

    set security ike gateway ike-gate-X ike-policy ike-policy-X
    set security ike gateway ike-gate-X address X.X.X.X
    set security ike gateway ike-gate-X external-interface ge-0/0/0

    This doesn't work currently, but as soon as I take out the next hop, multipoint, and st0.0 interface binding on the other IPsec VPN, it works.  The VPN gets created (the establish-tunnels immediately takes care of this, I assume), but no traffic will flow until I do the former.

    I have done similar setups in ScreenOS, but this doesn't appear to work in Junos, at least with unnumbered tunnel interfaces.  Any ideas?  Do I need to have an IP address on the tunnel interfaces? Should I just use another tunnel interface?  I'd rather do neither.



  • 2.  RE: Next Hop Tunnel Binding IPSEC VPN
    Best Answer

    Posted 09-10-2009 03:22
    When you use ScreenOS and NHTB you have to set the outgoing interface and the next-hop IP in the route. The next-hop IP must match the IP in the NHTB table to select the correct VPN. In JUNOS I didn't see yet a way to select st0.x and a next-hop IP when setting a static route. So just try setting an address on the interface and routing to the IP instead of the interface, and it should work.
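
    A worked configuration for the approach this answer describes, added here as an example and not taken from any post in the thread: a hub SRX carrying two site-to-site VPNs on one numbered multipoint st0.0, with each static route pointing at the remote site's tunnel address so the next-hop-tunnel table selects the right VPN. Every interface, gateway, policy and VPN name and every address below is a constructed placeholder (documentation ranges), and the # lines are explanatory comments for the reader, not part of the Junos configuration.

```junos
# Hub side: one numbered multipoint tunnel interface (10.255.0.1)
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24

# Next-hop-tunnel binding: remote tunnel address -> VPN that reaches it
# (a packet routed to 10.255.0.2 is encrypted only under vpn-siteA's SA)
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn vpn-siteA
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn vpn-siteB

# Routes use the remote tunnel address as next hop, not st0.0 itself,
# so the NHTB lookup above can distinguish the two VPNs
set routing-options static route 192.168.10.0/24 next-hop 10.255.0.2
set routing-options static route 192.168.20.0/24 next-hop 10.255.0.3

# IKE (phase 1): one policy and one gateway per remote site
set security ike policy ike-pol-siteA mode main
set security ike policy ike-pol-siteA proposal-set standard
set security ike policy ike-pol-siteA pre-shared-key ascii-text "REPLACE-WITH-SITE-A-PSK"
set security ike gateway gw-siteA ike-policy ike-pol-siteA
set security ike gateway gw-siteA address 203.0.113.2
set security ike gateway gw-siteA external-interface ge-0/0/0.0

set security ike policy ike-pol-siteB mode main
set security ike policy ike-pol-siteB proposal-set standard
set security ike policy ike-pol-siteB pre-shared-key ascii-text "REPLACE-WITH-SITE-B-PSK"
set security ike gateway gw-siteB ike-policy ike-pol-siteB
set security ike gateway gw-siteB address 198.51.100.2
set security ike gateway gw-siteB external-interface ge-0/0/0.0

# IPsec (phase 2): both VPNs bind to the same st0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-siteA bind-interface st0.0
set security ipsec vpn vpn-siteA ike gateway gw-siteA
set security ipsec vpn vpn-siteA ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-siteA establish-tunnels immediately

set security ipsec vpn vpn-siteB bind-interface st0.0
set security ipsec vpn vpn-siteB ike gateway gw-siteB
set security ipsec vpn vpn-siteB ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-siteB establish-tunnels immediately

# Tunnel interface lives in its own zone so decrypted traffic is still
# subject to security policy between zones
set security zones security-zone vpn interfaces st0.0
```

    Each spoke numbers its own point-to-point st0 unit in the same subnet (10.255.0.2/24 and 10.255.0.3/24 in this example) and binds it to its single VPN. After commit, show security ipsec next-hop-tunnels lists the two bindings and show security ipsec security-associations should show both SAs up. Because the route next hop is the tunnel address rather than the interface, a packet for site B can never be sent over site A's SA, and because st0.0 sits in the vpn zone, traffic between sites only passes where a security policy explicitly permits it.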


  • 3.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-10-2009 13:08

    Have you tried using the remote side's st0.0 IP address instead of st0.0? This is an accepted configuration. I have used this in a single-VPN setup, not tried it in multi-site as you are doing, but I would say "give it a shot!"



  • 4.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-10-2009 20:42
    Have you tried qualified routes?


  • 5.  RE: Next Hop Tunnel Binding IPSEC VPN

    Posted 09-14-2009 14:46

    Kevin,

    I wanted to do this without numbering the tunnel interfaces, but it appears that in order to use next-hop tunneling, that is what needs to be done.


    #tunnels
    #IPSec
    #multiple