SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Routing Instance VPN Solution

    Posted 04-03-2020 09:50

    Hi all,

     

    I have two VRF's (LAN virtual-router and  WAN virtual-router) at two sites on two Juniper SRX firewalls, is it possible to do the following:

     

    - I want to form IKE phase 1 via the WAN-VRF on the WAN facing interface using:

    set security ike gateway gateway-1 external-interface ge-0/0/1.10

     The interesting traffic, however, originates inside the LAN VRF including tunnel interfaces.

    set routing-instances WAN-VRF instance-type virtual-router
    set routing-instances WAN-VRF interface ge-0/0/1.10
    set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
    set routing-instances LAN-VRF instance-type virtual-router
    set routing-instances LAN-VRF interface ge-0/0/3.10
    set routing-instances LAN-VRF interface st0.1
    

     

    My main requirement is that the WAN-VRF just has a default route to the service provider (above) and holds no routes to the LAN-VRF for security purposes. Inside the LAN-VRF are all the VPN interesting traffic and routes, because of the security requirement I cannot do any route leaking from the LAN-VRF to the WAN-VRF, because later down the line more LAN-VRFs will be created and they could have the same IP addressing scheme.

     

    Is there any way to achieve this?

     

    Thanks.


    #vpn
    #routing-instance
    #vrf
    #IPSec
    #virtual-router


  • 2.  RE: Routing Instance VPN Solution

    Posted 04-03-2020 21:58

    Hello,

     


    @jjelliott1821 wrote:

     

    Is there any way to achieve this?

     

     


     

    Yes. AFAIK, terminating IKE on physical or loopback interface inside routing instance is supported on SRX since long time.

    Ditto for placing ST0 interface units in different routing instances.

    You just need to add 0/0 routes into Your LAN-VRF and WAN-VRF, verify Your security policies to allow necessary traffic, make sure You enable necessary host-generated-traffic options. double-check Your lo0.0 filter if You have any and You are good to go unless You have a really ancient JUNOS version, like 10.0<something>.

    HTH

    Thx

    Alex

     

     



  • 3.  RE: Routing Instance VPN Solution

    Posted 04-04-2020 08:48

    Hi Aarseniev,

     

    Thanks for the information.

     

    The current static routes I have are:

    set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
    set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
    set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
    set security zones security-zone WAN-VRF interfaces ge-0/0/2.10 host-inbound-traffic system-services ping
    set security zones security-zone WAN-VRF interfaces ge-0/0/2.10 host-inbound-traffic system-services ike
    set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ping
    set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ike

    set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match source-address any
    set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match destination-address any
    set security policies from-zone LAN-VRF to-zone ESN-VRF policy any match application any
    set security policies from-zone LAN-VRF to-zone ESN-VRF policy any then permit
    set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match source-address any
    set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match destination-address any
    set security policies from-zone ESN-VRF to-zone LAN-VRF policy any match application any
    set security policies from-zone ESN-VRF to-zone LAN-VRF policy any then permit

    ge-0/0/2.10 is the external interface for IKE, I cant ping anything in WAN-VRF with the current 0/0 route on LAN-VRF, should it be different? Currently I am using next-table feature.

     



  • 4.  RE: Routing Instance VPN Solution

    Posted 04-05-2020 02:03

    Hello,

    I labbed up You config with JUNOS 15.1X49 and it works fine AS LONG AS:

    a/ there is a route from "anything in WAN-VRF" You are presumably pinging back to prefixes in LAN-VRF;

    OR

    b/ You are doing source NAT for Your traffic.

    I don't see source NAT rules in Your SRX config snippet You shared, please post the complete sanitized SRX config and topology to t'shoot further.

    HTH

    Thx

    Alex 



  • 5.  RE: Routing Instance VPN Solution

    Posted 04-05-2020 06:54

    Hi Alex,

     

    Here is my configuration at the moment and the routing table output. 80.1.1.2 is reachable in the WAN-VRF, which is the gateway address of the other side of the site-to-site VPN.

    ping routing-instance WAN-VRF 80.1.1.2
    PING 80.1.1.2 (80.1.1.2): 56 data bytes
    64 bytes from 80.1.1.2: icmp_seq=0 ttl=61 time=318.450 ms
    64 bytes from 80.1.1.2: icmp_seq=1 ttl=61 time=23.258 ms
    64 bytes from 80.1.1.2: icmp_seq=2 ttl=61 time=13.519 ms

     

    The phase 1 tunnel is not up, however, I think this may be due to no interesting traffic?

     

    Essentially the purpose of this is to have LAN-VRF subnet 172.16.10.0/24 to reach 172.16.30.0/24 on the other side of the VPN, whilst the tunnel interface st0.1 resides in LAN-VRF and the physical external interface resides in WAN-VRF. I also don't want  WAN-VRF to not be aware of any of the LAN-VRF subnets in its routing table, so I can learn how to keep this separate. Some example of how this can be done would be very much appreciated.

     

     

    set system host-name DC1
    set system root-authentication encrypted-password "$1$BMZ9QGMQ$gbwTxvGtvmoeEHEv1QggQ1"
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 vlan-tagging
    set interfaces ge-0/0/1 unit 10 vlan-id 10
    set interfaces ge-0/0/1 unit 10 family inet address 20.1.1.2/30
    set interfaces ge-0/0/3 vlan-tagging
    set interfaces ge-0/0/3 unit 10 vlan-id 10
    set interfaces ge-0/0/3 unit 10 family inet address 172.16.10.1/24
    set interfaces ge-0/0/3 unit 20 vlan-id 20
    set interfaces ge-0/0/3 unit 20 family inet address 172.16.20.1/24
    set interfaces st0 unit 1 family inet mtu 1436
    set security ike traceoptions file size 750k
    set security ike traceoptions file files 10
    set security ike traceoptions flag policy-manager
    set security ike traceoptions flag ike
    set security ike traceoptions flag routing-socket
    set security ike proposal proposal-1 authentication-method pre-shared-keys
    set security ike proposal proposal-1 dh-group group19
    set security ike proposal proposal-1 authentication-algorithm sha-256
    set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
    set security ike proposal proposal-1 lifetime-seconds 86400
    set security ike policy policy-1 mode main
    set security ike policy policy-1 proposals proposal-1
    set security ike policy policy-1 pre-shared-key ascii-text "$9$VtsgJikP36AGD6Ap0hcbs2"
    set security ike gateway gateway-1 ike-policy policy-1
    set security ike gateway gateway-1 address 80.1.1.2
    set security ike gateway gateway-1 no-nat-traversal
    set security ike gateway gateway-1 external-interface ge-0/0/1.10
    set security ike gateway gateway-1 version v2-only
    set security ipsec proposal secproposal-1 protocol esp
    set security ipsec proposal secproposal-1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal secproposal-1 encryption-algorithm aes-128-cbc
    set security ipsec proposal secproposal-1 lifetime-seconds 3600
    set security ipsec policy secpolicy-1 perfect-forward-secrecy keys group19
    set security ipsec policy secpolicy-1 proposals secproposal-1
    set security ipsec vpn secvpn-1 bind-interface st0.1
    set security ipsec vpn secvpn-1 ike gateway gateway-1
    set security ipsec vpn secvpn-1 ike ipsec-policy secpolicy-1
    set security ipsec vpn secvpn-1 establish-tunnels immediately
    set security address-book WAN-VRF attach zone WAN-VRF
    set security address-book LAN-VRF attach zone LAN-VRF
    set security address-book LAN-2-VRF attach zone LAN-2-VRF
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match source-address any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match destination-address any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match application any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any then permit
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match source-address any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match destination-address any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match application any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any then permit
    set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
    set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
    set security zones security-zone WAN-VRF interfaces ge-0/0/1.10 host-inbound-traffic system-services ike
    set security zones security-zone WAN-VRF interfaces ge-0/0/1.10 host-inbound-traffic system-services ping
    set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ping
    set security zones security-zone LAN-VRF interfaces ge-0/0/3.10 host-inbound-traffic system-services ike
    set security zones security-zone LAN-2-VRF interfaces ge-0/0/3.20 host-inbound-traffic system-services ike
    set security zones security-zone LAN-2-VRF interfaces ge-0/0/3.20 host-inbound-traffic system-services ping
    set routing-instances WAN-VRF instance-type virtual-router
    set routing-instances WAN-VRF interface ge-0/0/1.0
    set routing-instances WAN-VRF interface ge-0/0/1.10
    set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.1
    set routing-instances LAN-VRF instance-type virtual-router
    set routing-instances LAN-VRF interface ge-0/0/3.10
    set routing-instances LAN-VRF interface st0.1
    set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
    set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
    set routing-instances LAN-2-VRF instance-type virtual-router
    set routing-instances LAN-2-VRF interface ge-0/0/3.20
    show route:
    WAN-VRF.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 00:14:36
                        > to 20.1.1.1 via ge-0/0/1.10
    20.1.1.0/30        *[Direct/0] 00:14:36
                        > via ge-0/0/1.10
    20.1.1.2/32        *[Local/0] 00:14:38
                          Local via ge-0/0/1.10
    
    LAN-VRF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 00:15:02
                          to table WAN-VRF.inet.0
    172.16.10.0/24     *[Direct/0] 00:14:36
                        > via ge-0/0/3.10
    172.16.10.1/32     *[Local/0] 00:14:38
                          Local via ge-0/0/3.10
    172.16.30.0/24     *[Static/5] 00:14:52
                        > via st0.1
    
    LAN-2-VRF.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    172.16.20.0/24     *[Direct/0] 00:14:36
                        > via ge-0/0/3.20
    172.16.20.1/32     *[Local/0] 00:14:38
                          Local via ge-0/0/3.20

    Thankyou

     



  • 6.  RE: Routing Instance VPN Solution
    Best Answer

    Posted 04-05-2020 08:51

    Hello,

    It works in my lab with Your config as below (slightly modified for interface names and DH group):

     

     

    set security ike proposal proposal-1 authentication-method pre-shared-keys
    set security ike proposal proposal-1 dh-group group5
    set security ike proposal proposal-1 authentication-algorithm sha-256
    set security ike proposal proposal-1 encryption-algorithm aes-128-cbc
    set security ike proposal proposal-1 lifetime-seconds 86400
    set security ike policy policy-1 mode main
    set security ike policy policy-1 proposals proposal-1
    set security ike policy policy-1 pre-shared-key ascii-text "$9$VtsgJikP36AGD6Ap0hcbs2"
    set security ike gateway gateway-1 ike-policy policy-1
    set security ike gateway gateway-1 address 80.1.1.2
    set security ike gateway gateway-1 no-nat-traversal
    set security ike gateway gateway-1 external-interface ge-0/0/0.0
    set security ike gateway gateway-1 version v2-only
    set security ipsec proposal secproposal-1 protocol esp
    set security ipsec proposal secproposal-1 authentication-algorithm hmac-sha-256-128
    set security ipsec proposal secproposal-1 encryption-algorithm aes-128-cbc
    set security ipsec proposal secproposal-1 lifetime-seconds 3600
    set security ipsec policy secpolicy-1 perfect-forward-secrecy keys group5
    set security ipsec policy secpolicy-1 proposals secproposal-1
    set security ipsec vpn secvpn-1 bind-interface st0.1
    set security ipsec vpn secvpn-1 ike gateway gateway-1
    set security ipsec vpn secvpn-1 ike ipsec-policy secpolicy-1
    set security ipsec vpn secvpn-1 establish-tunnels immediately
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match source-address any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match destination-address any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any match application any
    set security policies from-zone LAN-VRF to-zone WAN-VRF policy any then permit
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match source-address any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match destination-address any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any match application any
    set security policies from-zone WAN-VRF to-zone LAN-VRF policy any then permit
    set security zones security-zone LAN-VRF host-inbound-traffic system-services all
    set security zones security-zone LAN-VRF host-inbound-traffic protocols all
    set security zones security-zone LAN-VRF interfaces ge-0/0/1.0
    set security zones security-zone LAN-VRF interfaces st0.1
    set security zones security-zone WAN-VRF host-inbound-traffic system-services ping
    set security zones security-zone WAN-VRF host-inbound-traffic system-services ssh
    set security zones security-zone WAN-VRF host-inbound-traffic system-services ike
    set security zones security-zone WAN-VRF interfaces ge-0/0/0.0
    set interfaces ge-0/0/0 unit 0 family inet address 20.1.1.1/24
    set interfaces ge-0/0/1 unit 0 family inet address 172.16.10.1/24
    set interfaces st0 unit 1 description "IPsec to SRX2"
    set interfaces st0 unit 1 family inet mtu 1436
    set routing-instances LAN-VRF instance-type virtual-router
    set routing-instances LAN-VRF interface ge-0/0/1.0
    set routing-instances LAN-VRF interface st0.1
    set routing-instances LAN-VRF routing-options static route 0.0.0.0/0 next-table WAN-VRF.inet.0
    set routing-instances LAN-VRF routing-options static route 172.16.30.0/24 next-hop st0.1
    set routing-instances WAN-VRF instance-type virtual-router
    set routing-instances WAN-VRF interface ge-0/0/0.0
    set routing-instances WAN-VRF routing-options static route 0.0.0.0/0 next-hop 20.1.1.2

     

     

     

    Verification:

     

     

     

    regress@FW1> show security ike sa 
    Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
    2724959 UP     79ee962d64f0f88e  bdd8d7675bf603d6  IKEv2          80.1.1.2        
    
    regress@FW1> show security ipsec sa 
      Total active tunnels: 1
      ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
      <131074 ESP:aes-cbc-128/sha256 297cfe73 3538/ unlim - root 500 80.1.1.2        
      >131074 ESP:aes-cbc-128/sha256 260bc29f 3538/ unlim - root 500 80.1.1.2        
    
    
    regress@FW1> show route table WAN-VRF 
    
    WAN-VRF.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 00:25:57
                        > to 20.1.1.2 via ge-0/0/0.0
    20.1.1.0/24        *[Direct/0] 00:28:19
                        > via ge-0/0/0.0
    20.1.1.1/32        *[Local/0] 00:28:19
                          Local via ge-0/0/0.0
    
    regress@FW1> show route table LAN-VRF    
    
    LAN-VRF.inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 06:37:18
                          to table WAN-VRF.inet.0
    172.16.10.0/24     *[Direct/0] 00:16:32
                        > via ge-0/0/1.0
    172.16.10.1/32     *[Local/0] 00:16:32
                          Local via ge-0/0/1.0
    172.16.30.0/24     *[Static/5] 00:01:45
                        > via st0.1

     

     

    Topology:

     

    SRX FW1[ge-0/0/0]-----R1-------R2--------[ge-0/0/0]SRX FW2

     

     

    Ping from LAN-VRF towards any destination EXCEPT 172.16.30.0/24 does not work, and this is expected because You did not share NAT rules. 

    Once I add NAT rule as below, ping from LAN-VRF towards 80.1.1.2 works

     

     

    set security nat source rule-set ifnat from routing-instance LAN-VRF
    set security nat source rule-set ifnat to interface ge-0/0/0.0
    set security nat source rule-set ifnat rule ifnat-1 match source-address 172.16.10.0/24
    set security nat source rule-set ifnat rule ifnat-1 match destination-address 0.0.0.0/0
    set security nat source rule-set ifnat rule ifnat-1 then source-nat interface

     

     

    - BUT - You can see it ONLY in "show security flow sesson" because returning traffic does NOT have a route from WAN-VRF  to Your LAN-VRF private IPs and this is actually one of Your requirements:

     

     

    regress@FW1> ping 80.1.1.1 source 172.16.10.1 routing-instance LAN-VRF    
    PING 80.1.1.1 (80.1.1.1): 56 data bytes
    (no response, but see below)
    
    regress@FW1# run show security flow session  source-prefix 172.16.10.1    
    Session ID: 791, Policy name: self-traffic-policy/1, Timeout: 2, Valid
      In: 172.16.10.1/78 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84,  <<<< ICMP ECHO REQUEST
      Out: 80.1.1.1/35878 --> 20.1.1.1/19509;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE
    
    Session ID: 792, Policy name: self-traffic-policy/1, Timeout: 2, Valid
      In: 172.16.10.1/79 --> 80.1.1.1/35878;icmp, Conn ID: 0x0, If: .local..7, Pkts: 1, Bytes: 84, <<<< ICMP ECHO REQUEST
      Out: 80.1.1.1/35878 --> 20.1.1.1/12774;icmp, Conn ID: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 84, <<<< ICMP ECHO RESPONSE
    Total sessions: 2
    

     

     

     

    HTH

    Thx

    Alex

     

     

     



  • 7.  RE: Routing Instance VPN Solution

    Posted 04-05-2020 13:30

    Alex, many thanks for your assistance, everything worked and the NAT rule has helped LAN-VRF get to the internet without WAN-VRF having a route which is scalable for me when i create more VRF's.

     

    Only thing I had to add was a policy INTRA policy between LAN-VRF to LAN-VRF otherwise the VPN traffic could not talk.

     

    Thanks.



  • 8.  RE: Routing Instance VPN Solution

    Posted 06-19-2020 05:00

    Hi all,

    I have an srx located in the data center. The plan is to use the IPSec dial tunnel between the SRX and multiple clients. The plan is to share the IP address of the SRX endpoint to all clients, except for a separate routing table. On the Cisco platform, I'm used to using VRFs which allow us to separate data traffic from clients. Is something similar possible with srx?
    If yes, how does it work with vrf to separate traffic from vpn.
    the diagram below illustrates the expected results

    image004.jpg Thanks



  • 9.  RE: Routing Instance VPN Solution

    Posted 06-22-2020 02:54

    In Junos you will use routing-instance function with the virtual route type.

     

    You put interfaces into virtual routers and they will each maintain their own separate routing table.  The private address intefaces for each of your vpn groups would be placed into the virtual router. 

     

    Your public address for the tunnel endpoint will remain in the default main routing instance with no additional configuration required and that can be shared by all the tunnels.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/routing-instances-overview.html

     



  • 10.  RE: Routing Instance VPN Solution

    Posted 07-06-2020 00:14

    Thank you for your reply.

    If i do this can a share a BGP routing table in each routing instance ? 

    if your have a exemple of this type of configuration with a dialup VPN can you show me please .

    Regards