Hello Everyone,
I need to run multicast between my two Juniper SRX 320s. I currently have a VPN established between them and I have configured a GRE tunnel to run through the VPN as well. However, when I check the routes it is showing the inside traffic is traversing st0.0 and not gr-0/0/0. I have configured a route statement specifying I want the inside traffic to be reached via GRE, but it is still traversing the wrong tunnel. Any clue on what I need to change to make this work so I can use a dynamic routing protocol?
Configs are below (Routes included with remote inside route highlighted):
## Last changed: 2023-05-17 15:43:10 UTC
version 23.1R1.8;
system {
host-name ***********;
root-authentication {
encrypted-password "*************"; ## SECRET-DATA
}
login {
user ******* {
uid 2000;
class super-user;
authentication {
encrypted-password "******"; ## SECRET-DATA
}
}
}
services {
ssh;
netconf {
ssh;
}
dhcp-local-server {
group jdhcp-group {
interface irb.0;
}
}
web-management {
https {
system-generated-certificate;
}
}
}
time-zone UTC;
name-server {
8.8.8.8;
8.8.4.4;
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
ike {
proposal *_VPN {
authentication-method pre-shared-keys;
dh-group group19;
encryption-algorithm aes-256-gcm;
lifetime-seconds 28800;
}
policy *_VPN {
reauth-frequency 0;
proposals *_VPN;
pre-shared-key ascii-text "*******"; ## SECRET-DATA
}
gateway *_VPN {
ike-policy *_VPN;
address 1.*.*;
dead-peer-detection {
optimized;
interval 10;
threshold 5;
}
local-identity inet 1.*.*;
remote-identity inet 1.*.*;
external-interface ge-0/0/0;
version v2-only;
fragmentation {
size 576;
}
}
}
ipsec {
proposal *_VPN {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}
policy *_VPN {
perfect-forward-secrecy {
keys group19;
}
proposals *_VPN;
}
vpn *_VPN {
bind-interface st0.0;
df-bit clear;
copy-outer-dscp;
ike {
gateway *_VPN;
ipsec-policy *_VPN;
}
traffic-selector ts-1 {
local-ip 172.16.40.0/24;
remote-ip 172.16.30.0/24;
}
traffic-selector ts-2 {
local-ip 192.168.4.0/24;
remote-ip 192.168.3.0/24;
}
establish-tunnels immediately;
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy trust-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
}
}
policy IN_TO_OUT {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy OUT_TO_IN {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone GR-VPN {
policy TRUST_TO_VPN {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone GR-VPN to-zone trust {
policy VPN_TO_TRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
irb.4;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
dl0.0 {
host-inbound-traffic {
system-services {
tftp;
}
}
}
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
security-zone GR-VPN {
interfaces {
st0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
gr-0/0/0.0;
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp {
retransmission-interval 5;
force-discover;
}
}
}
}
gr-0/0/0 {
unit 0 {
tunnel {
source 172.16.40.1;
destination 172.16.30.1;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members *;
}
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 10.0.40.1/24;
}
}
}
cl-1/0/0 {
dialer-options {
pool 1 priority 100;
}
}
dl0 {
unit 0 {
family inet {
negotiate-address;
}
family inet6 {
negotiate-address;
}
dialer-options {
pool 1;
dial-string 1234;
always-on;
}
}
}
irb {
unit 4 {
family inet {
address 192.168.4.1/24;
}
}
}
st0 {
unit 0 {
family inet {
mtu 1420;
address 172.16.40.1/24;
}
}
}
}
}
}
}
}
}
vlans {
* {
vlan-id 4;
l3-interface irb.4;
}
}
protocols {
l2-learning {
global-mode switching;
}
rstp {
interface all;
}
}
routing-options {
static {
route 192.168.3.0/24 next-hop gr-0/0/0.0;
}
}
[edit]
root@**********# run show route detail
172.16.30.0/24 (1 entry, 1 announced)
*Static Preference: 5
Next hop type: Router, Next hop index: 1375
Address: 0x4484b74
Next-hop reference count: 4, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop: via st0.0, selected
Session Id: 0
State: <Active Int NSR-incapable>
Age: 43:25
Validation State: unverified
Task: RPD Unix Domain Server./var/run/rpd_serv.local
Announcement bits (2): 0-KRT 1-Resolve tree 1
AS path: I
Thread: junos-main
172.16.40.0/24 (1 entry, 1 announced)
*Direct Preference: 0
Next hop type: Interface, Next hop index: 0
Address: 0x4484be4
Next-hop reference count: 1, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop: via st0.0, selected
State: <Active Int>
Age: 43:25
Validation State: unverified
Task: IF
Announcement bits (1): 1-Resolve tree 1
AS path: I
Thread: junos-main
172.16.40.1/32 (1 entry, 1 announced)
*Local Preference: 0
Next hop type: Local, Next hop index: 0
Address: 0x4484324
Next-hop reference count: 6, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop:
Interface: st0.0
State: <Active NoReadvrt Int>
Age: 43:25
Validation State: unverified
Task: IF
Announcement bits (1): 1-Resolve tree 1
AS path: I
Thread: junos-main
192.168.3.0/24 (1 entry, 1 announced)
*Static Preference: 5
Next hop type: Router, Next hop index: 1375
Address: 0x4484b74
Next-hop reference count: 4, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop: via st0.0, selected
Session Id: 0
State: <Active Int NSR-incapable>
Age: 24:07
Validation State: unverified
Task: RPD Unix Domain Server./var/run/rpd_serv.local
Announcement bits (2): 0-KRT 1-Resolve tree 1
AS path: I
Thread: junos-main
192.168.4.0/24 (1 entry, 1 announced)
*Direct Preference: 0
Next hop type: Interface, Next hop index: 0
Address: 0x4484a24
Next-hop reference count: 1, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop: via irb.4, selected
State: <Active Int>
Age: 1w0d 0:11:26
Validation State: unverified
Task: IF
Announcement bits (1): 1-Resolve tree 1
AS path: I
Thread: junos-main
192.168.4.1/32 (1 entry, 1 announced)
*Local Preference: 0
Next hop type: Local, Next hop index: 0
Address: 0x4484324
Next-hop reference count: 6, key opaque handle: 0x0, non-key opaque handle: 0x0
Next hop:
Interface: irb.4
State: <Active NoReadvrt Int>
Age: 1w0d 0:11:26
Validation State: unverified
Task: IF
Announcement bits (1): 1-Resolve tree 1
AS path: I
Thread: junos-main
[edit]
root@*********# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7413452 UP 5e5b0197c30afaf0 adb118e415dff957 IKEv2 1.*.*
[edit]
root@*************# run show security ipsec security-associations
Total active tunnels: 2 Total Ipsec sas: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<67108872 ESP:aes-gcm-256/None f8c0f5f7 962/ unlim - root 500 1.*.*
>67108872 ESP:aes-gcm-256/None 1fa0bd4c 962/ unlim - root 500 1.*.*
<67108873 ESP:aes-gcm-256/None 941468e 2120/ unlim - root 500 1.*.*
>67108873 ESP:aes-gcm-256/None 7ac38d13 2120/ unlim - root 500 1.*.*
------------------------------
MATTHEW LOVELAND
------------------------------
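A reconciliation check for the symptom described in the post, added here as an example and not part of the original thread: it parses the configured static routes, the IPsec traffic-selector remote prefixes and the selected next hop of each prefix in `show route detail`, and flags any static route whose active next hop is not the configured one. The inputs are constructed excerpts in the style of the post's config and route output, and the function names are my own.

```python
import re

# Constructed excerpts modelled on the post (sample data, not the full dump).
CONFIG = """
traffic-selector ts-1 { local-ip 172.16.40.0/24; remote-ip 172.16.30.0/24; }
traffic-selector ts-2 { local-ip 192.168.4.0/24; remote-ip 192.168.3.0/24; }
routing-options { static { route 192.168.3.0/24 next-hop gr-0/0/0.0; } }
"""

ROUTE_DETAIL = """
172.16.30.0/24 (1 entry, 1 announced)
*Static Preference: 5
Next hop: via st0.0, selected
192.168.3.0/24 (1 entry, 1 announced)
*Static Preference: 5
Next hop: via st0.0, selected
192.168.4.0/24 (1 entry, 1 announced)
*Direct Preference: 0
Next hop: via irb.4, selected
"""

def configured_static_routes(config):
    """Map prefix -> next-hop interface from 'route X next-hop Y;' statements."""
    return dict(re.findall(r"route\s+(\S+)\s+next-hop\s+(\S+);", config))

def traffic_selector_prefixes(config):
    """Remote prefixes of the IPsec traffic selectors. SRX auto route insertion
    installs a preference-5 static route for each of these via the st0 bind interface."""
    return set(re.findall(r"remote-ip\s+(\S+);", config))

def active_next_hops(route_detail):
    """Map prefix -> (protocol, interface) of the selected next hop per route block."""
    hops = {}
    for block in re.split(r"^(?=\S+/\d+ \()", route_detail.strip(), flags=re.M):
        prefix = re.match(r"(\S+/\d+) \(", block)
        proto = re.search(r"\*(\w+) Preference", block)
        via = re.search(r"Next hop: via (\S+), selected", block)
        if prefix and proto and via:
            hops[prefix.group(1)] = (proto.group(1), via.group(1))
    return hops

def find_mismatches(config, route_detail):
    """Return (prefix, configured_nh, active_nh, note) for every static route
    whose selected next hop differs from what routing-options asks for."""
    wanted, ari = configured_static_routes(config), traffic_selector_prefixes(config)
    active = active_next_hops(route_detail)
    out = []
    for prefix, nh in wanted.items():
        _proto, via = active.get(prefix, ("missing", None))
        if via != nh:
            note = ("prefix is also a traffic-selector remote-ip (auto-inserted route via st0)"
                    if prefix in ari else "no competing route found in the parsed config")
            out.append((prefix, nh, via, note))
    return out
```

Running `find_mismatches(CONFIG, ROUTE_DETAIL)` on the sample reports 192.168.3.0/24 configured via gr-0/0/0.0 but selected via st0.0, and notes that the same prefix is ts-2's remote-ip.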