Hi Adrian,
Sorry was on a long summer holiday...
Unfortunately, it looks like there is currently a limitation in SRX SVR where it cannot be behind a NAT. I tried in the past configuring it behind a NAT and couldn't succeed, and I also compared the SVR metadata with an SSR router behind a NAT. That's why I think there is currently a limitation.
I also tried once to hack the SRX config with the same IP behind a NAT, but couldn't succeed - my idea was to configure the originating public IP on the internal interface and do a double NAT, so inside the SRX it should be like: SVR interface 1.1.1.1 <-NAT-> 10.10.10.10 <-NAT-> 1.1.1.1 <-> WAN
Not sure if that could be done, but due to lack of time I couldn't spend more time on it.
Regards,
Ivan
------------------------------
Ivan Stanev
------------------------------
Original Message:
Sent: 07-10-2023 13:13
From: ADRIAN PISTOL
Subject: SRX and SSR / Conductor integration
Hello Ivan,
I would love to get some guidance around configuring two SRXs - one being behind NAT - to run SVR and route traffic over it, perhaps with BGP!
Your snippet was quite enlightening, much more so than the docs for "vector-routing", and it would make me very happy if you could share more info!
If you have any more SRX-side configs I can learn more from, I'd be oh so happy.
Kind Regards,
Adrian.
------------------------------
ADRIAN PISTOL
Original Message:
Sent: 11-16-2022 08:50
From: Ivan
Subject: SRX and SSR / Conductor integration
Hi,
Here is a sample of working configuration between SRX and SSR using SVR (vector routing):
SRX side
services {
    vector-routing {
        authority-name Authority128;
        cipher-suites {
            vsrx {
                authentication-disabled;
                encryption-disabled;
            }
            internal {
                authentication-disabled;
                encryption-disabled;
            }
        }
        router vsrx-222 {
            node vsrx-222 {
                interfaces {
                    ge-0/0/1.0;
                    ge-0/0/0.0 {
                        adjacency {
                            adj1 {
                                address 1.2.3.4;
                                peer 128R8-Budapest;
                                cipher-suite vsrx;
                            }
                            adj2 {
                                address 2.3.4.5;
                                peer TA-DC-Router;
                                cipher-suite vsrx;
                            }
                        }
                        cipher-suite vsrx;
                    }
                }
            }
            peer {
                128R8-Budapest {
                    authority Authority128;
                    router 128R8-Budapest;
                }
                TA-DC-Router {
                    authority Authority128;
                    router TA-DC-Router;
                }
            }
            service-routes {
                sr1 {
                    peer 128R8-Budapest;
                    destination-service server1;
                }
                sr2 {
                    peer TA-DC-Router;
                    destination-service DC-LAN;
                }
            }
        }
        source-tenants {
            host1-zone {
                ip-prefix 192.168.246.2/32;
                interfaces {
                    ge-0/0/1.0;
                }
            }
            Budapest-tenants {
                ip-prefix 10.0.128.0/24;
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
        destination-services {
            vsrx-222-lan {
                ip-prefix 192.168.246.0/24;
                access-policy Budapest-tenants permission allow;
                cipher-suite vsrx;
            }
            server1 {
                ip-prefix 10.0.128.65/32;
                transport {
                    tcp;
                    icmp;
                }
                access-policy host1-zone permission allow;
                cipher-suite vsrx;
            }
            DC-LAN {
                ip-prefix 10.19.15.0/24;
                transport {
                    tcp;
                    udp;
                    icmp;
                }
                access-policy host1-zone permission allow;
                cipher-suite vsrx;
            }
        }
        meta-bfd {
            desired-tx-interval 1000;
            required-min-rx-interval 1000;
            link-test-interval 1;
            multiplier 3;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description untrust;
            family inet {
                address 1.1.1.1;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            description trust;
            family inet {
                address 192.168.246.1/24;
            }
        }
    }
}
On the SSR side
router TA-DC-Router
    name TA-DC-Router
    peer vsrx-222
        name vsrx-222
        authority-name Authority128
        router-name vsrx-222
    exit
    node node1
        name node1
        device-interface WAN1
            name WAN1
            pci-address 0000:02:00.0
            capture-filter len>0
            network-interface WAN1
                name WAN1
                global-id 1
                conductor true
                neighborhood wan1
                    name wan1
                    topology hub
                    vector wan1
                    path-mtu-discovery
                        enabled true
                    exit
                exit
                inter-router-security internal
                source-nat true
                management false
                address 2.3.4.5
                    ip-address 2.3.4.5
                    prefix-length 27
                    gateway 2.3.4.6
                exit
                adjacency 1.1.1.1 vsrx-222
                    ip-address 1.1.1.1
                    peer vsrx-222
                    inter-router-security internal
                    external-nat-address 1.1.1.1
                exit
            exit
        exit
        device-interface LAN
            name LAN
            pci-address 0000:02:00.1
            capture-filter len>0
            network-interface LAN
                name LAN
                global-id 2
                neighborhood lan-dc
                    name lan-dc
                exit
                tenant DC-LAN
                inter-router-security internal
                source-nat false
                address 10.19.15.1
                    ip-address 10.19.15.1
                    prefix-length 24
                    gateway 10.19.15.254
                exit
            exit
        exit
    exit
    service-route DC-LAN-sr
        name DC-LAN-sr
        service-name DC-LAN
        next-hop node1 LAN
            node-name node1
            interface LAN
            gateway-ip 10.19.15.254
        exit
    exit
exit
tenant DC-LAN
    name DC-LAN
exit
tenant host1-zone
    name host1-zone
    member vsrx-222
        neighborhood vsrx-222
        address 192.168.246.2/32
    exit
exit
security vsrx
    name vsrx
    encrypt false
    hmac-mode disabled
exit
service DC-LAN
    name DC-LAN
    security vsrx
    address 10.19.15.0/24
    access-policy host1-zone
        source host1-zone
    exit
    source-nat disabled
exit
SVR is working on both SRX and vSRX, and it should work on NFX as well using version:
version 21.4R2.10;
You should see that the peering is up before the SVR interconnection will work:
show services vector-routing peer-summary
Logical-system or Tenant   Peer           adjacency   status
------------------------------------------------------------
root-logical-system        TA-DC-Router   adj2        UP
Please note that some names must match on both sides (SRX and SSR), for example the Authority name, Router name, Service name, Tenant name, Security policy name, etc.
This example is without encryption between nodes; later I will post another example with encryption and how to configure it.
Hope it helps,
Ivan
------------------------------
Ivan Stanev
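A small cross-check for the two configs in the post above, added here as an example rather than code from the thread or from Juniper: it parses the Junos brace-style `services vector-routing` stanza and the text-form SSR config, compares the names the post says must agree on both sides (authority, router, service, tenant, cipher-suite/security), and flags cipher suites that disable authentication or encryption, since the posted example deliberately runs without either. Both sample configs are constructed subsets of the posted ones with the same names; the helper names (`parse_junos`, `cross_check`, and so on) are this example's own.

```python
"""Cross-check an SRX vector-routing stanza against an SSR config (added
example, not code from the thread or from Juniper). Names that must match on
both sides are compared and cipher suites with auth/encryption off are flagged."""
import re

# Constructed SRX sample: a subset of the posted config, same names.
SRX_CONFIG = """
services { vector-routing {
    authority-name Authority128;
    cipher-suites { vsrx { authentication-disabled; encryption-disabled; } }
    router vsrx-222 {
        peer { TA-DC-Router { authority Authority128; router TA-DC-Router; } }
        service-routes { sr2 { peer TA-DC-Router; destination-service DC-LAN; } }
    }
    source-tenants { host1-zone { ip-prefix 192.168.246.2/32; } }
    destination-services {
        DC-LAN { ip-prefix 10.19.15.0/24; access-policy host1-zone permission allow; cipher-suite vsrx; }
    }
} }
"""

# Constructed SSR sample: a subset of the posted config, same names.
SSR_CONFIG = """
router TA-DC-Router
    name TA-DC-Router
    peer vsrx-222 name vsrx-222 authority-name Authority128 router-name vsrx-222 exit
exit
tenant DC-LAN name DC-LAN exit
tenant host1-zone name host1-zone exit
security vsrx name vsrx encrypt false hmac-mode disabled exit
service DC-LAN name DC-LAN security vsrx address 10.19.15.0/24 exit
"""

def parse_junos(text):
    """Junos braces -> nested dicts: 'x { ... }' -> {'x': {...}}, 'a b;' -> {'a b': None}."""
    tokens = re.findall(r"[{};]|[^{};\s]+", text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                key, words = " ".join(words), []
                node[key] = block()
            elif tok == "}":
                return node
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            else:
                words.append(tok)
        return node

    return block()

def children(node, keyword):
    """{name: body} for entries whose first word is keyword, e.g. 'router X'."""
    return {k.split()[1]: v for k, v in node.items()
            if len(k.split()) > 1 and k.split()[0] == keyword}

def srx_summary(text):
    """Names the SRX side defines, plus cipher suites with auth/encryption off."""
    vr = parse_junos(text)["services"]["vector-routing"]
    routers = children(vr, "router")
    peers = set()
    for body in routers.values():
        peers |= set(body.get("peer") or {})
    weak = [n for n, body in vr["cipher-suites"].items()
            if "authentication-disabled" in body or "encryption-disabled" in body]
    return {"authority": set(children(vr, "authority-name")),
            "local_router": set(routers), "remote_router": peers,
            "service": set(vr["destination-services"]),
            "tenant": set(vr["source-tenants"]),
            "security": set(vr["cipher-suites"]), "weak_security": weak}

def ssr_summary(text):
    """Same view of the SSR text config, via line-anchored patterns."""
    def names(pattern):
        return set(re.findall(pattern, text, re.M))
    weak = [m.group(1) for m in
            re.finditer(r"^\s*security (\S+) name \S+(.*?)\bexit", text, re.M | re.S)
            if "encrypt false" in m.group(2) or "hmac-mode disabled" in m.group(2)]
    return {"authority": names(r"\bauthority-name (\S+)"),
            "local_router": names(r"^router (\S+)"),        # this SSR's own router
            "remote_router": names(r"\brouter-name (\S+)"),  # the router it peers with
            "service": names(r"^\s*service (\S+) name"),
            "tenant": names(r"^\s*tenant (\S+) name"),
            "security": names(r"^\s*security (\S+) name"), "weak_security": weak}

def cross_check(srx_text, ssr_text):
    """Return SRX names missing on the SSR side and the weak cipher suites found."""
    srx, ssr = srx_summary(srx_text), ssr_summary(ssr_text)
    # The SRX's own router is the SSR peer's router-name, and vice versa.
    pairs = [("authority", "authority"), ("local_router", "remote_router"),
             ("remote_router", "local_router"), ("service", "service"),
             ("tenant", "tenant"), ("security", "security")]
    mismatches = [f"SRX {a} {sorted(srx[a] - ssr[b])} not in SSR {b}"
                  for a, b in pairs if srx[a] - ssr[b]]
    return {"mismatches": mismatches,
            "weak_security": {"srx": sorted(srx["weak_security"]),
                              "ssr": sorted(ssr["weak_security"])}}

if __name__ == "__main__":
    print(cross_check(SRX_CONFIG, SSR_CONFIG))
```

Run against the two posted configs (with their real names substituted) the check should come back with an empty mismatch list; any name it reports is one the peering will silently fail on. Both sides showing `vsrx` under `weak_security` is expected for this particular example, which runs with authentication and encryption disabled.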
Original Message:
Sent: 07-11-2022 05:22
From: DUSTY MORRISON
Subject: SRX and SSR / Conductor integration
Hi Dustin,
I saw that SVR was introduced as a feature for SRX in Junos 21.4, but the release note below doesn't mention anything about Conductor (or Mist post v6.0 release) integration. Is this on the roadmap for SRX? It would be great to be able to deploy SRXs with full Conductor based SVR and interoperability with SSRs.
https://www.juniper.net/documentation/us/en/software/junos/release-notes/21.4/junos-release-notes-21.4r1/topics/new-features/feature-descriptions/routing-policy-and-firewall-filters-6.html
Cheers
Dusty
------------------------------
DUSTY MORRISON
Original Message:
Sent: 07-05-2022 12:37
From: Dustin Goss
Subject: SRX and SSR / Conductor integration
The SRX does not currently support the SVR protocol. Integration would be accomplished through standard routing protocols just as if you are connecting to any other router. Please elaborate if you need further assistance.
------------------------------
Dustin Goss
System Engineer Tech Lead
Original Message:
Sent: 06-30-2022 09:01
From: Unknown User
Subject: SRX and SSR / Conductor integration
Hello all
I'm looking for a configuration example for integration between SRX and SSR.
Can someone help with this?
Thanks