SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  two isp routing instance or VPN issue

    Posted 07-09-2024 06:01

    Hello,

    I need some help with a two ISP BGP setup.

    I have two ISP lines and I'd like to utilize them both in peacetime. So here are my requirements:
    - I want to publish my services with the BGP address so that whichever line is active, those will be available.
    - I want to use the backup line as the internet access line for the guest wifi networks.
    - I also want to use the backup line's host address as a secondary MX and a secondary DNS.
    - I also have several S2S VPNs that I want to terminate on the loopback adapter, to make the VPN redundant via BGP.

    These last two requirements have been giving me a headache for a while.

    Scenario A

    based on this description:
    https://supportportal.juniper.net/s/article/SRX-Source-based-routing-configuration-example?language=en_US
    -I used two routing instances (forwarding type)
    -BGP is okay,
    -I can use the second ISP line for Internet browsing by guests.
    -I can terminate VPN on the loopback interface. VPN is up and okay.
    -I cannot use the isp2 host address to publish any service, because the reply packets will always be calculated to use isp1's line.

    Scenario B


    -I used two routing instances (similar to scenario A) as virtual routers, so it will always use the correct interface for the reply packets.
    -BGP is okay,
    -I can use the second ISP line for Internet browsing by guests.
    -I can publish my SMTP server.
    -VPN is not working because I have to place the lo0.0 interface into the default routing instance (I used a separate zone for that with correct policies), not into isp1 or isp2.
        I don't know the reason, but I cannot see the IKE or ICMP packets arriving on the loopback interface with monitor traffic, and I cannot see those packets in a basic datapath tracefile, but I can see the flow session for the ICMP packets and I can ping the loopback interface from outside. However, I cannot see the flow session for the IKE packets.
    In this scenario, when I place st0.1 and lo0.0 into the primary routing instance, VPN will come up immediately.

    In this scenario I don't understand why I cannot see the packets in the traceoptions.

    Scenario C

    -I used one default routing instance for everything except a second-isp-dmz zone where I placed my SMTP server. So I can
    -BGP is okay,
    -I can use the second ISP line for Internet browsing by hosts from the dmz routing instance. (If I place the guests into this routing instance, that is working too.)
    -I can terminate VPN on the loopback interface. VPN is up and okay.
    -I cannot use the isp2 host address to publish any service; the flow is calculated against the default routing instance, and there the isp1 line is the active one.

    As a workaround I tried:
     -to make firewall filters to put the packets into the dmz routing instance (input filter on isp2)
     -to set up destination NAT with a routing instance
     



    ------------------------------
    Balázs Bajmóczi
    ------------------------------

    Attachment(s): scenario_b.txt


  • 2.  RE: two isp routing instance or VPN issue

    Posted 07-09-2024 11:21

    Personally, I prefer Scenario B, but instead of a single VPN on lo0, I put two VPNs on the external interfaces in isp1 and isp2 (the st0 interfaces can be in whatever routing instance you need them to be) and then just run OSPF or BGP on the st0 interfaces for site-to-site traffic.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: two isp routing instance or VPN issue

    Posted 07-10-2024 01:59

    Hello Nikolay,

    Thanks for your reply; yes, it can be a workaround. Now I have VPNs on that address (now it is the interface address, and I'm before the BGP change), so the change will be smoother if I don't depend on a couple of other parties and don't change the address of the VPN. It could work if I do the change with the loopback interface moved to the isp1 routing instance, and after the BGP change I'll replace the gateway address of the VPNs one by one with the customers to the two independent IP addresses.

    Do you have any idea why the VPN packets are not reaching the loopback adapter in Scenario B?

    Thanks,

    Balázs



    ------------------------------
    Balázs Bajmóczi
    ------------------------------



  • 4.  RE: two isp routing instance or VPN issue

    Posted 07-10-2024 12:15

    Not sure. Try show security packet-drop record to see if something shows up in there.

    Here's another horrifying workaround you could try: put lo0.0 in isp1 with address 194.1.1.10/32 and lo0.1 in isp2 with the same address 194.1.1.10/32.

    Also, there's really no need for st0 to be in the same zone / routing-instance as the external interface for the VPN. In fact, in most cases it shouldn't be in the same zone. The st0 interface is not involved with the IKE / ESP traffic, it just pushes the packets that go in and out of the VPN.



    ------------------------------
    Nikolay Semov
    ------------------------------