[j-nsp] JunOS route-based VPN: multiple st interfaces
Jonathan Lassoff
2010-11-30 00:51:05 UTC
I'm trying to set up an SRX in my office as a branch office with two
ISP connections, and I'd like to run an IPSec path over each back to
our datacenter. Ideally, I could terminate each tunnel on a separate
st0 unit (ifls of st0.0 and st0.1), but it seems that JunOS will only
try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
second bound to st0.1, but it would never even try to send IKE traffic
to start the connection.

So, I've got some failover working now by doing hub-and-spoke (in a
bit of a reverse fashion: one device at the datacenter, two paths to
the branch device) style config -- both VPNs are tied to st0.0, which
is configured as a multipoint interface. My only trouble now is
directing st0.0 traffic down a specific interface; it seems like there
isn't a way to tell it which VPN tunnel to prefer for sending traffic
down.

Any ideas or opinions on what the right way to do this is? I feel like
two separate st0 units makes the most sense, but it's stumping me as
to why it never tries to establish a session.

Cheers,
jof
Adam Leff
2010-11-30 02:45:09 UTC
Jonathan-

I believe you need to look into NHTB (Next-Hop Tunnel Binding) that will
allow you to use the one st0.0 interface but bind multiple tunnels.

Check out the following doc:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40796.html

~Adam
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Adam Leff
2010-11-30 02:49:47 UTC
Also, for what it's worth, I do have multiple logical interfaces under st0
(i.e. st0.0 and st0.1) and it is working without requiring NHTB. This is on
a J-series running 9.6R4.4, not an SRX, so I can't speak to your specific
setup.

Do you have all the prerequisites set up? i.e. st0.1 in the proper
security zone, a route pointed down st0.1 for the traffic to be tunneled,
etc.?

~Adam
Jonathan Lassoff
2010-11-30 08:58:45 UTC
Post by Adam Leff
Also, for what it's worth, I do have multiple logical interfaces under st0
(i.e. st0.0 and st0.1) and it is working without requiring NHTB.
Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
"bind-interface" statement, but the iff hierarchy under st0 *doesn't*
have a "next-hop-tunnel" statement?
Post by Adam Leff
Do you have all the prerequisites set up? i.e. st0.1 in the proper
security zone, a route pointed down st0.1 for the traffic to be tunneled,
etc.?
I'm pretty sure everything looks right (but just to me, so it's
certainly possible that there's a bug or two in my config). st0.1 is
in a security zone that has policies to permit vpn-monitor ICMP
traffic, and I'm not even routing over the st0.1 interface yet, just
pinging the remote end.

Cheers,
jof
Adam Leff
2010-11-30 16:19:32 UTC
Post by Jonathan Lassoff
Post by Adam Leff
Also, for what it's worth, I do have multiple logical interfaces under st0
(i.e. st0.0 and st0.1) and it is working without requiring NHTB.
Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
"bind-interface" statement, but the iff hierarchy under st0 *doesn't*
have a "next-hop-tunnel" statement?
Yes. We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel
statements are required. Are you binding "st0" or the full "st0.1"
interface to your VPN?

Here's a snippet of our config. Feel free to contact me off-list with your
config and I'm happy to give it a glance.

in [edit security]:
ike {
    policy phx1 {
        mode main;
        proposal-set compatible;
        pre-shared-key ascii-text "<redacted>";
    }
    gateway phx1 {
        ike-policy phx1;
        address <redacted>;
        external-interface ge-4/0/0.0;
    }
}
ipsec {
    vpn phx1 {
        bind-interface st0.1;
        vpn-monitor;
        ike {
            gateway phx1;
            ipsec-policy compatible;
        }
        establish-tunnels immediately;
    }
}

in [edit interfaces]:
st0 {
    unit 1 {
        description "VPN to PHX1";
        family inet {
            address 10.10.11.8/31;
        }
    }
}
Fahad Khan
2010-12-12 19:31:42 UTC
Hello Jonathan,

Let me know which JunOS version you are using.

You should use two st0.x interfaces like st0.1 and st0.2; the primary route
should use st0.1 and the secondary route should use st0.2. It should be
straightforward. Keep using VPN monitor. Use re-key and DPD for proper
tunnel failover.

Let me know if you find any difficulty.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan
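The two checks that come up in this thread (Adam's "are you binding st0 or the full st0.1, and is the unit in a zone with a route pointing down it" and Fahad's "two st0.x units, primary route on st0.1, secondary on st0.2, with DPD") are easy to get wrong on a real box. The following added example, which is not code from the thread or from Juniper, is a small audit script that parses a Junos config in `set` format and reports, for every route-based VPN, which of those prerequisites is missing. The sample configuration embedded in it is constructed for the example: it mirrors the two-tunnel branch layout Fahad describes, deliberately leaves st0.2 out of the security zone and adds a third VPN bound to bare `st0`, so the script has something to flag. Interface names, VPN and gateway names, the 203.0.113.x peer addresses and the 10.10.11.x tunnel addresses are all placeholders.

```python
"""Audit Junos route-based VPN prerequisites from a set-format config.

Added example, not from the mailing-list thread. For every
`security ipsec vpn <name> bind-interface <ifl>` it checks that:
  * the binding names a full logical unit (st0.N), not bare st0;
  * that unit exists under [edit interfaces st0] and has a family inet address;
  * the unit is placed in a security zone;
  * a static route (or an OSPF interface statement) points traffic down it;
  * the IKE gateway behind the VPN has dead-peer-detection configured.
"""
import re

# Constructed sample config (placeholder names and documentation-range addresses).
SAMPLE_CONFIG = """
set security ike policy ike-dc mode main
set security ike policy ike-dc proposal-set standard
set security ike policy ike-dc pre-shared-key ascii-text "EXAMPLE-PSK-PLACEHOLDER"
set security ike gateway gw-isp1 ike-policy ike-dc
set security ike gateway gw-isp1 address 203.0.113.10
set security ike gateway gw-isp1 dead-peer-detection interval 10
set security ike gateway gw-isp1 dead-peer-detection threshold 3
set security ike gateway gw-isp1 external-interface ge-0/0/0.0
set security ike gateway gw-isp2 ike-policy ike-dc
set security ike gateway gw-isp2 address 203.0.113.11
set security ike gateway gw-isp2 dead-peer-detection interval 10
set security ike gateway gw-isp2 dead-peer-detection threshold 3
set security ike gateway gw-isp2 external-interface ge-0/0/1.0
set security ipsec vpn vpn-isp1 bind-interface st0.1
set security ipsec vpn vpn-isp1 vpn-monitor
set security ipsec vpn vpn-isp1 ike gateway gw-isp1
set security ipsec vpn vpn-isp1 ike ipsec-policy ipsec-dc
set security ipsec vpn vpn-isp1 establish-tunnels immediately
set security ipsec vpn vpn-isp2 bind-interface st0.2
set security ipsec vpn vpn-isp2 vpn-monitor
set security ipsec vpn vpn-isp2 ike gateway gw-isp2
set security ipsec vpn vpn-isp2 ike ipsec-policy ipsec-dc
set security ipsec vpn vpn-isp2 establish-tunnels immediately
set security ipsec vpn vpn-bad bind-interface st0
set security zones security-zone vpn interfaces st0.1
set interfaces st0 unit 1 family inet address 10.10.11.1/31
set interfaces st0 unit 2 family inet address 10.10.11.3/31
set routing-options static route 10.0.0.0/8 qualified-next-hop st0.1 preference 5
set routing-options static route 10.0.0.0/8 qualified-next-hop st0.2 preference 10
"""

SET_RE = re.compile(r"^set\s+(.*)$")
UNIT_RE = re.compile(r"st0\.\d+")


def parse_set_config(text):
    """Return one token tuple per `set ...` line; other lines are ignored."""
    stmts = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            stmts.append(tuple(m.group(1).split()))
    return stmts


def check_st0_prerequisites(text):
    """Return a sorted list of human-readable findings (empty means all good)."""
    units, addressed, routed, dpd_gateways = set(), set(), set(), set()
    zoned, bindings, vpn_gateway = {}, {}, {}

    for t in parse_set_config(text):
        if t[:2] == ("interfaces", "st0") and len(t) >= 4 and t[2] == "unit":
            unit = f"st0.{t[3]}"
            units.add(unit)
            if t[4:6] == ("family", "inet") and "address" in t:
                addressed.add(unit)
        elif t[:3] == ("security", "zones", "security-zone") and len(t) >= 6 and t[4] == "interfaces":
            zoned[t[5]] = t[3]
        elif t[:3] == ("routing-options", "static", "route"):
            # Accept both `next-hop st0.N` and `qualified-next-hop st0.N ...`.
            for i, tok in enumerate(t):
                if tok in ("next-hop", "qualified-next-hop") and i + 1 < len(t) and UNIT_RE.fullmatch(t[i + 1]):
                    routed.add(t[i + 1])
        elif t[:2] == ("protocols", "ospf") and "interface" in t:
            # Dynamic routing over the tunnel counts as "a route down st0.N".
            idx = t.index("interface")
            if idx + 1 < len(t) and UNIT_RE.fullmatch(t[idx + 1]):
                routed.add(t[idx + 1])
        elif t[:3] == ("security", "ipsec", "vpn") and len(t) >= 6 and t[4] == "bind-interface":
            bindings[t[3]] = t[5]
        elif t[:3] == ("security", "ipsec", "vpn") and len(t) >= 7 and t[4:6] == ("ike", "gateway"):
            vpn_gateway[t[3]] = t[6]
        elif t[:3] == ("security", "ike", "gateway") and "dead-peer-detection" in t:
            dpd_gateways.add(t[3])

    findings = []
    for vpn, ifl in sorted(bindings.items()):
        if not UNIT_RE.fullmatch(ifl):
            findings.append(f"{vpn}: bind-interface '{ifl}' is not a full st0.N unit")
            continue
        if ifl not in units:
            findings.append(f"{vpn}: {ifl} is not configured under [edit interfaces st0]")
        elif ifl not in addressed:
            findings.append(f"{vpn}: {ifl} has no family inet address")
        if ifl not in zoned:
            findings.append(f"{vpn}: {ifl} is not in any security zone")
        if ifl not in routed:
            findings.append(f"{vpn}: no static route or OSPF interface points down {ifl}")
        gw = vpn_gateway.get(vpn)
        if gw is not None and gw not in dpd_gateways:
            findings.append(f"{vpn}: gateway {gw} has no dead-peer-detection")
    return findings


if __name__ == "__main__":
    for f in check_st0_prerequisites(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against the embedded sample it reports two problems: `vpn-bad` is bound to bare `st0` rather than a unit, and `st0.2` (the secondary tunnel) is missing from the security zone, which is exactly the kind of silent misconfiguration that leaves a second tunnel never passing traffic. The primary/secondary preference is expressed with `qualified-next-hop ... preference` on a single static route so the st0.2 path is used only when st0.1 goes down; with `vpn-monitor` and DPD the st0.1 interface is taken down when the peer stops responding, which is what makes that route withdrawal happen.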