Can an IPsec VPN tunnel be terminated when the external interface belongs to a routing instance?

Unable to terminate an IPSec VPN tunnel, when the external interface belongs to a routing-instance.

Assume the following:

  • Ge-0/0/2 is the external interface with the 1.1.1.2/30 IP address.
  • Remote IPSec peer is 2.2.2.2.
  • You want to route traffic from the 10.10.10.0/24 virtual router LAN to the 10.10.20.0/24 remote LAN.
  • Both the internal LAN and external Internet next-hop are within the virtual router routing-instance and termed as inside.

IKE negotiations fail due to the timeout of IKE negotiations.

This article is applicable to:

  • J Series devices running:
  1. JUNOS 9.4 and above
  2. JUNOS with Enhanced Services 8.5 through 9.3
  • SRX Series devices
  • JUNOS 10.4 below releases.

IKE messages are being sent from an incorrect interface, when the external interface and IKE gateway are in a routing-instance, other than the default instance (inet.0).

Virtual router support for VPN’s :

  • Configure different subunits of the st0 interface in different routing instances – beggining with 10.4
  • Configure IKE external interface in Virtual routers – beggining with 11.1

For detailed information about feature support, caveats and limitations please refer to the Junos Release notes.
Note: Terminating an IPSec site to site VPN with the external interface being in a custom routing instance of type Virtual Router is supported for Route based VPN’s.

About the author

Prasanna

Leave a Comment