Configuration Example: Policy-based IPSec VPN with external-interface in routing-instance

This article provides a sample configuration of terminating policy-based IPSec VPN on an external-interface which belongs to a routing instance.

Cannot terminate an IPSec VPN when external interface belongs to a routing instance.

Junos provides support for Internet Key Exchange (IKE) in multiple virtual routers. This feature is supported on all SRX Series devices as listed below:

  • Policy-based IPSec VPN – beginning with Junos 11.2
  • Route-based IPSec VPN – beginning with Junos 11.1

The remote IKE gateway address can be in any virtual routing (VR) instance. The VR is determined during IKE Phase 1 and Phase 2 negotiation. The VR does not have to be configured in the IKE proposals. If the IKE gateway interface is moved from one VR to another, the existing IKE Phase 1 and Phase 2 negotiations for the IKE gateway are cleared, and new Phase 1 and Phase 2 negotiations are performed.

Here is a sample configuration of two sites, which are separated by the Internet cloud. At both sites external-interfaces are in custom routing-instances.

Objective is to establish policy-based IPSec VPN between these two sites. For establishing route-based IPSec VPN in this scenario


Green Site Configuration :

Blue Site Configuration :


1. Verify the routing table at both sites:

2. Verify the IKE and IPSec Security Association Status at both sites:

Note: If the external interface is in custom routing instance at only one site and the traffic is initiated from the other site, we need to make use of rib-groups to make the internal network available in the custom routing instance. Otherwise, the default route in custom routing instance will match the traffic and incoming interface itself will be chosen as the outgoing interface. The Security Policy lookup will be done within the same zone context and packet will be dropped. If both sites external interfaces are in custom routing instances, then we need to apply rib-groups at both sites when we need bidirectional communication (traffic initiation from either site). If we need traffic to be initiated from only one site, then rib-group should be applied at the other site.

Below is a sample packet flow trace, for the traffic initiated from Blue site towards Green site (with out rib-groups). These packets get dropped at Green site because of policy deny in the context of from-zone blue to-zone blue.


About the author


Leave a Comment