Route-based site-to-site IPsec VPN with a non-Juniper peer having multiple subnets

How a multipoint tunnel interface can be used to avoid configuring a separate virtual router for each IPsec VPN tunnel interface st0.x

Assume a customer has a network set up as shown below and wants to use route-based IPsec VPN.

[Figure: network diagram (route-based-site-site-ipsec-vpn-non-juniper-peer-multiple-subnets)]
Since there are multiple subnets behind the peer device, we need to create multiple IPsec VPNs on the SRX, three in this case.
This causes a problem when routing traffic from the SRX to destination 10.10.10.0/24, because the route would have three next hops: st0.0, st0.1 and st0.2.
One way to avoid this routing problem is to use a virtual router for every st0.x interface, with one static route in each VR.
But that requires a lot of configuration changes and route sharing between the LAN VRs and the st0.x interface VRs.
There is a simpler solution using a single multipoint st0.x interface, as described below.

Below are the main points to keep in mind while configuring a multipoint route-based VPN.
1. Configure a numbered multipoint st0.x interface and configure next-hop tunnel binding.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 1.1.1.254/24

2. Use next-hop tunnel binding to route traffic over the related IPsec VPN; the next-hop-tunnel addresses are dummy IP addresses used only to bind traffic to a specific VPN.
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.1 ipsec-vpn mumbai_vpn1
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.2 ipsec-vpn mumbai_vpn2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.3 ipsec-vpn mumbai_vpn3

Note: The remote end device does not need a numbered tunnel interface whose IP address is the next-hop-tunnel address. These are dummy IP addresses used solely by the SRX to distinguish traffic for a specific VPN. Make sure the dummy IP addresses are taken from the same subnet as the st0.x interface IP; otherwise the route for the remote subnet will not be active in the routing table.

3. Configure a route for each remote subnet with a next-hop address equal to the corresponding next-hop-tunnel address.
set routing-options static route 192.168.10.0/24 next-hop 1.1.1.1
set routing-options static route 192.168.20.0/24 next-hop 1.1.1.2
set routing-options static route 192.168.30.0/24 next-hop 1.1.1.3

The complete VPN configuration is as follows.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.1 ipsec-vpn mumbai_vpn1
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.2 ipsec-vpn mumbai_vpn2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.3 ipsec-vpn mumbai_vpn3
set interfaces st0 unit 0 family inet address 1.1.1.254/24

set security ike policy ike_policy mode main
set security ike policy ike_policy proposal-set standard
set security ike policy ike_policy pre-shared-key ascii-text "$9$RidcrKX7V4aUM8aUjH5TRhS"
set security ike gateway mumbai ike-policy ike_policy
set security ike gateway mumbai address 192.168.1.6
set security ike gateway mumbai external-interface ge-0/0/0.0

set security ipsec policy ipsec_policy proposal-set standard
set security ipsec vpn mumbai_vpn1 bind-interface st0.0
set security ipsec vpn mumbai_vpn1 ike gateway mumbai
set security ipsec vpn mumbai_vpn1 ike proxy-identity local 10.10.10.0/24
set security ipsec vpn mumbai_vpn1 ike proxy-identity remote 192.168.10.0/24
set security ipsec vpn mumbai_vpn1 ike ipsec-policy ipsec_policy
set security ipsec vpn mumbai_vpn1 establish-tunnels immediately
set security ipsec vpn mumbai_vpn2 bind-interface st0.0
set security ipsec vpn mumbai_vpn2 ike gateway mumbai
set security ipsec vpn mumbai_vpn2 ike proxy-identity local 10.10.10.0/24
set security ipsec vpn mumbai_vpn2 ike proxy-identity remote 192.168.20.0/24
set security ipsec vpn mumbai_vpn2 ike ipsec-policy ipsec_policy
set security ipsec vpn mumbai_vpn2 establish-tunnels immediately
set security ipsec vpn mumbai_vpn3 bind-interface st0.0
set security ipsec vpn mumbai_vpn3 ike gateway mumbai
set security ipsec vpn mumbai_vpn3 ike proxy-identity local 10.10.10.0/24
set security ipsec vpn mumbai_vpn3 ike proxy-identity remote 192.168.30.0/24
set security ipsec vpn mumbai_vpn3 ike ipsec-policy ipsec_policy
set security ipsec vpn mumbai_vpn3 establish-tunnels immediately

set routing-options static route 192.168.10.0/24 next-hop 1.1.1.1
set routing-options static route 192.168.20.0/24 next-hop 1.1.1.2
set routing-options static route 192.168.30.0/24 next-hop 1.1.1.3

set security zones security-zone vpn interfaces st0.0
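The following consistency check is an added example, not part of the original article and not a Junos tool: it parses the `set` lines above and models how the SRX steers each static route to a VPN, flagging the two misconfigurations the text warns about (a next-hop-tunnel address outside the st0.0 subnet, which leaves the route inactive, and a route whose destination does not fall inside the bound VPN's proxy-identity remote, which a policy-based non-Juniper peer would drop). The route for 192.168.40.0/24 via 1.1.2.4 is constructed to trigger the first check.

```python
import ipaddress
import re

# Junos "set" lines from the page's multipoint st0.0 configuration, plus one
# constructed bad route (192.168.40.0/24 via 1.1.2.4) whose next hop lies
# outside the st0.0 subnet, the case the Note in the article warns about.
CONFIG = """
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 1.1.1.254/24
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.1 ipsec-vpn mumbai_vpn1
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.2 ipsec-vpn mumbai_vpn2
set interfaces st0 unit 0 family inet next-hop-tunnel 1.1.1.3 ipsec-vpn mumbai_vpn3
set security ipsec vpn mumbai_vpn1 ike proxy-identity remote 192.168.10.0/24
set security ipsec vpn mumbai_vpn2 ike proxy-identity remote 192.168.20.0/24
set security ipsec vpn mumbai_vpn3 ike proxy-identity remote 192.168.30.0/24
set routing-options static route 192.168.10.0/24 next-hop 1.1.1.1
set routing-options static route 192.168.20.0/24 next-hop 1.1.1.2
set routing-options static route 192.168.30.0/24 next-hop 1.1.1.3
set routing-options static route 192.168.40.0/24 next-hop 1.1.2.4
"""

def parse(config):
    """Extract the st0.0 subnet, next-hop-tunnel bindings, proxy-ids and routes."""
    st0_net, tunnels, proxy_remote, routes = None, {}, {}, {}
    for line in config.strip().splitlines():
        if m := re.match(r"set interfaces st0 unit 0 family inet address (\S+)", line):
            st0_net = ipaddress.ip_interface(m[1]).network
        elif m := re.match(r".* next-hop-tunnel (\S+) ipsec-vpn (\S+)", line):
            tunnels[m[1]] = m[2]
        elif m := re.match(r"set security ipsec vpn (\S+) ike proxy-identity remote (\S+)", line):
            proxy_remote[m[1]] = ipaddress.ip_network(m[2])
        elif m := re.match(r"set routing-options static route (\S+) next-hop (\S+)", line):
            routes[ipaddress.ip_network(m[1])] = m[2]
    return st0_net, tunnels, proxy_remote, routes

def check(config):
    """Return (resolved, findings): the VPN each route maps to, and any problems."""
    st0_net, tunnels, proxy_remote, routes = parse(config)
    resolved, findings = {}, []
    for dest, nh in routes.items():
        # Next hop must be on the st0.0 subnet or the static route stays inactive.
        if ipaddress.ip_address(nh) not in st0_net:
            findings.append(f"{dest}: next-hop {nh} not in st0 subnet {st0_net}, route inactive")
            continue
        vpn = tunnels.get(nh)
        if vpn is None:
            findings.append(f"{dest}: no next-hop-tunnel binding for {nh}")
            continue
        resolved[str(dest)] = vpn
        # The peer's traffic selector must cover the destination this route sends into it.
        if not dest.subnet_of(proxy_remote[vpn]):
            findings.append(f"{dest}: not inside {vpn} proxy-identity remote {proxy_remote[vpn]}")
    return resolved, findings
```

Run `check(CONFIG)` after pasting a real configuration in place of the sample to see which VPN each remote subnet is bound to and which routes would not carry traffic as intended.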

Verification:


About the author

James Palmer
