Unable to terminate an IPSec VPN tunnel when the external interface belongs to a routing-instance.
Assume the following:
- ge-0/0/2 is the external interface with the 1.1.1.2/30 IP address.
- The remote IPSec peer is 2.2.2.2.
- You want to route traffic from the 10.10.10.0/24 virtual router LAN to the 10.10.20.0/24 remote LAN.
- Both the internal LAN and the external Internet next-hop are within the virtual router routing-instance, termed "inside".
IKE negotiation fails because the IKE exchange times out.
This article is applicable to:
- J Series devices running:
  - JUNOS 9.4 and above
  - JUNOS with Enhanced Services 8.5 through 9.3
- SRX Series devices running:
  - JUNOS releases earlier than 10.4
IKE messages are sent from an incorrect interface when the external interface and IKE gateway are in a routing-instance other than the default instance (inet.0).
Virtual router support for VPNs:
- Configure different subunits of the st0 interface in different routing instances – beginning with 10.4
- Configure the IKE external interface in virtual routers – beginning with 11.1
For detailed information about feature support, caveats and limitations, please refer to the Junos Release Notes.
Note: Terminating an IPSec site-to-site VPN with the external interface in a custom routing instance of type virtual-router is supported for route-based VPNs.
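As an added illustration (not from the original article or from Juniper), the following set-format configuration shows the supported route-based design described above on a release with 11.1 or later behaviour: the external interface ge-0/0/2.0, the tunnel interface st0.0 and the LAN interface all live in a virtual-router routing-instance named "inside". Assumptions not stated in the article: the Internet next-hop is 1.1.1.1 (the other address in the 1.1.1.0/30 subnet), the LAN sits on ge-0/0/1.0, the zone, policy and gateway names are invented, and the pre-shared key is a placeholder; the `#` lines are annotations to be dropped before loading.

```junos
# Interfaces: external (assumed /30 peer 1.1.1.1), LAN (assumed ge-0/0/1), tunnel
set interfaces ge-0/0/2 unit 0 family inet address 1.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24
set interfaces st0 unit 0 family inet

# Virtual router "inside" holds the external, LAN and st0 interfaces,
# so IKE source-interface lookup and the VPN route both resolve in inside.inet.0
set routing-instances inside instance-type virtual-router
set routing-instances inside interface ge-0/0/2.0
set routing-instances inside interface ge-0/0/1.0
set routing-instances inside interface st0.0
set routing-instances inside routing-options static route 0.0.0.0/0 next-hop 1.1.1.1
set routing-instances inside routing-options static route 10.10.20.0/24 next-hop st0.0

# Zones: IKE must be allowed inbound on the external interface
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone vpn interfaces st0.0

# IKE phase 1: gateway 2.2.2.2 terminated on ge-0/0/2.0 inside the virtual router
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "<PRE-SHARED-KEY-PLACEHOLDER>"
set security ike gateway gw-remote ike-policy ike-pol
set security ike gateway gw-remote address 2.2.2.2
set security ike gateway gw-remote external-interface ge-0/0/2.0

# IPsec phase 2: route-based VPN bound to st0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-remote bind-interface st0.0
set security ipsec vpn vpn-remote ike gateway gw-remote
set security ipsec vpn vpn-remote ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-remote establish-tunnels immediately

# Security policies restricted to the two LANs (assumed address-book names)
set security zones security-zone trust address-book address local-lan 10.10.10.0/24
set security zones security-zone vpn address-book address remote-lan 10.10.20.0/24
set security policies from-zone trust to-zone vpn policy lan-to-remote match source-address local-lan
set security policies from-zone trust to-zone vpn policy lan-to-remote match destination-address remote-lan
set security policies from-zone trust to-zone vpn policy lan-to-remote match application any
set security policies from-zone trust to-zone vpn policy lan-to-remote then permit
set security policies from-zone vpn to-zone trust policy remote-to-lan match source-address remote-lan
set security policies from-zone vpn to-zone trust policy remote-to-lan match destination-address local-lan
set security policies from-zone vpn to-zone trust policy remote-to-lan match application any
set security policies from-zone vpn to-zone trust policy remote-to-lan then permit
```

After committing, confirm that 10.10.20.0/24 is reachable via st0.0 in `show route table inside.inet.0` and that the phase 1 and phase 2 SAs are UP in `show security ike security-associations` and `show security ipsec security-associations`; on a release before 11.1 the IKE SA will not come up in this design, which is the failure the article describes.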