This article provides a sample configuration for terminating a policy-based IPSec VPN on an external interface that belongs to a routing instance.
Cannot terminate an IPSec VPN when the external interface belongs to a routing instance.
Junos provides support for Internet Key Exchange (IKE) in multiple virtual routers. This feature is supported on all SRX Series devices as listed below:
- Policy-based IPSec VPN – beginning with Junos 11.2
- Route-based IPSec VPN – beginning with Junos 11.1
The remote IKE gateway address can be in any virtual routing (VR) instance. The VR is determined during IKE Phase 1 and Phase 2 negotiation. The VR does not have to be configured in the IKE proposals. If the IKE gateway interface is moved from one VR to another, the existing IKE Phase 1 and Phase 2 negotiations for the IKE gateway are cleared, and new Phase 1 and Phase 2 negotiations are performed.
Here is a sample configuration of two sites separated by the Internet cloud. At both sites the external interfaces are in custom routing instances.
The objective is to establish a policy-based IPSec VPN between these two sites. For establishing a route-based IPSec VPN in this scenario
Topology:
   192.168.1.0/24                                                        192.168.2.0/24
 fe-0/0/0 [ Green ] fe-0/0/1 ------ Internet Cloud ------ fe-0/0/1 [ Blue ] fe-0/0/0
                    10.10.10.0/30                     11.11.11.0/30
Green Site Configuration:
version 11.1R1.10;
system {
    host-name Green;
    root-authentication {
        encrypted-password "$1$7PrTQdM6$ib3n9kd8kS4bnH2XrneJb."; ## SECRET-DATA
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.1/30;
            }
        }
    }
}

Note: See the note at the end of this article on why the rib-group is needed.

routing-options {
    interface-routes {
        rib-group inet myrib;
    }
    static {
        route 0.0.0.0/0 next-table green2blue.inet.0;
    }
    rib-groups {
        myrib {
            import-rib [ inet.0 green2blue.inet.0 ];
        }
    }
}
security {
    ike {
        policy p1 {
            proposal-set standard;
            pre-shared-key ascii-text "$9$CGAtpOIylMNdsEcds24DjCtu"; ## SECRET-DATA
        }
        gateway green {
            ike-policy p1;
            address 11.11.11.1;
            external-interface fe-0/0/1.0;
        }
    }
    ipsec {
        policy p2 {
            proposal-set standard;
        }
        vpn mytunnel {
            ike {
                gateway green;
                ipsec-policy p2;
            }
            establish-tunnels immediately;
        }
    }
}

Note: These packet filters help in understanding the packet flow within the flow module of the SRX. Be sure to deactivate or delete them once troubleshooting is done.

security {
    flow {
        traceoptions {
            file green;
            flag all;
            packet-filter 1 {
                source-prefix 192.168.1.5/32;
                destination-prefix 192.168.2.5/32;
            }
            packet-filter 2 {
                source-prefix 192.168.2.5/32;
                destination-prefix 192.168.1.5/32;
            }
        }
    }
}

Note: Security policies are created in both directions, assuming that VPN traffic can be initiated from either site.

security {
    policies {
        from-zone green to-zone blue {
            policy g2b {
                match {
                    source-address green;
                    destination-address blue;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn mytunnel;
                        }
                    }
                }
            }
        }
        from-zone blue to-zone green {
            policy b2g {
                match {
                    source-address blue;
                    destination-address green;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn mytunnel;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone green {
            address-book {
                address green 192.168.1.0/24;
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone blue {
            address-book {
                address blue 192.168.2.0/24;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
    }
}

Note: Custom routing-instance configuration, which includes the external interface and the default (static) route towards the Internet.

routing-instances {
    green2blue {
        instance-type virtual-router;
        interface fe-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.10.2;
            }
        }
    }
}
Blue Site Configuration:
version 11.1R1.10;
system {
    host-name Blue;
    root-authentication {
        encrypted-password "$1$7PrTQdM6$ib3n9kd8kS4bnH2XrneJb."; ## SECRET-DATA
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family inet {
                address 11.11.11.1/30;
            }
        }
    }
}

Note: See the note at the end of this article on why the rib-group is needed.

routing-options {
    interface-routes {
        rib-group inet myrib;
    }
    static {
        route 0.0.0.0/0 next-table blue2green.inet.0;
    }
    rib-groups {
        myrib {
            import-rib [ inet.0 blue2green.inet.0 ];
        }
    }
}
security {
    ike {
        policy p1 {
            proposal-set standard;
            pre-shared-key ascii-text "$9$CGAtpOIylMNdsEcds24DjCtu"; ## SECRET-DATA
        }
        gateway blue {
            ike-policy p1;
            address 10.10.10.1;
            external-interface fe-0/0/1.0;
        }
    }
    ipsec {
        policy p2 {
            proposal-set standard;
        }
        vpn mytunnel {
            ike {
                gateway blue;
                ipsec-policy p2;
            }
            establish-tunnels immediately;
        }
    }
    flow {
        traceoptions {
            file blue;
            flag basic-datapath;
            packet-filter 1 {
                source-prefix 192.168.1.5/32;
                destination-prefix 192.168.2.5/32;
            }
        }
    }
    policies {
        from-zone green to-zone blue {
            policy g2b {
                match {
                    source-address green;
                    destination-address blue;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn mytunnel;
                        }
                    }
                }
            }
        }
        from-zone blue to-zone green {
            policy b2g {
                match {
                    source-address blue;
                    destination-address green;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn mytunnel;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone green {
            address-book {
                address green 192.168.1.0/24;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone blue {
            address-book {
                address blue 192.168.2.0/24;
            }
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
routing-instances {
    blue2green {
        instance-type virtual-router;
        interface fe-0/0/1.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 11.11.11.2;
            }
        }
    }
}
Verification
1. Verify the routing table at both sites:
[edit]
root@Green# run show route | no-more

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:32:35
                      to table green2blue.inet.0
192.168.1.0/24     *[Direct/0] 00:02:04
                    > via fe-0/0/0.0
192.168.1.1/32     *[Local/0] 01:51:56
                      Local via fe-0/0/0.0

green2blue.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:27:45
                    > to 10.10.10.2 via fe-0/0/1.0
10.10.10.0/30      *[Direct/0] 00:27:45
                    > via fe-0/0/1.0
10.10.10.1/32      *[Local/0] 00:27:45
                      Local via fe-0/0/1.0
192.168.1.0/24     *[Direct/0] 00:02:04
                    > via fe-0/0/0.0
192.168.1.1/32     *[Local/0] 00:02:04
                      Local via fe-0/0/0.0

[edit]
root@Blue# run show route | no-more

inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:36:29
                      to table blue2green.inet.0
192.168.2.0/24     *[Direct/0] 01:28:13
                    > via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 01:36:32
                      Local via fe-0/0/0.0

blue2green.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:17:53
                    > to 11.11.11.2 via fe-0/0/1.0
192.168.2.0/24     *[Direct/0] 00:05:44
                    > via fe-0/0/0.0
192.168.2.1/32     *[Local/0] 00:05:44
                      Local via fe-0/0/0.0
11.11.11.0/30      *[Direct/0] 00:17:53
                    > via fe-0/0/1.0
11.11.11.1/32      *[Local/0] 00:17:53
                      Local via fe-0/0/1.0
2. Verify the IKE and IPSec Security Association Status at both sites:
[edit]
root@Green# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
7       UP     e6565d82f530db9c  a20ba585b91e278d  Main  11.11.11.1

[edit]
root@Green# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <2    ESP:3des/sha1   3add1c08 3394/ unlim   -   root 500   11.11.11.1
  >2    ESP:3des/sha1   e166c77f 3394/ unlim   -   root 500   11.11.11.1

[edit]
root@Blue# run show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
1       UP     e6565d82f530db9c  a20ba585b91e278d  Main  10.10.10.1

[edit]
root@Blue# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <2    ESP:3des/sha1   e166c77f 3177/ unlim   -   root 500   10.10.10.1
  >2    ESP:3des/sha1   3add1c08 3177/ unlim   -   root 500   10.10.10.1
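The two outputs above can be cross-checked mechanically: for one tunnel, the IKE initiator and responder cookies must be identical on both peers, and each site's inbound SPI (the "<" row) must equal the other site's outbound SPI (the ">" row). The following Python script is an added example, not part of the original article and not Junos code; it parses the `show security ike security-associations` and `show security ipsec security-associations` tables exactly as printed above (embedded inline, copied from this page) and reports any inconsistency. The final Blue output with an altered SPI is constructed to show what a failing check reports.

```python
import re
from dataclasses import dataclass
from typing import List

# One row of "show security ike security-associations" (header rows do not match).
_IKE_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$"
)
# One row of "show security ipsec security-associations": '<' is the inbound
# SA (SPI expected on received ESP), '>' the outbound SA (SPI placed on sent ESP).
_IPSEC_RE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+"
    r"(?P<life>\d+/\s*\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)


@dataclass
class SiteSAs:
    name: str
    ike_state: str
    cookies: str      # initiator+responder cookie; identical on both peers of one Phase 1 SA
    ike_remote: str
    alg: str
    spi_in: str
    spi_out: str
    gateway: str


def parse_site(name: str, ike_text: str, ipsec_text: str) -> SiteSAs:
    """Extract the single IKE SA and the inbound/outbound IPsec SA rows for one site."""
    ike = next(m for m in map(_IKE_RE.match, ike_text.splitlines()) if m)
    rows = [m for m in map(_IPSEC_RE.match, ipsec_text.splitlines()) if m]
    inbound = next(r for r in rows if r["dir"] == "<")
    outbound = next(r for r in rows if r["dir"] == ">")
    return SiteSAs(name, ike["state"], ike["icookie"] + ike["rcookie"], ike["remote"],
                   inbound["alg"], inbound["spi"], outbound["spi"], inbound["gw"])


def cross_check(a: SiteSAs, b: SiteSAs) -> List[str]:
    """Return the inconsistencies between the two peers; an empty list means consistent."""
    problems: List[str] = []
    for s in (a, b):
        if s.ike_state != "UP":
            problems.append(f"{s.name}: IKE SA state is {s.ike_state}, not UP")
        if s.ike_remote != s.gateway:
            problems.append(f"{s.name}: IKE remote {s.ike_remote} differs from IPsec gateway {s.gateway}")
    if a.cookies != b.cookies:
        problems.append("IKE cookies differ: the sites are not sharing one Phase 1 SA")
    if a.alg != b.alg:
        problems.append(f"ESP algorithm mismatch: {a.alg} vs {b.alg}")
    if a.spi_in != b.spi_out:
        problems.append(f"{a.name} inbound SPI {a.spi_in} != {b.name} outbound SPI {b.spi_out}")
    if a.spi_out != b.spi_in:
        problems.append(f"{a.name} outbound SPI {a.spi_out} != {b.name} inbound SPI {b.spi_in}")
    return problems


# Command output copied from the verification step above.
GREEN_IKE = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
7       UP     e6565d82f530db9c  a20ba585b91e278d  Main  11.11.11.1
"""
GREEN_IPSEC = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <2    ESP:3des/sha1   3add1c08 3394/ unlim   -   root 500   11.11.11.1
  >2    ESP:3des/sha1   e166c77f 3394/ unlim   -   root 500   11.11.11.1
"""
BLUE_IKE = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
1       UP     e6565d82f530db9c  a20ba585b91e278d  Main  10.10.10.1
"""
BLUE_IPSEC = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <2    ESP:3des/sha1   e166c77f 3177/ unlim   -   root 500   10.10.10.1
  >2    ESP:3des/sha1   3add1c08 3177/ unlim   -   root 500   10.10.10.1
"""
# Constructed, not from the page: Blue's outbound SPI no longer mirrors Green's inbound SPI.
CONSTRUCTED_BAD_BLUE_IPSEC = BLUE_IPSEC.replace("3add1c08", "0badc0de")


def check_page_outputs() -> List[str]:
    return cross_check(parse_site("Green", GREEN_IKE, GREEN_IPSEC),
                       parse_site("Blue", BLUE_IKE, BLUE_IPSEC))


def check_constructed_mismatch() -> List[str]:
    return cross_check(parse_site("Green", GREEN_IKE, GREEN_IPSEC),
                       parse_site("Blue", BLUE_IKE, CONSTRUCTED_BAD_BLUE_IPSEC))


if __name__ == "__main__":
    print("page outputs:", check_page_outputs() or "consistent")
    print("constructed mismatch:", check_constructed_mismatch())
```

On the outputs shown on this page the check comes back clean: both IKE SAs are UP with the same cookie pair, Green's inbound SPI 3add1c08 is Blue's outbound SPI and vice versa. A lone SPI mismatch usually means the two sites are looking at different Phase 2 SAs (for example after a rekey on one side only), which is worth confirming before touching policy or routing.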
Note: If the external interface is in a custom routing instance at only one site and traffic is initiated from the other site, rib-groups must be used to make the internal network available in the custom routing instance. Otherwise the default route in the custom routing instance matches the traffic, the incoming interface itself is chosen as the outgoing interface, the security policy lookup is done within the same zone context (from the external zone to the external zone), and the packet is dropped. If the external interfaces at both sites are in custom routing instances, rib-groups must be applied at both sites for bidirectional communication (traffic initiated from either site). If traffic only needs to be initiated from one site, the rib-group must be applied at the other site (the one receiving the initiated traffic).
Below is a sample packet flow trace for traffic initiated from the Blue site towards the Green site, captured without rib-groups. These packets get dropped at the Green site because of a policy deny in the from-zone blue to-zone blue context.
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:<192.168.2.5/15872->192.168.1.5/512;1> matched filter 2:
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:packet [60] ipid = 2976, @4091d63e
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 1, common flag 0x0, mbuf 0x4091d400, rtbl_idx = 0
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow process pak, mbuf 4091d400, ifl 0, ctxt_type 1 inq type 6
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: in_ifp <junos-self:.local..0>
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_process_pkt_exception: setting rtt in lpak to 4270d8a0
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:inq_type 0x6
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:tifp NULL
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:pkt out of tunnel.Proceed normally
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: fe-0/0/1.0:192.168.2.5->192.168.1.5, icmp, (8/0)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: find flow: table 0x42fcabd0, hash 13038(0xffff), sa 192.168.2.5, da 192.168.1.5, sp 15872, dp 512, proto 1, tok 16392
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: no session found, start first path. in_tunnel - 1145201140, from_cp_flag - 0
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:self ip check: not for self (address=c0a80105)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:self ip check: not for self (address=c0a80105)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: flow_first_create_session
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:Installing pending sess (982) in ager
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:First path alloc and instl pending session, natp=0x444284f0, id=982
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: flow_first_in_dst_nat: in <fe-0/0/1.0>, out <N/A> dst_adr 192.168.1.5, sp 15872, dp 512
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: chose interface N/A as incoming nat if.
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.5(512)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.2.5, x_dst_ip 192.168.1.5, in ifp fe-0/0/1.0, out ifp N/A sp 15872, dp 512, ip_proto 1, tos 0
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:Doing DESTINATION addr route-lookup
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_rt_lkup in VR-id: 4
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_rt_lkup: Found route entry 0x0x4582f210,nh id 0x22c, out if 0x49
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_rt_lkup: nh word 0x70010
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.5, iifl 0x49, oifl 0x49
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: routed (x_dst_ip 192.168.1.5) from blue (fe-0/0/1.0 in 0) to fe-0/0/1.0, Next-hop: 10.10.10.2
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: policy search from zone blue-> zone blue (0x0,0x3e000200,0x200)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: app 0, timeout 60s, curr ageout 60s
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: packet dropped, denied by policy
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:Denied by policy 2, dropping pkt
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: packet dropped, policy deny.
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:set_nat_invalid: natp:id 982, flag 169f
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_initiate_first_path: first pak no session
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: flow find session returns error.
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_process_pkt_exception: Freeing lpak 3fded9b8 associated with mbuf 0x4091d400
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)
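The trace above carries the whole diagnosis in three lines: the route lookup in VR-id 4 resolves 192.168.1.5 out of fe-0/0/1.0, the interface the packet arrived on; the policy search therefore runs from zone blue to zone blue; and the packet is denied. The Python below is an added example (not code from this article or from Juniper) that parses SRX flow traceoptions output for exactly that pattern, so the missing-rib-group case described in the note above can be told apart from an ordinary policy deny. The first sample trace is the relevant subset of the lines shown on this page; the second, healthy trace is constructed, not from the page, to show what the same lookup looks like once the internal prefix is present in the routing instance.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Everything after the "...:CID-0:RT:" prefix of an SRX flow traceoptions line.
_MSG_RE = re.compile(r":RT:\s*(.*)$")
_VR_RE = re.compile(r"flow_rt_lkup in VR-id: (?P<vr>\d+)")
_ROUTED_RE = re.compile(
    r"routed \(x_dst_ip (?P<dst>\S+)\) from (?P<in_zone>\S+) \((?P<in_ifp>\S+) in \d+\) "
    r"to (?P<out_ifp>\S+), Next-hop: (?P<nh>\S+)"
)
_POLICY_RE = re.compile(r"policy search from zone (?P<from>\S+)->\s*zone (?P<to>\S+)")
_DENY_RE = re.compile(r"Denied by policy (?P<id>\d+)")


@dataclass
class FirstPath:
    """What the flow module decided for the first packet of a session."""
    vr_id: Optional[int] = None
    dst: Optional[str] = None
    in_zone: Optional[str] = None
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None
    next_hop: Optional[str] = None
    from_zone: Optional[str] = None
    to_zone: Optional[str] = None
    denied_by_policy: Optional[int] = None

    @property
    def hairpinned(self) -> bool:
        # The route lookup picked the ingress interface as the egress interface.
        return self.in_ifp is not None and self.in_ifp == self.out_ifp

    @property
    def intrazone(self) -> bool:
        return self.from_zone is not None and self.from_zone == self.to_zone

    def diagnosis(self) -> str:
        if self.denied_by_policy is None:
            return "no policy drop in this first-path trace"
        if self.hairpinned and self.intrazone:
            return (f"policy drop {self.from_zone}->{self.to_zone}: VR-id {self.vr_id} routed "
                    f"{self.dst} back out {self.in_ifp}; the internal prefix is not present in "
                    "the routing instance, check the rib-group")
        return f"policy drop {self.from_zone}->{self.to_zone}: review the security policy"


def parse_first_path(trace: str) -> FirstPath:
    fp = FirstPath()
    for raw in trace.splitlines():
        m = _MSG_RE.search(raw)
        if not m:
            continue
        msg = m.group(1)
        if (mm := _VR_RE.search(msg)):
            fp.vr_id = int(mm["vr"])
        elif (mm := _ROUTED_RE.search(msg)):
            fp.dst, fp.in_zone = mm["dst"], mm["in_zone"]
            fp.in_ifp, fp.out_ifp, fp.next_hop = mm["in_ifp"], mm["out_ifp"], mm["nh"]
        elif (mm := _POLICY_RE.search(msg)):
            fp.from_zone, fp.to_zone = mm["from"], mm["to"]
        elif (mm := _DENY_RE.search(msg)):
            fp.denied_by_policy = int(mm["id"])
    return fp


# The decisive lines of the Green-site trace shown above.
PAGE_TRACE = """\
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: fe-0/0/1.0:192.168.2.5->192.168.1.5, icmp, (8/0)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_rt_lkup in VR-id: 4
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.5, iifl 0x49, oifl 0x49
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: routed (x_dst_ip 192.168.1.5) from blue (fe-0/0/1.0 in 0) to fe-0/0/1.0, Next-hop: 10.10.10.2
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: policy search from zone blue-> zone blue (0x0,0x3e000200,0x200)
Jul 7 15:49:11 15:49:11.910349:CID-0:RT: packet dropped, denied by policy
Jul 7 15:49:11 15:49:11.910349:CID-0:RT:Denied by policy 2, dropping pkt
"""

# Constructed, not from the page: the same lookup once the rib-group has leaked
# 192.168.1.0/24 into green2blue.inet.0, so the egress is the internal interface.
CONSTRUCTED_OK_TRACE = """\
Jul 7 15:55:02 15:55:02.100000:CID-0:RT: fe-0/0/1.0:192.168.2.5->192.168.1.5, icmp, (8/0)
Jul 7 15:55:02 15:55:02.100000:CID-0:RT:flow_rt_lkup in VR-id: 4
Jul 7 15:55:02 15:55:02.100000:CID-0:RT: routed (x_dst_ip 192.168.1.5) from blue (fe-0/0/1.0 in 0) to fe-0/0/0.0, Next-hop: 192.168.1.5
Jul 7 15:55:02 15:55:02.100000:CID-0:RT: policy search from zone blue-> zone green (0x0,0x3e000200,0x200)
"""


if __name__ == "__main__":
    print(parse_first_path(PAGE_TRACE).diagnosis())
    print(parse_first_path(CONSTRUCTED_OK_TRACE).diagnosis())
```

Run against the page's trace the result is the rib-group diagnosis; on the constructed trace the egress interface differs from the ingress interface, the policy lookup is inter-zone (blue to green), and no deny is reported. The same parser can be fed the whole `file green` trace from the traceoptions configured above, since unrelated lines simply match none of the patterns.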