[j-nsp] JunOS route-based VPN: multiple st interfaces
Adam Leff
adam at leff.co
Tue Nov 30 11:19:32 EST 2010
On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff <jof at thejof.com> wrote:
> On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <adam at leff.co> wrote:
> > Also, for what it's worth, I do have multiple logical interfaces under st0
> > (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
>
> Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
> "bind-interface" statement, but the iff hierarchy under st0 *doesn't*
> have a "next-hop-tunnel" statement?
>
Yes. We run either BGP or OSPF over the tunnel links, so no next-hop-tunnel
statements are required. Are you binding "st0" or the full "st0.1"
interface to your VPN?
Here's a snippet of our config. Feel free to contact me off-list with your
config and I'm happy to give it a glance.
in [edit security]:

ike {
    policy phx1 {
        mode main;
        proposal-set compatible;
        pre-shared-key ascii-text "<redacted>";
    }
    gateway phx1 {
        ike-policy phx1;
        address <redacted>;
        external-interface ge-4/0/0.0;
    }
}
ipsec {
    vpn phx1 {
        bind-interface st0.1;
        vpn-monitor;
        ike {
            gateway phx1;
            ipsec-policy compatible;
        }
        establish-tunnels immediately;
    }
}

in [edit interfaces]:

st0 {
    unit 1 {
        description "VPN to PHX1";
        family inet {
            address 10.10.11.8/31;
        }
    }
}
> > Do you have all the pre-requisites set up? i.e. st0.1 in the proper
> > security zone, a route pointed down st0.1 for the traffic to be tunneled,
> > etc.?
>
> I'm pretty sure everything looks right (but just to me, so it's
> certainly possible that there's a bug or two in my config). st0.1 is
> in a security zone that has policies to permit vpn-monitor ICMP
> traffic, and I'm not even routing over the st0.1 interface yet, just
> pinging the remote end.
>
> Cheers,
> jof
>
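The following is an added, illustrative Junos SRX configuration, not the poster's config, that fills in the pieces the snippet above leaves out for the two-tunnel case being discussed: two point-to-point st0 units, each bound to its own VPN, both placed in a security zone, and OSPF run across them so that routes pointing down st0.x exist without next-hop-tunnel statements. All names (siteA/siteB, the zone "vpn", the IPsec policy name), the peer addresses from the RFC 5737 documentation ranges, the tunnel /31s and the external interface are assumptions chosen for the example.

```junos
## Added example, not from the original thread. Peer addresses, interface
## names and policy/zone names are assumed for illustration.
security {
    ike {
        policy ike-pol-psk {
            mode main;
            proposal-set compatible;
            pre-shared-key ascii-text "<redacted>";
        }
        gateway gw-siteA {
            ike-policy ike-pol-psk;
            address 192.0.2.10;                 # assumed remote IKE peer A
            external-interface ge-0/0/0.0;      # assumed untrust interface
        }
        gateway gw-siteB {
            ike-policy ike-pol-psk;
            address 198.51.100.20;              # assumed remote IKE peer B
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        ## The snippet above references "ipsec-policy compatible"; this is
        ## the policy definition such a reference needs.
        policy ipsec-pol-compatible {
            proposal-set compatible;
        }
        ## One VPN per st0 unit: a point-to-point unit carries exactly one
        ## tunnel, so no next-hop-tunnel (NHTB) table is needed. NHTB only
        ## comes into play when several peers share one st0 unit.
        vpn vpn-siteA {
            bind-interface st0.0;
            vpn-monitor;
            ike {
                gateway gw-siteA;
                ipsec-policy ipsec-pol-compatible;
            }
            establish-tunnels immediately;
        }
        vpn vpn-siteB {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway gw-siteB;
                ipsec-policy ipsec-pol-compatible;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        ## Both tunnel units must sit in a zone. host-inbound-traffic is what
        ## lets the SRX itself answer pings on st0.x and form OSPF adjacencies;
        ## from-zone/to-zone policies only govern transit traffic.
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    ping;
                }
                protocols {
                    ospf;
                }
            }
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
    policies {
        ## Transit permit for traffic to be tunneled (assumed zone "trust").
        from-zone trust to-zone vpn {
            policy trust-to-vpn {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            description "VPN to siteA";
            family inet {
                address 10.10.11.0/31;          # assumed tunnel /31
            }
        }
        unit 1 {
            description "VPN to siteB";
            family inet {
                address 10.10.11.2/31;          # assumed tunnel /31
            }
        }
    }
}
protocols {
    ## OSPF over the tunnels installs routes via st0.0 / st0.1, which is the
    ## "route pointed down st0.x" the thread refers to.
    ospf {
        area 0.0.0.0 {
            interface st0.0 {
                interface-type p2p;
            }
            interface st0.1 {
                interface-type p2p;
            }
        }
    }
}
```

Two checks worth doing when a tunnel unit "is up but won't ping": confirm `show security ipsec security-associations` lists an SA for each vpn bound to st0.0 and st0.1, and confirm the st0 unit you ping from (and the peer's) is in a zone whose host-inbound-traffic permits ping, since a missing system-service there fails the ping silently even when the IPsec SA is established.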