[j-nsp] Importing interface routes into routing instances
Tore Anderson
tore.anderson at redpill-linpro.com
Tue Aug 7 07:03:35 EDT 2012
Hi,
I'm using routing-instances and filter-based forwarding in order to
emulate policy-based VPN while actually using route-based VPNs on a SRX
cluster (I cannot use actual policy-based VPN due to the limitations
described in KB21363 and KB23082). I'm using a commit script to build
the necessary config like so (repeated for every possible srcnet/dstnet
combination for each IKE gateway):
interfaces {
    st0 {
        unit 0 {
            description "vpn=acme-0, local=192.168.1.1/32, remote=100.64.0.0/24";
            family inet;
        }
        [...]
    }
}
security {
    ipsec {
        vpn acme-0 {
            bind-interface st0.0;
            ike {
                gateway acme;
                proxy-identity {
                    local 192.168.1.1/32;
                    remote 100.64.0.0/24;
                }
                ipsec-policy acme;
            }
        }
        [...]
    }
}
firewall {
    family inet {
        filter vpn-policyrouting {
            /* one term per srcnet/dstnet pair; matching traffic is looked up in acme-0.inet.0 */
            term acme-0 {
                from {
                    source-address {
                        192.168.1.1/32;
                    }
                    destination-address {
                        100.64.0.0/24;
                    }
                }
                then {
                    routing-instance acme-0;
                }
            }
            [...]
        }
    }
}
routing-instances {
    acme-0 {
        instance-type forwarding;
        routing-options {
            static {
                route 100.64.0.0/24 next-hop st0.0;
            }
        }
    }
    [...]
}
I found that this does not actually work, as acme-0.inet.0 ends up
containing no routes (not even hidden routes). However, if I import
the interface-routes RIB into that routing table, it works:
routing-options {
    interface-routes {
        rib-group inet interface-rib;
    }
    rib-groups {
        interface-rib {
            /* interface routes are offered to inet.0 and to every forwarding instance table */
            import-rib [ inet.0 acme-0.inet.0 [...] ];
            import-policy interface-rib-import;
        }
    }
}
policy-options {
    policy-statement interface-rib-import {
        term inet.0 {
            to rib inet.0;
            then accept;
        }
        term fallthrough {
            then {
                reject;
            }
        }
    }
}
What I can't wrap my head around here is that even though my
import-policy seems to me to prevent anything from being imported into
acme-0.inet.0 at all (and I can see that it does prevent other link
routes from being imported), the above config is *not* equivalent to
simply deleting "import-rib acme-0.inet.0" from under [edit
routing-options rib-groups interface-rib]. Does anyone understand why?
Best regards,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com