[j-nsp] SRX, UDP traffic, routing asymmetry

Per Westerlund p1 at westerlund.se
Thu Dec 6 05:58:49 EST 2012


To follow up my own post (even more to follow), here is the config you use
on a J-series router to put it in router-mode. Nothing magic, just some
configuration. This will work with SRX as well, there is nothing J-series
specific in here. This config is found in
/etc/config/jsr-series-routermode-factory.conf, and the box I picked it from
was running Junos 10.2R4.8.

It is a starting point, you then modify it to your taste. This will give you
(almost) routing properties, with IPsec available.

One of the problems that might hit you if you have lots of unrelated
traffic is that you run out of sessions. You are still running in flow
mode, there are still sessions created, but you allow any packet to start a
new session. If you have asymmetric flows, the existing flows are never
closed properly, but always time out instead.

/Per

Here is the config:

adm_perw at segotrt01> file show /etc/config/jsr-series-routermode-factory.conf | no-more
## This configuration is used to transition a box to router mode.
##

system {
    syslog {
        file messages {
            any any;
        }
    }
    services {
        telnet;
        ssh;
        web-management {
            http {
                interface [ ge-0/0/0.0 ];
            }
        }
    }
}

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

security {
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    forwarding-options {
        family {
            iso {
                mode packet-based;
            }
            inet6 {
                mode packet-based;
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        msrpc disable;
        sunrpc disable;
    }
}

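
The session-exhaustion caveat above (flow mode still builds a session per flow, and with routing asymmetry the reverse wing never sees traffic, so sessions age out instead of closing) is something you can check for from the CLI. The script below is an added example, not part of the mailing-list post: it parses constructed, hand-written text in the layout of `show security flow session` and `show security flow session summary` (the field layout is an assumption made here, not taken from the post), flags sessions whose reply wing has counted zero packets, and reports how full the session table is.

```python
"""Spot one-way (asymmetric) flow sessions and session-table pressure.

Added example: the sample CLI output below is constructed by hand and the
field layout is assumed to follow the classic text format of
`show security flow session` and `show security flow session summary`.
"""
import re

# Constructed sample of `show security flow session` output (not real device output).
SESSION_OUTPUT = """\
Session ID: 101, Policy name: default-policy-00/2, Timeout: 1794, Valid
  In: 10.1.1.10/51234 --> 10.2.2.20/53;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 64
  Out: 10.2.2.20/53 --> 10.1.1.10/51234;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 102, Policy name: default-policy-00/2, Timeout: 1792, Valid
  In: 10.1.1.11/40000 --> 10.2.2.20/53;udp, If: ge-0/0/0.0, Pkts: 3, Bytes: 192
  Out: 10.2.2.20/53 --> 10.1.1.11/40000;udp, If: ge-0/0/1.0, Pkts: 3, Bytes: 300
Session ID: 103, Policy name: default-policy-00/2, Timeout: 1786, Valid
  In: 10.1.1.12/22 --> 10.3.3.30/50001;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 1800
  Out: 10.3.3.30/50001 --> 10.1.1.12/22;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 3
"""

# Constructed sample of `show security flow session summary` output.
SUMMARY_OUTPUT = """\
Unicast-sessions: 7900
Multicast-sessions: 0
Failed-sessions: 12
Sessions-in-use: 7900
  Valid sessions: 7800
  Pending sessions: 0
  Invalidated sessions: 100
  Sessions in other states: 0
Maximum-sessions: 8192
"""

SESSION_RE = re.compile(r"^Session ID: (\d+),.*Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s+(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Return a list of sessions, each with its In/Out wings and counters."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "timeout": int(m.group(2)), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            direction, src, dst, proto, ifname, pkts, nbytes = m.groups()
            cur["wings"][direction] = {
                "src": src, "dst": dst, "proto": proto, "if": ifname,
                "pkts": int(pkts), "bytes": int(nbytes),
            }
    return sessions


def one_way_sessions(sessions):
    """Sessions where one wing has never carried a packet. The reply path is
    bypassing this box, so the session can only be removed by its idle timeout
    (never by a FIN/RST or a DNS reply closing it)."""
    return [s for s in sessions if any(w["pkts"] == 0 for w in s["wings"].values())]


def parse_summary(text):
    """Turn the summary's 'Name: number' lines into a dict of ints."""
    fields = {}
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        if val.strip().isdigit():
            fields[key.strip()] = int(val)
    return fields


def table_pressure(summary):
    """Fraction of the session table currently in use (0.0 .. 1.0)."""
    return summary["Sessions-in-use"] / summary["Maximum-sessions"]


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_OUTPUT)
    for s in one_way_sessions(sessions):
        w = s["wings"]["In"]
        print(f"one-way session {s['id']}: {w['src']} -> {w['dst']} {w['proto']} "
              f"(timeout {s['timeout']}s, reply wing idle)")
    usage = table_pressure(parse_summary(SUMMARY_OUTPUT))
    print(f"session table {usage:.1%} full")
```

On a real box you would feed it `show security flow session | no-more` output captured over SSH instead of the constructed strings; a growing count of one-way sessions together with rising table usage is the symptom the post describes, and the fix is on the routing side (make the return path traverse the same box), not in the flow configuration.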
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Per Westerlund
Sent: 3 December 2012 06:57
To: Dale Shaw
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX, UDP traffic, routing asymmetry

SRX as router with IPsec?

Have you tried Router Context? Most docs talk about J-series, but it works
with SRX as well.

If you need security (as in policies and zones) as well, there is selective
packet mode. I have done some work in that area, and can give details later
(right now I'm off-line and soon asleep).

/Per

Sent from my iPad, please ignore stupid spelling corrections!

On 3 Dec 2012, at 04:48, Dale Shaw <dale.shaw+j-nsp at gmail.com> wrote:

> 
> 
> cheers,
> Dale (..on the never-ending quest to make SRXs behave like routers w/IPsec)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
