[j-nsp] M-series IPSEC / SP interface and VRF
Alex Arseniev
alex.arseniev at gmail.com
Tue Dec 17 12:27:29 EST 2013
For the traffic to be encrypted, the BGP nexthop has to point into the
tunnel which means one of the below:
1/ BGP has to run inside the tunnel, or
2/ You have to have a BGP import policy to change the nexthop to
tunnel's remote address. If this is eBGP, then also add
"accept-remote-nexthop" knob.
HTH
Thanks
Alex
On 17/12/2013 16:08, Scott Harvanek wrote:
> So this works to establish the tunnels, the problem is, BGP received
> routes over the tunnel do not function correctly. The routes are
> properly installed in the VRF but traffic to those destinations does
> not pass correctly. Does anyone have any experience running BGP like
> this on the m-series or does it just not work on next-hop-style?
>
> Thanks,
> -SH
>
> On 11/12/13, 1:34 PM, Scott Harvanek wrote:
>> Yep excellent, I'll give it a whirl, thanks!
>>
>> Scott H.
>>
>> On 11/12/13, 1:24 PM, Alex Arseniev wrote:
>>> So, if I understand Your requirement, You want sp-0/0/0.<unit> in
>>> VRF, correct?
>>> And outgoing GE interface in inet.0?
>>> And where the decrypted packets should be placed, inet.0 or VRF?
>>> And where from the to-be-encrypted packets should arrive, from inet.0
>>> or VRF?
>>> If the answer is "correct/inet.0/VRF/VRF" then migrate to
>>> next-hop-style IPSec and place inside sp-* unit into the VRF leaving
>>> outside sp-* unit in inet.0.
>>> HTH
>>> Thanks
>>> Alex
>>>
>>> On 12/11/2013 16:35, Scott Harvanek wrote:
>>>> Alex,
>>>>
>>>> Yea, tried this but it looks like you can't set it to the default
>>>> inet.0 instance, only to things different... the local gw in my
>>>> case is in the default instance and I want the service interface in
>>>> another so unless I'm mistaken it's in default by default and this
>>>> fails?
>>>>
>>>> Scott H.
>>>>
>>>> On 11/12/13, 11:22 AM, Alex Arseniev wrote:
>>>>> Yes
>>>>>
>>>>> [edit]
>>>>> aarseniev at m120# set services service-set SS1 ipsec-vpn-options
>>>>> local-gateway ?
>>>>> Possible completions:
>>>>> <address> Local gateway address
>>>>> routing-instance Name of routing instance that hosts local
>>>>> gateway <=====!!!! CHECK THIS OUT!!!
>>>>> aarseniev at m120> show version
>>>>> Hostname: m120
>>>>> Model: m120
>>>>> JUNOS Base OS boot [10.4S7.1]
>>>>>
>>>>> HTH
>>>>> Thanks
>>>>> Alex
>>>>>
>>>>> On 12/11/2013 16:05, Scott Harvanek wrote:
>>>>>> Anyone with any ideas on this?
>>>>>>
>>>>>> Scott H.
>>>>>>
>>>>>> On 11/9/13, 12:58 PM, Scott Harvanek wrote:
>>>>>>> Is there a way to build an IPSec tunnel / service interface where
>>>>>>> the local gateway is NOT in the same routing-instance as the
>>>>>>> service interface?
>>>>>>>
>>>>>>> Here's what I'm trying to do;
>>>>>>>
>>>>>>> [ router A (SRX) ] == Switch / IS-IS mesh == [ router B m10i ]
>>>>>>> [ st0.0 / VRF ] ================= [ sp-0/0/0.0 / VRF ]
>>>>>>>
>>>>>>> The problem is, I want sp-0/0/0.0 on router B in a VRF but NOT
>>>>>>> the outside interface on router B. I cannot commit unless the
>>>>>>> outside/local-gateway on the IPSec tunnel is in the same
>>>>>>> routing-instance as the service interface. Is there a way around
>>>>>>> this? The SRX devices can do this without issue.
>>>>>>>
>>>>>>> service-set XXXX {
>>>>>>>     interface-service {
>>>>>>>         service-interface sp-0/0/0.0;   <-- want this in a VRF
>>>>>>>     }
>>>>>>>     ipsec-vpn-options {
>>>>>>>         local-gateway x.x.x.x;          <-- default routing instance
>>>>>>>     }
>>>>>>>     ipsec-vpn-rules XXXX;
>>>>>>> }
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>
>>>
>>
>
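The following configuration sketch is an added illustration of Alex's advice earlier in the thread (the next-hop-style service set with the inside sp- unit in the VRF and the outside unit in inet.0, plus the BGP import policy and "accept-remote-nexthop" knob from his last reply). It is not configuration posted by anyone on the list or taken from Juniper documentation. The VRF name, service-set and policy names, unit numbers, AS numbers and all addresses (10.255.0.0/30 for the tunnel's inside ends, 192.0.2.1 as local gateway, 203.0.113.5 as remote gateway, 10.20.0.2 as a cleartext BGP peer address) are constructed placeholders, and the IKE/IPsec proposals, policies and the ipsec-vpn rule are omitted.

```junos
/* Added example; names, units and addresses are constructed placeholders. */
interfaces {
    sp-0/0/0 {
        unit 1 {
            /* inside unit: cleartext side, placed in the VRF below */
            family inet {
                address 10.255.0.1/30;
            }
            service-domain inside;
        }
        unit 2 {
            /* outside unit: ESP side, stays in inet.0 with the local gateway */
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set SS-VRF-A {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            /* address of an inet.0 interface; no routing-instance needed here */
            local-gateway 192.0.2.1;
        }
        /* rule VRF-A-TO-PEER (remote-gateway 203.0.113.5, IKE/IPsec
           policies) assumed to be defined under services ipsec-vpn */
        ipsec-vpn-rules VRF-A-TO-PEER;
    }
}
policy-options {
    policy-statement NH-INTO-TUNNEL {
        /* Option 2 from the thread: rewrite the BGP next hop to the tunnel's
           remote inside address, so the forwarding next hop resolves via
           sp-0/0/0.1 and the traffic is encrypted by the service set. */
        term bgp-routes {
            from protocol bgp;
            then {
                next-hop 10.255.0.2;
                accept;
            }
        }
    }
}
routing-instances {
    VRF-A {
        instance-type vrf;
        /* only the inside unit joins the VRF; sp-0/0/0.2 remains in inet.0 */
        interface sp-0/0/0.1;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        protocols {
            bgp {
                /* Option 1 from the thread: run the session inside the tunnel.
                   The peer address is the remote inside address, so the
                   received next hop already resolves via sp-0/0/0.1. */
                group PEER-INSIDE-TUNNEL {
                    type external;
                    peer-as 65001;
                    neighbor 10.255.0.2;
                }
                /* Option 2 from the thread: session to a cleartext peer address
                   reachable over another VRF interface (assumed), with the
                   import policy forcing the next hop into the tunnel.
                   accept-remote-nexthop lets eBGP keep a next hop that is not
                   the peer's own address. */
                group PEER-OUTSIDE-TUNNEL {
                    type external;
                    peer-as 65001;
                    import NH-INTO-TUNNEL;
                    accept-remote-nexthop;
                    neighbor 10.20.0.2;
                }
            }
        }
    }
}
```

Only one of the two BGP groups would normally be used; they are shown together to contrast the two approaches. The check after commit is that "show route table VRF-A.inet.0" lists the BGP routes with a next hop via sp-0/0/0.1, not via the interface over which the BGP session itself is reached.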