[j-nsp] J-series, hoping packets between routing-instances

Ben Dale bdale at comlinx.com.au
Thu Nov 7 17:34:21 EST 2013


Hi Mike,

First.. Yikes!

Second - yes this is possible.  It is perfectly legal to use FBF to bounce across routing instances and still match security policy - just ensure your security policy includes the source and destination zones for the *ultimate* destination of the flow is correct - whether it exists in the instance the traffic ends up in is ignored by the flow engine.

On 8 Nov 2013, at 12:37 am, Mike Williams <mike.williams at comodo.com> wrote:

> Hi all,
> 
> I might have painted myself into a corner here, so I'm here looking for 
> options from people far cleverer than I.
> 
> Firstly, a bit of history.
> 
> We're using J6350s, and SRX650s, as "security devices on a stick".
> Our Ms and MXs punt packets into a routing instance on the "security devices" 
> with firewall filters. Those routing instances purposely only use the most 
> basic of static routes possible (10/8, 192.168/16, etc), so we can be certain 
> what zones packets pass through so the policies match.
> 
> That all works fine.
> 
> 
> We're also centralising our inter-site IPSec onto the Js and SRXs, but need 
> OSPF there, so have a second routing-instance and a partial mesh of routed 
> tunnels between them.
> Still, all good.
> Offices and what-not have tunnels tied directly to the IPSec routing-instances 
> and OSPF metrics keep traffic flows sane.
> All hunky dory.
> 
> 
> 
> Now the problem.
> 
> I need to take traffic from servers behind an M/MX have it policy'd by the 
> "security" routing instance, then encrypted by the IPSec routing-instance.
> If I punt traffic into "security", let it come back to the router, then punt 
> it back into "ipsec", everything works as expected.
> However each packet has to pass across the M/MX<->J/SRX link 4 times, in out, 
> in out. Shake it all about.
> 
> Obviously this would be better if we could shortcut the M/MX step in the 
> middle and move packets from "security" to "ipsec", and "ipsec" to "security" 
> directly.
> 
> As "security" doesn't run OSPF/BGP/ISIS/etc adding a static route "next-table 
> ipsec.inet.0" is fine.
> "ipsec" *does* run OSPF though, so I need to do FBF to override that. I've 
> tried a "then routing-instance security" filter applied on output on the 
> interface facing the M/MX, but my traffic get lost somewhere. Security 
> policies from 'input-ipsec-zone' to 'output-security-zone' were added.
> 
> 
> I'm wondering if 'moving' packets from routing-instance to routing-instance on 
> a flow-mode device simply screws up security policies. As one of the input or 
> output interface don't exist in the routing-instance.
> So I figured *routing* packets from routing-instance to routing-instance would 
> be better. Time for some logical tunnels! J-series devices don't support 
> logical tunnels though.
> 
> Argh!
> 
> -- 
> Mike Williams
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 




More information about the juniper-nsp mailing list