Issue
VPN fails to route traffic through the tunnel interface when using a Route Based VPN on an SRX platform.
The following is observed:
- Both Phase 1 and Phase 2 are establishing successfully.
- Traffic is being received inbound from the Remote Peer and decrypted successfully.
- Multiple VPN policies are assigned to a single tunnel interface.
- The following error messages appear in packet-filter outputs.
:CID-2:RT: reth1.0:10.1.10.2->172.16.1.4, icmp, (0/0)
:CID-2:RT: find flow: table 0x513a9788, hash 38416(0xffff), sa 10.1.10.2, da 172.16.1.4, sp 27686, dp 46842, proto 1, tok 7
:CID-2:RT: flow got session.
:CID-2:RT: flow session id 40098
:CID-2:RT: route lookup failed: dest-ip 172.16.1.4 orig ifp st0.0 output_ifp reth0.0 fto 0x25bc49a0 orig-zone 8 out-zone 6 vsd 0
:CID-2:RT: packet dropped, pak dropped since re-route failed
Solution
In order to successfully route traffic via the tunnel interface when using multiple VPN policies (within a Route Based VPN setup), two options are available:
- Configuring multiple tunnel interfaces and assigning a single VPN policy to each one.
- Configuring the tunnel interface as a multi-point interface. If the remote peer is not a J series or SRX device then a static NHTB entry is required.
This solution summarises the configuration steps for the first option (one tunnel interface per VPN policy).
1. Create Multiple Tunnel Interfaces
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
2. Assign Tunnel Interfaces to Zones
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
3. Bind VPN Policies to Tunnel Interfaces
set security ipsec vpn ipsec-vpn-policy0 bind-interface st0.0
set security ipsec vpn ipsec-vpn-policy1 bind-interface st0.1
set security ipsec vpn ipsec-vpn-policy2 bind-interface st0.2
4. Create Routes
set routing-options static route 10.0.0.0/24 next-hop st0.0
set routing-options static route 10.1.0.0/24 next-hop st0.1
set routing-options static route 10.2.0.0/24 next-hop st0.2
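The four steps above are easy to get partly right: a VPN can be re-bound to a new st0 unit while its zone membership or static route is left behind, and the device then drops traffic with the same "route lookup failed" symptom. The following Python script is an added example, not part of the original article or of Junos itself; it parses "set"-style configuration lines (two constructed configurations are embedded: the failing state with three VPNs on one point-to-point st0.0, and the corrected state from the steps above) and reports tunnel units that carry more than one VPN without being multipoint, or that are missing a unit definition, a zone assignment or a static route. The regular expressions and the `multipoint` handling assume the standard Junos "set interfaces st0 unit N multipoint" syntax for the second option on this page.

```python
import re
from collections import defaultdict

# Constructed sample Junos "set" configuration (not from the original page):
# the failing state, three VPN policies bound to a single point-to-point st0.0.
BROKEN_CONFIG = """
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn ipsec-vpn-policy0 bind-interface st0.0
set security ipsec vpn ipsec-vpn-policy1 bind-interface st0.0
set security ipsec vpn ipsec-vpn-policy2 bind-interface st0.0
set routing-options static route 10.0.0.0/24 next-hop st0.0
set routing-options static route 10.1.0.0/24 next-hop st0.0
set routing-options static route 10.2.0.0/24 next-hop st0.0
"""

# Constructed corrected state: one st0 unit per VPN, each in a zone with its own route.
FIXED_CONFIG = """
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
set security ipsec vpn ipsec-vpn-policy0 bind-interface st0.0
set security ipsec vpn ipsec-vpn-policy1 bind-interface st0.1
set security ipsec vpn ipsec-vpn-policy2 bind-interface st0.2
set routing-options static route 10.0.0.0/24 next-hop st0.0
set routing-options static route 10.1.0.0/24 next-hop st0.1
set routing-options static route 10.2.0.0/24 next-hop st0.2
"""

UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+)(?:\s+(.*))?$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def parse_set_config(text):
    """Collect the facts the audit needs from 'set'-style configuration lines."""
    units, multipoint = set(), set()
    zones, binds, routes = {}, defaultdict(list), defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := UNIT_RE.match(line):
            ifp = f"{m.group(1)}.{m.group(2)}"
            units.add(ifp)
            # Assumed syntax for option B on the page: "set interfaces st0 unit N multipoint".
            if (m.group(3) or "").startswith("multipoint"):
                multipoint.add(ifp)
        elif m := ZONE_RE.match(line):
            zones[m.group(2)] = m.group(1)          # interface -> zone
        elif m := BIND_RE.match(line):
            binds[m.group(2)].append(m.group(1))    # interface -> [vpn names]
        elif m := ROUTE_RE.match(line):
            routes[m.group(2)].append(m.group(1))   # interface -> [prefixes]
    return {"units": units, "multipoint": multipoint, "zones": zones,
            "binds": binds, "routes": routes}


def audit_vpn_bindings(text):
    """Return (interface, code, message) findings for tunnel units that will drop traffic."""
    s = parse_set_config(text)
    findings = []
    for ifp, vpns in sorted(s["binds"].items()):
        if len(vpns) > 1 and ifp not in s["multipoint"]:
            findings.append((ifp, "multiple-vpns",
                             f"{len(vpns)} VPNs bound ({', '.join(vpns)}) to a point-to-point "
                             "unit; split onto separate units or make the unit multipoint"))
        if ifp not in s["units"]:
            findings.append((ifp, "no-unit", "bind-interface references an undefined st0 unit"))
        if ifp not in s["zones"]:
            findings.append((ifp, "no-zone", "tunnel unit is not a member of any security zone"))
        if ifp not in s["routes"]:
            findings.append((ifp, "no-route", "no static route points remote subnets at this unit"))
    # A route to a tunnel unit with no VPN bound to it never carries traffic either.
    for ifp in sorted(s["routes"]):
        if ifp.startswith("st0.") and ifp not in s["binds"]:
            findings.append((ifp, "route-without-vpn", "static route next-hop has no VPN bound"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for ifp, code, msg in audit_vpn_bindings(cfg) or [("-", "ok", "no findings")]:
            print(f"{ifp:8} {code:18} {msg}")
```

Run it against the output of `show configuration | display set` saved to a file (replace the embedded strings with the file contents) after each of the four steps; the expected result for the completed procedure is an empty findings list, and the "multiple-vpns" finding on st0.0 corresponds to the "route lookup failed" drops shown in the Issue section.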