Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Interfaces User Guide for Security Devices Configuring Interface Encapsulation

Interfaces User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Interfaces User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configuring GRE Keepalive Time

date_range 20-Dec-24
arrow_backward
arrow_forward

Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. Keepalive messages help the GRE tunnel interfaces to detect when a tunnel is down. The topics below discuss the working and configuration of GRE keepalive time.

Understanding GRE Keepalive Time

Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. You can enable keepalive messages to serve as the detection mechanism.

Keepalive times are only configurable for the ATM-over-ADSL interface, which is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM starting in Junos OS Release 15.1X49-D10. Keepalive times are enabled by default for other interfaces.

Keepalives can be configured on the physical or on the logical interface. If configured on the physical interface, keepalives are sent on all logical interfaces that are part of the physical interface. If configured on a individual logical interface, keepalives are only sent to that logical interface. In addition to configuring a keepalive, you must configure the hold time.

You can configure the keepalives on a generic routing encapsulation (GRE) tunnel interface by including both the keepalive-time statement and the hold-time statement at the [edit protocols oam gre-tunnel interface interface-name] hierarchy level.

Note:

For proper operation of keepalives on a GRE interface, you must also include the family inet statement at the [edit interfaces interface-name unit unit] hierarchy level. If you do not include this statement, the interface is marked as down.

See Also

  • keepalive-time
  • hold-time

Configuring GRE Keepalive Time

Keepalive times are only configurable for the ATM-over-ADSL interface, which is no longer supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550HM starting in Junos OS Release 15.1X49-D10.

Configuring Keepalive Time and Hold time for a GRE Tunnel Interface

You can configure the keepalives on a generic routing encapsulation (GRE) tunnel interface by including both the keepalive-time statement and the hold-time statement at the [edit protocols oam gre-tunnel interface interface-name] hierarchy level.

Note:

For proper operation of keepalives on a GRE interface, you must also include the family inet statement at the [edit interfaces interface-name unit unit] hierarchy level. If you do not include this statement, the interface is marked as down.

To configure a GRE tunnel interface:

  1. Configure the GRE tunnel interface at [edit interfaces interface-name unit unit-number] hierarchy level, where the interface name is gr-x/y/z, and the family is set as inet.
    content_copy zoom_out_map
    user@host# set interfaces interface-name unit unit-number family family-name
  2. Configure the rest of the GRE tunnel interface options based on requirement.

To configure keepalive time for a GRE tunnel interface:

  1. Configure the Operation, Administration, and Maintenance (OAM) protocol at the [edit protocols] hierarchy level for the GRE tunnel interface.

    content_copy zoom_out_map
    [edit]
user@host# edit protocols oam

  2. Configure the GRE tunnel interface option for OAM protocol.

    content_copy zoom_out_map
    [edit protocols oam]
user@host# edit gre-tunnel interface interface-name

  3. Configure the keepalive time from 1 through 50 seconds for the GRE tunnel interface.

    content_copy zoom_out_map
    [edit protocols oam gre-tunnel interface interface-name]
user@host# set keepalive-time seconds

  4. Configure the hold time from 5 through 250 seconds. Note that the hold time must be at least twice the keepalive time.

    content_copy zoom_out_map
    [edit protocols oam gre-tunnel interface interface-name]
user@host# set hold-time seconds

Display GRE Keepalive Time Configuration

Purpose

Display the configured keepalive time value as 10 and hold time value as 30 on a GRE tunnel interface (for example, gr-1/1/10.1):

Action

To display the configured values on the GRE tunnel interface, run the show oam gre-tunnel command at the [edit protocols] hierarchy level:

content_copy zoom_out_map
[edit protocols]
user@host# show oam gre-tunnel
    interface gr-1/1/10.1 {                                                                                                       
        keepalive-time 10;                                                                                                       
        hold-time 30;                                                                                                       
    }

Display Keepalive Time Information on a GRE Tunnel Interface

Purpose

Display the current status information of a GRE tunnel interface when keepalive time and hold time parameters are configured on it and when the hold time expires.

Action

To verify the current status information on a GRE tunnel interface (for example, gr-3/3/0.3), run the show interfaces gr-3/3/0.3 terse and show interfaces gr-3/3/0.3 extensive operational commands.

show interfaces gr-3/3/0.3 terse

content_copy zoom_out_map
user@host> show interfaces gr-3/3/0.3 terse

                                                                                                                      Interface               Admin Link Proto    Local                 Remote
                                                                                                                      gr-3/3/0.3              up    up   inet     200.1.3.1/24    
                                                                                                                      mpls

show interfaces gr-3/3/0.3 extensive

content_copy zoom_out_map
user@host> show interfaces gr-3/3/0.3 extensive
Logical interface gr-3/3/0.3 (Index 73) (SNMP ifIndex 594) (Generation 900)
                                                                                                                            Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header 10.1.19.11:10.1.19.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
                                                                                                                            Gre keepalives configured: On, Gre keepalives adjacency state: down
                                                                                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                                                                                              Traffic statistics:
                                                                                                      Input  bytes  :             15629992
                                                                                                      Output bytes  :             15912273
                                                                                                      Input  packets:               243813
                                                                                                      Output packets:               179476
                                                                                                      Local statistics:
                                                                                                      Input  bytes  :             15322586
                                                                                                      Output bytes  :             15621359
                                                                                                      Input  packets:               238890
                                                                                                      Output packets:               174767
                                                                                                      Transit statistics:
                                                                                                      Input  bytes  :               307406                    0 bps
                                                                                                      Output bytes  :               290914                    0 bps
                                                                                                      Input  packets:                 4923                    0 pps
                                                                                                      Output packets:                 4709                    0 pps
                                                                                                      Protocol inet, MTU: 1476, Generation: 1564, Route table: 0
                                                                                                      Flags: Sendbcast-pkt-to-re
                                                                                                      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
                                                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                                                                        Destination: 200.1.3/24, Local: 200.1.3.1, Broadcast: 200.1.3.255, Generation: 1366
                                                                                                        Protocol mpls, MTU: 1464, Maximum labels: 3, Generation: 1565, Route table: 0
Note:

When the hold time expires:

  • The GRE tunnel will stay up even though the interface cannot send or receive traffic.

  • The Link status will be Up and the Gre keepalives adjacency state will be Down.

Meaning

The current status information of a GRE tunnel interface with keepalive time and hold time parameters is displayed as expected when the hold time expires.

Example: GRE Configuration

Generic routing encapsulation (GRE) is an IP encapsulation protocol that is used to transport packets over a network. Information is sent from one network to the other through a GRE tunnel. GRE encapsulates a payload as a GRE packet. This GRE packet is encapsulated in an outer protocol (delivery protocol). GRE tunnel endpoints forward payloads into GRE tunnels for routing packets to the destination. After reaching the end point, GRE encapsulation is removed and the payload is transmitted to its final destination. The primary use of GRE is to carry non-IP packets through an IP network; however, GRE is also used to carry IP packets through an IP cloud.

Requirements

  • Configure a GRE (gr-) interface. The gr- interface contains a local address and destination address. It comes up as soon as it is configured. You can even configure an IP address on the gr- interface.

  • Configure a route to reach the destination subnet (end-to-end connectivity). You can configure either a static route through the gr- interface or use an interior gateway protocol (IGP) such as OSPF.

Overview

GRE tunnels are designed to be completely stateless, which means that each tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. Normally, a GRE tunnel interface comes up as soon as it is configured, and it stays up as long as there is a valid tunnel source address or interface that is up.

Configuration

By default, the local subnet interface is ge-0/0/0 with IPv4 address as 10.10.11.1/24. The destination subnet is 10.10.10.0/24 with the tunnel endpoint IPv4 interface as 10.10.10.1/24.

GRE configuration shows the default configuration between the tunnel interfaces on SRX Series Firewalls.

Figure 1: GRE Configuration GRE Configuration

Configuring a Route to Reach the Destination Subset

Step-by-Step Procedure

You can either configure a static route through the gr- interface or by using IGP.

  1. Configure the local subnet interface ge-0/0/0 interface.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.10.11.1/24

  2. Configure the interface ge-0/0/1.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.12.1/24

  3. Configure the gr- tunnel endpoints and specify the source address, destination address, and family as inet for the tunnel endpoints.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/0/0  unit 0 tunnel source 10.1.12.1 destination 10.1.23.1
user@host# set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.1/24

  4. The configured interfaces are bound to a security zone at the [edit security] hierarchy level. Use the show zones command to view the zones. Configure the zones as follows:

    content_copy zoom_out_map
    [edit security zones security-zones trust]]
user@host# set host-inbound-traffic system-services all 
user@host# set host-inbound-traffic protocols all 
user@host# set interfaces gr-0/0/0.0 
user@host# set zones zone names protocols all
    content_copy zoom_out_map
    [edit security zones security-zones untrust]]
user@host# set host-inbound-traffic system-services all 
user@host# set host-inbound-traffic protocols all

  5. View the configured interfaces at the [edit interfaces] hierarchy level using the show command.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set routing options static route 10.10.10.0/24 next hop gr-0/0/0.0

  6. In case you do not want to define a static route, OSPF can be configured between gr-0/0/0 interfaces on both the sides and internal subnet as passive neighbor, to receive all the internal routes. Configure OSPF at the [edit protocols] hierarchy level and view it using the show command.

    content_copy zoom_out_map
    [edit protocols]
user@host# set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
Results

In configuration mode, confirm your configuration on the devices by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

GRE configuration using the static route:

content_copy zoom_out_map
[edit interfaces]
root@SRX-1# show 
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.10.11.1/24;
        }
    }
}

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 10.1.12.1;
            destination 10.1.23.1;
        }
        family inet {
            address 192.168.1.1/24;
        }
    }
}

ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.1.12.1/24;
        }
    }                                   
}

[edit security]
root@SRX-1# show 
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            gr-0/0/0.0;
        }
    }
}

root@SRX-1# show routing-options 
static {
    route 10.10.10.0/24 next-hop gr-0/0/0.0;
}

GRE configuration using OSPF configured between interfaces gr-0/0/0 on both sides and internal subnet as passive neighbor:

content_copy zoom_out_map
[edit protocols]
root@SRX-1# show 
ospf {
    area 0.0.0.0 {
        interface gr-0/0/0.0;
        interface ge-0/0/0.0 {
            passive;
        }
    }
}

Verification

To verify that the configuration of GRE on the SRX Series Firewall is successful, perform the following tasks:

Verification of the GRE Interfaces

Purpose

Verify that the GRE interfaces are up.

Action

Run the show interfaces command at the [edit interfaces] hierarchy level:

content_copy zoom_out_map
show interfaces gr-0/0/0 terse
[edit interfaces]
Interface Admin Link Proto Local Remote
gr-0/0/0   up up
gr-0/0/0.0 up up inet 192.168.1.1/24

Verification of the Route

Purpose

Verify that the route for the destination network is reachable through the GRE tunnel interface.

Action

Run the show route forwarding-table matching 10.10.10.0/24 command at the [edit interfaces] hierarchy level:

content_copy zoom_out_map
[edit interfaces]
user@router# run show route forwarding-table matching 10.10.10.0/24 
Routing table: default.inet
Internet:
 ....
Destination        Type RtRef Next hop           Type Index    NhRef Netif
10.10.10.0/24      user     0                    ucst      595     2 gr-0/0/0.0

Verification of Traffic Through GRE Tunnel

Purpose

Send the traffic to the destination subnet and verify when the GRE interface is up.

Action

Run the show interfaces gr-0/0/0 extensive operational command. Also verify that the packets are leaving through the gr- interface.

content_copy zoom_out_map
user@host> show interfaces gr-0/0/0 extensive 
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 40, Generation: 17
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Statistics last cleared: 2005-08-05 21:39:41 UTC (00:00:47 ago)
Traffic statistics:
Input bytes : 8400 0 bps
Output bytes : 8400 0 bps
Input packets: 100 0 pps
Output packets: 100 0 pps

Logical interface gr-0/0/0.0 (Index 72) (SNMP ifIndex 28) (Generation 17)
Flags: Point-To-Point SNMP-Traps 16384
IP-Header 10.1.12.1:10.1.23.1:47:df:64:0000000000000000
Encapsulation: GRE-NULL
Traffic statistics:
Input bytes : 8400
Output bytes : 8400
Input packets: 100
Output packets: 100
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Input bytes : 8400 0 bps
Output bytes : 8400 0 bps
Input packets: 100 0 pps
Output packets: 100 0 pps
Protocol inet, MTU: 1476, Generation: 25, Route table: 0
Flags: None
Addresses, Flags: Is-Primary
Destination: Unspecified, Local: 192.168.0.1, Broadcast: Unspecified,
Generation: 30

See Also

Example: Configuring GRE over IPsec Tunnels

Requirements

Overview

GRE tunnels offer minimal security, whereas an IPsec tunnel offers enhanced security in terms of confidentiality, data authentication, and integrity assurance. Also, IPsec cannot directly support multicast packets. However, if an encapsulated GRE tunnel is used first, an IPsec tunnel can then be used to provide security to the multicast packet. In a GRE over IPsec tunnel, all of the routing traffic (IP and non-IP) can be routed through. When the original packet (IP/non-IP) is GRE encapsulated, it has an IP header as defined by the GRE tunnel, normally the tunnel interface IP addresses. The IPsec protocol can understand the IP packet; so it encapsulates the GRE packet to make it GRE over IPsec.

The basic steps involved in configuring GRE over IPsec are as follows:

  • Configure the route-based IPsec tunnel.

  • Configure the GRE tunnel.

  • Configure a static route with the destination as the remote subnet through the gr- interface.

  • Configure the static route for the GRE endpoint with the st0 interface as next hop.

Configuration

In this example, the default configuration has the local subnet interface as ge-0/0/0 with the IPv4 address as 10.10.11.1/24. The destination subnet is 10.10.10.0/24. The gr-0/0/0 interface tunnel endpoints are loopback addresses on both the sides, with the local loopback IPv4 address as 172.20.1.1 and the remote loopback IPv4 address as 172.20.1.2. The gr-0/0/0, st0 and lo0 interfaces are bound to a security zone and policies are created accordingly.

Configuring a GRE interface over an IPsec tunnel

Step-by-Step Procedure

  1. Configure the GRE at the [set interfaces interface-name unit unit-number] hierarchy level, where the interface name is ge-0/0/0, and the family is set as inet.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.10.11.1/24

  2. Configure the gr- tunnel endpoints and specify the source address, destination address, and family as inet for the tunnel endpoints.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/0/0  unit 0 tunnel source 172.20.1.1 destination 172.20.1.2 
user@host# set interfaces gr-0/0/0  unit 0 family inet 192.168.1.1/24

  3. Similarly configure the lo0 and st0 interface with the family set as inet.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces lo0 unit 0 family inet address 172.20.1.1/32
    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces st0 unit 0 family inet

  4. Confifure the GRE interfaces with security zones. Use the show zones command to view the zones, where the configured tunnel interfaces, lo0 and st0 are displayed.

    content_copy zoom_out_map
    [edit security zones security-zones trust]]
user@host# set host-inbound-traffic system-services all 
user@host# set host-inbound-traffic protocols all 
user@host# set interfaces gr-0/0/0.0 
user@host# set zones zone names protocols all 
user@host# set interfaces lo0.0
user@host# set interfaces st0.0
    content_copy zoom_out_map
    [edit security zones security-zones untrust]]
user@host# set host-inbound-traffic system-services all 
user@host# set host-inbound-traffic protocols all 
user@host# set interfaces gr-0/0/0.0.1 
user@host# set interfaces lo0.0
user@host# set interfaces st0.0

Results

In configuration mode, confirm your interface configuration by entering the show command. The configured interfaces are bound to a security zone at the [edit security] hierarchy level. Use the show zones command to view the zones, where the configured interfaces (gr-, st0.0, and lo0) are displayed. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Parameters for configuring the GRE interfaces:

content_copy zoom_out_map
user@host> show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.10.11.1/24;
        }
    }
}

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 172.20.1.1;
            destination 172.20.1.2;
        }
        family inet {
            address 192.168.1.1/24;
        }
    }
}

lo0 {
    unit 0 {
        family inet {
            address 172.20.1.1/32;
        }
    }
}

st0 {
    unit 0 {
        family inet;
    }
}

[edit]
root@Juniper# show
routing-options {
    static {                           
        route 10.10.10.0/24 next-hop gr-0/0/0.0;
        route 172.20.1.2/32 next-hop st0.0;
    }
}

Parameters for configuring the GRE interfaces with security zones:

content_copy zoom_out_map
[edit security]
root@Juniper# show
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            gr-0/0/0.0;
            lo0.0;
            st0.0;
        }
    }
}

Verification

Verification of the IPsec Tunnel

Purpose

Verify that the IPsec tunnel is up.

Action

Run the commands show security ike security-associations and show security ipsec security-associations commands.

See Also

Example: Configuring a GRE Tunnel When the Tunnel Destination Is in a Routing Instance

Requirements

Overview

You can configure a GRE tunnel when the tunnel destination is in a default routing instance or non-default routing instance. Configuration of a GRE tunnel requires defining the tunnel source and the tunnel destination addresses. If the tunnel destination is in a routing instance, and there is more than one routing instance present, you need to specify the correct routing instance and also the routing table to be used to reach the configured tunnel destination address.

Note:

The tunnel destination address is by default considered to be reachable using the default routing table "inet.0".

Configuration

In this example, you can configure a GRE tunnel between the gr- interfaces on SRX Series Firewalls with two instances. The instances are when the tunnel destination is in a default routing instance and when the tunnel destination is in a non-default routing instance.

Configuring a GRE Tunnel When the Tunnel Destination Is in a Default Routing Instance

This example uses the default routing instance to reach the tunnel destination. Because of this, the routing table inet.0 is used by default.

Step-by-Step Procedure

  1. Specify the source and destination address of the tunnel.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/0/0  unit 0 tunnel source 172.16.0.1 destination 10.10.1.2 
user@host# set interfaces gr-0/0/0  unit 0 family inet 192.168.100.1/30;

  2. Configure the ge- interface and lo0 interface with the family set as inet.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 172.30.73.56/24
user@host# set interfaces lo0 unit 0 family inet address 172.16.0.1/32

  3. Configure the GRE tunnel interface for routing options as mentioned in the GRE configuration topic.

Configuring a GRE Tunnel When the Tunnel Destination Is in a Non-default Routing Instance

For a non-default routing instance, ensure that you have already configured the gr-0/0/0 interface.

Step-by-Step Procedure

  1. Configure the GRE tunnel with the gr-0/00 interface and family set as inet.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/00 unit 0 family inet address

  2. Specify the source and destination address of the tunnel.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/0/0  unit 0 tunnel source 172.16.0.1 tunnel destination 10.10.1.2 family inet 192.168.100.1/30;

  3. Configure the ge- interface and lo0 interface with the family set as inet.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 172.30.73.56/24
user@host# set interfaces lo0 unit 0 family inet address 172.16.0.1/32

  4. Configure the routing instances used for the tunnel interface.

    content_copy zoom_out_map
    [edit routing-instances]
user@host# set routing-instances test instance-type virtual-router 
user@host# set routing-instances test routing-options static route 10.10.1.2/32 next-hop 172.30.73.57 
user@host# set routing-instances test interface ge-0/0/0.0

  5. Configure the routing-instance for GRE tunnel interfaces.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set interfaces gr-0/0/0 unit 0  tunnel routing-instance destination test

  6. Add the static route for tunnel destination.

    content_copy zoom_out_map
    [edit interfaces]
user@host# set routing-options static route 10.10.1.2/32 next-table test.inet.0
    Note:

    When the SRX Series Firewall is in packet mode, you do not need to configure a static route to make the tunnel destination reachable from inet.0. However, you still need to specify the correct routing instance under the gr-0/0/0 interface.

Results

In configuration mode, confirm your configuration on the devices by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

When the tunnel destination is in a default routing instance:

content_copy zoom_out_map
interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.16.0.1;
                destination 10.10.1.2;
            }
            family inet {
                address 192.168.100.1/30;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.30.73.56/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.16.0.1/32;
            }
        }
    }
    ...
}
routing-options {
    static {
        route 10.10.1.2/32 next-hop 172.30.73.57;                   # Tunnel destination is reachable from default routing-instance
        ...
    }
}
routing-instances {
    test {
        instance-type virtual-router;
        interface gr-0/0/0.0;
        routing-options {
            ...
        }
    }
}

When the tunnel destination is in a non-default routing instance:

content_copy zoom_out_map
interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 172.16.0.1;
                destination 10.10.1.2;
                routing-instance {
                    destination test;                               # Routing-instance to reach tunnel destination
                }
            }
            family inet {
                address 192.168.100.1/30;
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 172.30.73.56/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.16.0.1/32;
            }
        }
    }
    ...
}

routing-options {
         static {
         route 10.10.1.2/32 next-table test.inet.0;                 # Tunnel destination is reachable via test.inet.0
     ...
     }
}

routing-instances {
     test {
         instance-type virtual-router;
         interface ge-0/0/0;
         routing-options {
             static {
                 route 10.10.1.2/32 next-hop 172.30.73.57;          # Tunnel destination is reachable from non-default routing-instance
                 ...
             }
         }
     }
}

Verification

Verification of Static Route Use

Purpose

Verify that the static route is used.

Action

Run the show route forwarding table command.

content_copy zoom_out_map
user@host> show route forwarding-table table test
No Title 
Routing table: test.inet
Internet:
Enabled protocols: Bridging, 
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            perm     0                    rjct      597     1
0.0.0.0/32         perm     0                    dscd      590     1
10.10.1.2/32       user     1 172.30.73.57       hold      598     4 ge-0/0/0.0
172.16.0.1.10.10.1.2.47/72
                   dest     0                    locl      617     1
172.30.73.0/24     intf     0                    rslv      588     1 ge-0/0/0.0
172.30.73.0/32     dest     0 172.30.73.0        recv      586     1 ge-0/0/0.0
172.30.73.56/32    intf     0 172.30.73.56       locl      587     2
172.30.73.56/32    dest     0 172.30.73.56       locl      587     2
172.30.73.57/32    dest     0 172.30.73.57       hold      598     4 ge-0/0/0.0
172.30.73.255/32   dest     0 172.30.73.255      bcst      585     1 ge-0/0/0.0
224.0.0.0/4        perm     0                    mdsc      596     1
224.0.0.1/32       perm     0 224.0.0.1          mcst      600     1
255.255.255.255/32 perm     0                    bcst      601     1

Verification of Static Route Used in Default Instance

Purpose

Verify that the static route is used for the default instance.

Action

Run the show route forwarding table command.

content_copy zoom_out_map
user@host> show route forwarding-table matching 10.10.1.2
Routing table: default.inet
Internet:
Enabled protocols: Bridging, 
Destination        Type RtRef Next hop           Type Index    NhRef Netif
10.10.1.2/32       user     0                    rtbl      604     3

See Also

Related Documentation

arrow_backward PREVIOUS Interface Encapsulation Overview
NEXT arrow_forward Configuring Point-to-Point Protocol over Ethernet
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top