
Secure Tunnel Interface in a Virtual Router

A secure tunnel interface (st0) is an internal interface that is used by route-based VPNs to route cleartext traffic to an IPsec VPN tunnel.

Understanding Virtual Router Support for Route-Based VPNs

This feature adds routing-instance support for route-based VPNs. In previous releases, when an st0 interface was placed in a nondefault routing instance, the VPN tunnels on that interface did not work properly. Starting with Junos OS Release 10.4, st0 interfaces can be placed in a routing instance, with each unit configured in point-to-point mode or multipoint mode, so VPN traffic now works correctly in a nondefault VR. You can configure different subunits of the st0 interface in different routing instances. The following functions are supported in nondefault routing instances:

  • Manual key management

  • Transit traffic

  • Self-traffic

  • VPN monitoring

  • Hub-and-spoke VPNs

  • Encapsulating Security Payload (ESP) protocol

  • Authentication Header (AH) protocol

  • Aggressive mode or main mode

  • st0 anchored on the loopback (lo0) interface

  • Maximum number of virtual routers (VRs) supported on an SRX Series Firewall

  • Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Content Security

  • Dead peer detection (DPD)

  • Chassis cluster active/backup

  • Open Shortest Path First (OSPF) over st0

  • Routing Information Protocol (RIP) over st0

  • Policy-based VPN inside VR

Understanding Virtual Router Limitations

When you configure a VPN on SRX Series Firewalls, overlapping IP addresses across virtual routers are supported with the following limitations:

  • An IKE external interface address cannot overlap with an address in any other virtual router.

  • An internal or trust interface address can overlap with addresses in any other virtual router.

  • An st0 interface address cannot overlap in route-based VPNs that use point-to-multipoint tunnels, such as NHTB.

  • An st0 interface address can overlap in route-based VPNs that use point-to-point tunnels.

Example: Configuring an st0 Interface in a Virtual Router

This example shows how to configure an st0 interface in a virtual router.

Requirements

Before you begin, configure the interfaces and assign the interfaces to security zones. See "Security Zones Overview".

Overview

In this example, you perform the following operations:

  • Configure the interfaces.

  • Configure IKE Phase 1 proposals.

  • Configure IKE policies, and reference the proposals.

  • Configure an IKE gateway, and reference the policy.

  • Configure Phase 2 proposals.

  • Configure policies, and reference the proposals.

  • Configure AutoKey IKE, and reference the policy and gateway.

  • Configure the security policy.

  • Configure the routing instance.

  • Configure the VPN bind to tunnel interface.

  • Configure the routing options.

Figure 1 shows the topology used in this example.

Figure 1: Secure Tunnel Interface in a Virtual Router

The following tables show the configuration parameters.

Table 1: Interface, Routing Instance, Static Route, and Security Zone Information for SRX1

  Feature                            Name                       Configuration Parameters
  ---------------------------------  -------------------------  ----------------------------------------------
  Interfaces                         ge-0/0/0.0                 10.1.1.2/30
                                     ge-0/0/1.0                 10.2.2.2/30
                                     st0.0 (tunnel interface)   10.3.3.2/30
  Routing instance (virtual router)  VR1                        ge-0/0/1.0
                                                                st0.0
  Static routes                      10.6.6.0/24                The next hop is st0.0.
  Security zones                     trust                      The ge-0/0/1 interface is bound to this zone.
                                     untrust                    The ge-0/0/0 interface is bound to this zone.
                                                                The st0.0 interface is bound to this zone.

Table 2: IKE Configuration Parameters

  Feature   Name           Configuration Parameters
  --------  -------------  ---------------------------------------------
  Proposal  first_ikeprop  Authentication method: pre-shared-keys
  Policy    first_ikepol   Mode: main
                           Proposal reference: first_ikeprop
                           IKE policy authentication method: pre-shared-keys
  Gateway   first          IKE policy reference: first_ikepol
                           External interface: ge-0/0/0.0
                           Gateway address: 10.4.4.2

Table 3: IPsec Configuration Parameters

  Feature   Name             Configuration Parameters
  --------  ---------------  ---------------------------------------
  Proposal  first_ipsecprop  protocol: esp
                             authentication-algorithm: hmac-md5-96
                             encryption-algorithm: 3des-cbc
  Policy    first_ipsecpol   IPsec proposal reference: first_ipsecprop
  VPN       first_vpn        IKE gateway reference: first
                             IPsec policy reference: first_ipsecpol
                             Bind to interface: st0.0
                             establish-tunnels immediately

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an st0 in a VR:

  1. Configure the interfaces.

  2. Configure security zones.

  3. Configure Phase 1 of the IPsec tunnel.

  4. Configure the IKE policies, and reference the proposals.

  5. Configure the IKE gateway, and reference the policy.

  6. Configure Phase 2 of the IPsec tunnel.

  7. Configure the policies, and reference the proposals.

  8. Configure AutoKey IKE, and reference the policy and gateway.

  9. Configure the VPN bind to tunnel interface.

  10. Configure the security policy.

  11. Configure the st0 in the routing instance.

  12. Configure the routing options.
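As an added example that is not the page's own CLI Quick Configuration (which is not reproduced here), the parameters from Tables 1 through 3 and the twelve steps above assembled into set-format Junos commands. The pre-shared key value and the security policy name vpn-out are assumptions not stated in the tables; ge-0/0/0.0 stays in the default routing instance, as Table 1 implies by listing only ge-0/0/1.0 and st0.0 under VR1.

```junos
# Interfaces (Table 1); st0.0 is the tunnel interface that VR1 will own
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.2/30
set interfaces st0 unit 0 family inet address 10.3.3.2/30
# Security zones (Table 1): trust holds the internal interface,
# untrust holds the IKE external interface and st0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
# IKE Phase 1 (Table 2); the key value is a placeholder assumption
set security ike proposal first_ikeprop authentication-method pre-shared-keys
set security ike policy first_ikepol mode main
set security ike policy first_ikepol proposals first_ikeprop
set security ike policy first_ikepol pre-shared-key ascii-text "REPLACE_WITH_SHARED_SECRET"
set security ike gateway first ike-policy first_ikepol
set security ike gateway first address 10.4.4.2
set security ike gateway first external-interface ge-0/0/0.0
# IPsec Phase 2 (Table 3); algorithms are the table's own values, kept for fidelity
set security ipsec proposal first_ipsecprop protocol esp
set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
set security ipsec policy first_ipsecpol proposals first_ipsecprop
set security ipsec vpn first_vpn bind-interface st0.0
set security ipsec vpn first_vpn ike gateway first
set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
set security ipsec vpn first_vpn establish-tunnels immediately
# Security policy (assumed name vpn-out): permit trust-to-untrust traffic into the tunnel
set security policies from-zone trust to-zone untrust policy vpn-out match source-address any
set security policies from-zone trust to-zone untrust policy vpn-out match destination-address any
set security policies from-zone trust to-zone untrust policy vpn-out match application any
set security policies from-zone trust to-zone untrust policy vpn-out then permit
# Routing instance VR1 (Table 1): the internal interface and st0.0 move into the VR;
# ge-0/0/0.0 stays in the default instance, so IKE reaches the peer through inet.0
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/1.0
set routing-instances VR1 interface st0.0
set routing-instances VR1 routing-options static route 10.6.6.0/24 next-hop st0.0
```

Drop the comment lines before pasting the set commands at the [edit] hierarchy level, then commit; with VR1 in place, show route table VR1.inet.0 should list 10.6.6.0/24 via st0.0 while inet.0 still carries the route to the peer 10.4.4.2.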

Results

From configuration mode, confirm your configuration by entering the show security and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying an st0 interface in the Virtual Router

Purpose

Verify the st0 interface in the virtual router.

Action

From operational mode, enter the show interfaces st0.0 detail command. The number listed for the routing table corresponds to the order in which the routing tables appear in the output of the show route all command.