Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS IPsec VPN User Guide Route Based VPN

IPsec VPN User Guide

keyboard_arrow_up
close
keyboard_arrow_left
IPsec VPN User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Secure Tunnel Interface in a Virtual Router

date_range 30-Nov-23
arrow_backward
arrow_forward

A secure tunnel interface (st0) is an internal interface that is used by route-based VPNs to route cleartext traffic to an IPsec VPN tunnel.

Understanding Virtual Router Support for Route-Based VPNs

This feature includes routing-instance support for route-based VPNs. In previous releases, when an st0 interface was put in a nondefault routing instance, the VPN tunnels on this interface did not work properly. In the Junos OS 10.4 release, the support is enabled to place st0 interfaces in a routing instance, where each unit is configured in point-to-point mode or multipoint mode. Therefore, VPN traffic now works correctly in a nondefault VR. You can now configure different subunits of the st0 interface in different routing instances. The following functions are supported for nondefault routing instances:

  • Manual key management

  • Transit traffic

  • Self-traffic

  • VPN monitoring

  • Hub-and-spoke VPNs

  • Encapsulating Security Payload (ESP) protocol

  • Authentication Header (AH) protocol

  • Aggressive mode or main mode

  • st0 anchored on the loopback (lo0) interface

  • Maximum number of virtual routers (VRs) supported on an SRX Series Firewall

  • Applications such as Application Layer Gateway (ALG), Intrusion Detection and Prevention (IDP), and Content Security

  • Dead peer detection (DPD)

  • Chassis cluster active/backup

  • Open Shortest Path First (OSPF) over st0

  • Routing Information Protocol (RIP) over st0

  • Policy-based VPN inside VR

Understanding Virtual Router Limitations

When you configure VPN on SRX Series Firewalls, overlapping of IP addresses across virtual routers is supported with the following limitations:

  • An IKE external interface address cannot overlap with any other virtual router.

  • An internal or trust interface address can overlap across any other virtual router.

  • An st0 interface address cannot overlap in route-based VPN in point-to-multipoint tunnels such as NHTB.

  • An st0 interface address can overlap in route-based VPN in point-to-point tunnels.

See Also

Example: Configuring an st0 Interface in a Virtual Router

This example shows how to configure an st0 interface in a virtual router.

Requirements

Before you begin, configure the interfaces and assign the interfaces to security zones. See "Security Zones Overview".

Overview

In this example, you perform the following operations:

  • Configure the interfaces.

  • Configure IKE Phase 1 proposals.

  • Configure IKE policies, and reference the proposals.

  • Configure an IKE gateway, and reference the policy.

  • Configure Phase 2 proposals.

  • Configure policies, and reference the proposals.

  • Configure AutoKey IKE, and reference the policy and gateway.

  • Configure the security policy.

  • Configure the routing instance.

  • Configure the VPN bind to tunnel interface.

  • Configure the routing options.

Figure 1 shows the topology used in this example.

Figure 1: Secure Tunnel Interface in a Virtual Router

Following tables show the configuration parameters.

Table 1: Interface, Routing Instance, Static Route, and Security Zone Information for SRX1

Feature

Name

Configuration Parameters

Interfaces

ge-0/0/0.0

10.1.1.2/30

 

ge-0/0/1.0

10.2.2.2/30

 

st0.0 (tunnel interface)

10.3.3.2/30

Routing instance (Virtual Router)

VR1

ge-0/0/1.0

st0.0

Static routes

10.6.6.0/24

The next hop is st0.0.

Security zones

trust

  • The ge-0/0/1 interface is bound to this zone.

 

untrust

  • The ge-0/0/0 interface is bound to this zone.

  • The st0.0 interface is bound to this zone.

Table 2: IKE Configuration Parameters

Feature

Name

Configuration Parameters

Proposal

first_ikeprop

  • Authentication method: pre-shared-keys

Policy

first_ikepol

  • Mode: main

  • Proposal reference: first_ikeprop

  • IKE policy authentication method: pre-shared-keys

Gateway

first

  • IKE policy reference: first_ikepol

  • External interface: ge-0/0/0.0

  • Gateway address: 10.4.4.2

Table 3: IPsec Configuration Parameters

Feature

Name

Configuration Parameters

Proposal

first_ipsecprop

  • protocol: esp

  • authentication-algorithm: hmac-md5-96

  • encryption-algorithm: 3des-cbc

Policy

first_ipsecpol

  • IPsec proposal reference: first_ipsecprop

VPN

first_vpn

  • IKE gateway reference: first

  • IPsec policy reference: first_ipsecpol

  • Bind to interface: st0.0

  • establish-tunnels immediately

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.2/30
set interfaces st0 unit 0 family inet address 10.3.3.2/30
set security zones security-zone trust interfaces ge-0/0/1
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone untrust interfaces st0.0
set security ike proposal first_ikeprop authentication-method pre-shared-keys 
set security ike proposal first_ikeprop dh-group group2 
set security ike proposal first_ikeprop authentication-algorithm md5
set security ike proposal first_ikeprop encryption-algorithm 3des-cbc
set security ike policy first_ikepol mode main
set security ike policy first_ikepol proposals first_ikeprop
set security ike policy first_ikepol pre-shared-key ascii-text "$ABC123"
set security ike gateway first ike-policy first_ikepol
set security ike gateway first address 10.4.4.2
set security ike gateway first external-interface ge-0/0/0.0
set security ipsec proposal first_ipsecprop protocol esp
set security ipsec proposal first_ipsecprop authentication-algorithm hmac-md5-96
set security ipsec proposal first_ipsecprop encryption-algorithm 3des-cbc
set security ipsec policy first_ipsecpol perfect-forward-secrecy keys group1
set security ipsec policy first_ipsecpol proposals first_ipsecprop
set security ipsec vpn first_vpn bind-interface st0.0
set security ipsec vpn first_vpn ike gateway first
set security ipsec vpn first_vpn ike ipsec-policy first_ipsecpol
set security ipsec vpn first_vpn establish-tunnels immediately  
set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application any
set security policies from-zone trust to-zone untrust policy p1 then permit
set security policies from-zone untrust to-zone trust policy p2 match source-address any
set security policies from-zone untrust to-zone trust policy p2 match destination-address any
set security policies from-zone untrust to-zone trust policy p2 match application any
set security policies from-zone untrust to-zone trust policy p2 then permit
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/1.0
set routing-instances VR1 interface st0.0  
set routing-instances VR1 routing-options static route 10.6.6.0/24 next-hop st0.0
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an st0 in a VR:

  1. Configure the interfaces.

    content_copy zoom_out_map
    [edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/30
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.2/30
user@host# set interfaces st0 unit 0 family inet address 10.3.3.2/30

  2. Configure security zones.

    content_copy zoom_out_map
    [edit]
user@host# set security zones security-zone trust interfaces ge-0/0/1
user@host# set security zones security-zone untrust interfaces ge-0/0/0
user@host# set security zones security-zone untrust interfaces st0.0

  3. Configure Phase 1 of the IPsec tunnel.

    content_copy zoom_out_map
    [edit security ike]
user@host# set proposal first_ikeprop authentication-method pre-shared-keys
user@host# set proposal first_ikeprop dh-group group2
user@host# set proposal first_ikeprop authentication-algorithm md5
user@host# set proposal first_ikeprop encryption-algorithm 3des-cbc

  4. Configure the IKE policies, and reference the proposals.

    content_copy zoom_out_map
    [edit security ike]
user@host# set policy first_ikepol mode main
user@host# set policy first_ikepol proposals first_ikeprop
user@host# set policy first_ikepol pre-shared-key ascii-text "$ABC123"

  5. Configure the IKE gateway, and reference the policy.

    content_copy zoom_out_map
    [edit security ike]
user@host# set gateway first ike-policy first_ikepol
user@host# set gateway first address 10.4.4.2
user@host# set gateway first external-interface ge-0/0/0.0

  6. Configure Phase 2 of the IPsec tunnel.

    content_copy zoom_out_map
    [edit security ipsec]
user@host# set proposal first_ipsecprop protocol esp
user@host# set proposal first_ipsecprop authentication-algorithm hmac-md5-96
user@host# set proposal first_ipsecprop encryption-algorithm 3des-cbc

  7. Configure the policies, and reference the proposals.

    content_copy zoom_out_map
    [edit security ipsec]
user@host# set policy first_ipsecpol perfect-forward-secrecy keys group1
user@host# set policy first_ipsecpol proposals first_ipsecprop

  8. Configure AutoKey IKE, and reference the policy and gateway.

    content_copy zoom_out_map
    [edit security ipsec]
user@host# set vpn first_vpn ike gateway first
user@host# set vpn first_vpn ike ipsec-policy first_ipsecpol
user@host# set vpn first_vpn establish-tunnels immediately

  9. Configure the VPN bind to tunnel interface.

    content_copy zoom_out_map
    [edit security ipsec]
user@host# set vpn first_vpn bind-interface st0.0

  10. Configure the security policy.

    content_copy zoom_out_map
    [edit security policies]
user@host# set from-zone trust to-zone untrust policy p1 match source-address any
user@host# set from-zone trust to-zone untrust policy p1 match destination-address any
user@host# set from-zone trust to-zone untrust policy p1 match application any
user@host# set from-zone trust to-zone untrust policy p1 then permit
user@host# set from-zone untrust to-zone trust policy p2 match source-address any
user@host# set from-zone untrust to-zone trust policy p2 match destination-address any
user@host# set from-zone untrust to-zone trust policy p2 match application any
user@host# set from-zone untrust to-zone trust policy p2 then permit

  11. Configure the st0 in the routing instance.

    content_copy zoom_out_map
    [edit routing-instances]
user@host# set VR1 instance-type virtual-router
user@host# set VR1 interface ge-0/0/1.0
user@host# set VR1 interface st0.0

  12. Configure the routing options.

    content_copy zoom_out_map
    [edit routing-instances VR1 routing-options]
user@host# set static route 10.6.6.0/24 next-hop st0.0
Results

From configuration mode, confirm your configuration by entering the show security and show routing-instances commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
user@host# show security
    ike {
    proposal first_ikeprop {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
    }
    policy first_ikepol {
        mode main;
        proposals first_ikeprop;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway first {
        ike-policy first_ikepol;
        address 10.4.4.2;
        external-interface ge-0/0/0.0;
    }
}
    ipsec {
        proposal first_ipsecprop {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
        }
        policy first_ipsecpol {
            perfect-forward-secrecy {
                keys group1;
            }
            proposals first_ipsecprop;
        }
        vpn first_vpn {
            bind-interface st0.0;
            ike {
                gateway first;
                ipsec-policy first_ipsecpol;
            }
            establish-tunnels immediately;
        }
    }
policies {
    from-zone trust to-zone untrust {
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
        from-zone untrust to-zone trust {
            policy p2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
zones {
    security-zone trust {
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone untrust {
        interfaces {
            ge-0/0/0.0;
            st0.0;
        }
    }
}
    
user@host# show routing-instances
        VR1 {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            interface st0.0; 
            routing-options {
            static {
            route 10.6.6.0/24 next-hop st0.0;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying an st0 interface in the Virtual Router

Purpose

Verify the st0 interface in the virtual router.

Action

From operational mode, enter the show interfaces st0.0 detail command. The number listed for routing table corresponds to the order that the routing tables in the show route all command.

See Also

Related Documentation

arrow_backward PREVIOUS Route-Based VPN with IKEv2
NEXT arrow_forward Dual Stack Tunnels over an External Interface
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top