Juniper IPsec VPN with two subnets on the far side

By on November 5, 2012 - Geekery Tags: ,

I just worked my way through how to route two different subnets to the far side of a single IPsec tunnel on a Juniper SRX unit. This configuration but isn’t clearly documented anywhere on Juniper’s website, so I’m sharing it here.

Say you have a VPN to a remote site like so:

security ipsec:
vpn Office2 {
  bind-interface st0.1;
  ike {
    gateway Office2-gw;
    proxy-identity {
      local 192.168.1.0/24;
      remote 192.168.2.0/24;
      service any;
    }
    ipsec-policy Office2-ipsec;
  }
  establish-tunnels immediately;
}

routing-options:
static {
  route 192.168.2.0/24 next-hop st0.1;
}

We are skipping the IKE and proposals setup here, but we assume you know how to do this and it is extensively well documented if you don’t. But let’s say the site calls you up and also wants to route 172.16.0.0/16 to their site. You could do this by creating a whole ‘nother tunnel with every element duplicated except the destination block. Or you can do something like the following, which re-uses most of your configuration and only duplicates the ipsec phase2 security associations:

security ipsec:
vpn Office2 {
  bind-interface st0.1;
  ike {
    gateway Office2-gw;
    proxy-identity {
      local 192.168.1.0/24;
      remote 192.168.2.0/24;
      service any;
    }
    ipsec-policy Office2-ipsec;
  }
  establish-tunnels immediately;
}
vpn Office2-172block {
  bind-interface st0.1;
  ike {
    gateway Office2-gw;
    proxy-identity {
      local 192.168.1.0/24;
      remote 172.16.0.0/16;
      service any;
    }
    ipsec-policy Office2-ipsec;
  }
  establish-tunnels immediately;
}

interfaces st0:
unit 1 {
  multipoint;
  family inet {
    address 192.168.255.1/24;
    next-hop-tunnel 192.168.255.2 ipsec-vpn Office2;
    next-hop-tunnel 192.168.255.3 ipsec-vpn Office2-172block;
  }
}

routing-options:
static {
  route 192.168.2.0/24 next-hop 192.168.255.2;
  route 172.16.0.0/16 next-hop 192.168.255.3;
}

This configuration works by routing the traffic using the assigned next-hop IP address to the correct IPsec security association. One thing that may surprise you: You do not share the 192.168.255 ip addresses with the far side. These IP addresses are not actually used during the VPN negotiation, but are just used for internal routing so that traffic is routed across the correct security association.

2 Responses to “Juniper IPsec VPN with two subnets on the far side”

  1. jguillerm says:
    February 2, 2016 at 10:15 am

    Interesting option that you presented above : generally, I duplicated not only the section you described above but also the st0.x interface (creating 1 st0.x for each remote subnet); so, your way is simpler ;

    But, now, in my new case, I have several individual source IPs and destination IPs that cannot be summarized in a valid subnet; so, this would force me to code several times the section you duplicate, and not just only 1, 2 or 3 times ;

    after reading this entry : http://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=RSS

    I was wondering whether it would not be OK not to code proxy-identity local and remote at all so that they default to 0.0.0.0 as written ;
    since there are static route defined to reach the remote IPs via the VPN st0.x interface, the flow would be encrypted into the right tunnel

    Well, I still have some doubt that 0.0.0.0 proxys would be accepted by the other side : here is my rationale that tends to explain it could work :
    As mentionned in the above URL :
    “Proxy IDs are a validated item during VPN tunnel establishment with the proxy IDs of the VPN peers needing to be an inverse match of each other”

    but, by experience, I have noticed that, even, if there is not an exact inverse match of each other,VPN can work as far as the proxy IDs on 1 side is a superset of the proxy IDs defined on the other side

    In my case, the other side is an IOS router that will use Policy-based VPN, so a crypto-map ACL is mandatory and the Source/Dest addresses fields of this ACL automatically become the local/remote proxy entities send by the IOS during the VPN phase 2 negociation

    With my Juniper side proxies being defaulted to 0.0.0.0, it might work since it is a superset of any IPs range …

    This is just an assumption for now

    If you have an idea, please let me know
    thanks in advance

    • jorhett says:
      February 2, 2016 at 10:38 am

      I don’t know if the overlap works, but if both sides agree to set proxy-id to 0.0.0.0 then you can send any number of routes as shown in the example you linked to. I was working with a remote unit that couldn’t (or the team wouldn’t) support that, and my attempts to use 0.0.0.0 were rejected during Phase 2 setup.

Leave a Reply

You must be logged in to post a comment.