Friday, 19 July 2013

SRX IPSec VPN - Multipoint with OSPF

In this post OSPF is configured to exchange routes dynamically across the IPSec tunnels. This exercise builds on the configuration completed in the previous post [SRX IPSec VPN - Multipoint], so review the earlier IPSec posts first: the multipoint st0.0 interface, the next-hop tunnel binding (NHTB) and the VPN zone are all assumed to be in place already.

The diagram below outlines the lab topology.




Configure HUB
1. Remove Static Routes
In the previous post routing was done with static routes pointing at st0.0. Those routes are no longer needed once OSPF is operational, and leaving them in place would mask whether OSPF is actually working, since a static route beats an OSPF route. The screenshots below show the static routes currently configured and then show them being removed.



2. Configure OSPF
In this step OSPF is configured. The st0.0 interface is configured as point-to-multipoint (p2mp), because one tunnel interface on the HUB terminates a tunnel from every branch. The dynamic-neighbors option lets the HUB learn each branch from the hellos it receives instead of requiring a static neighbor statement per branch; the NHTB then maps each learned next hop onto the correct tunnel. Interface lo0 is configured as passive, meaning no adjacency is formed over that interface, but the network attached to it is still advertised via OSPF.


3. Configure Host-Inbound-Traffic
OSPF hellos are addressed to the SRX itself, and an SRX drops traffic destined to itself unless it is explicitly allowed in host-inbound-traffic, so without this step no adjacency forms even though the tunnel is up. In this step the OSPF protocol is allowed on the st0.0 interface only, in security zone VPN, rather than zone-wide, so that OSPF is not accidentally accepted on any other interface placed in that zone later.
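The three HUB steps above, as one set of Junos CLI statements. This is an added example written for this page, not the configuration from the original screenshots. The addressing is assumed, since the post does not state it: HUB lo0.0 is 192.168.2.1/24, st0.0 is 10.0.0.1/24 and is already set to multipoint and bound to both VPNs via bind-interface in the previous post, and the branch prefixes are the 192.168.3.0/24 and 192.168.4.0/24 networks listed in the verification section. The hello/dead timers and the OSPF authentication key are choices added here, not something the post configures.

```junos
## HUB: replace the static routes from the previous post with OSPF.
## Assumed (not stated in the post): lo0.0 = 192.168.2.1/24,
## st0.0 = 10.0.0.1/24 (multipoint, bound to both VPNs in the previous post),
## branch prefixes 192.168.3.0/24 and 192.168.4.0/24.

## 1. Remove the static routes that pointed at st0.0. A leftover static
##    route would win over the OSPF route and hide a broken adjacency.
delete routing-options static route 192.168.3.0/24
delete routing-options static route 192.168.4.0/24

## Pin the router-id so it does not depend on which address Junos picks
set routing-options router-id 192.168.2.1

## 2. OSPF on st0.0: point-to-multipoint, one interface for all branch tunnels.
##    dynamic-neighbors learns each branch from its hellos, so no per-branch
##    "neighbor" statement is needed when a branch is added.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 dynamic-neighbors
## Timers are a choice made here; keep them consistent on every branch,
## otherwise the hellos are ignored and no adjacency forms.
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 10
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 40
## OSPF authentication on top of IPsec (added here): anything that can reach
## st0.0 but does not hold this key cannot inject routes. Same key on branches.
set protocols ospf area 0.0.0.0 interface st0.0 authentication md5 1 key "CHANGE-ME"
## lo0.0 passive: 192.168.2.0/24 is advertised, no adjacency is attempted on it
set protocols ospf area 0.0.0.0 interface lo0.0 passive

## 3. Let OSPF terminate on st0.0 in zone VPN. Interface-level, not zone-level,
##    so OSPF is only accepted on the tunnel interface.
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf

commit check
commit comment "OSPF over st0.0 replaces static routes"
```

The `delete` lines are the only part that differ from a fresh deployment: on a box that never had static routes they are simply omitted. The authentication key is stored in the configuration, so it should be a generated value rather than a placeholder, and rotated like any other shared secret.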


Configure BRANCH-A
1. Remove Static Routes
The screenshots below show the static routes currently configured and then show them being removed.



2. Configure OSPF
In this step OSPF is configured on the st0.0 and lo0 interfaces. The area and the hello/dead timers on st0.0 must match the HUB's settings, or the HUB will ignore the branch's hellos and no adjacency will form.


3. Configure Host-Inbound-Traffic
In this step the OSPF protocol is allowed on the st0.0 interface in security zone VPN, exactly as on the HUB.


Configure BRANCH-B
1. Remove Static Routes
The screenshots below show the static routes currently configured and then show them being removed.



2. Configure OSPF
In this step OSPF is configured on the st0.0 and lo0 interfaces, with the same area and timers as on the HUB and BRANCH-A.


3. Configure Host-Inbound-Traffic
In this step the OSPF protocol is allowed on the st0.0 interface in security zone VPN, exactly as on the HUB and BRANCH-A.
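The branch configuration for both BRANCH-A and BRANCH-B, as one added example covering the three steps above (this is written for this page, not taken from the original screenshots). Addressing is assumed: BRANCH-A lo0.0 192.168.3.1/24 and st0.0 10.0.0.2/24, BRANCH-B lo0.0 192.168.4.1/24 and st0.0 10.0.0.3/24, HUB lo0.0 192.168.2.1/24. Each branch terminates a single tunnel, so st0.0 is treated here as a point-to-point OSPF interface toward the HUB; that choice, and the timers and key, are assumptions that must simply match the HUB side.

```junos
## BRANCH-A shown; BRANCH-B is identical apart from the values in the comments.
## Assumed (not stated in the post): BRANCH-A lo0.0 192.168.3.1/24, st0.0 10.0.0.2/24;
## BRANCH-B lo0.0 192.168.4.1/24, st0.0 10.0.0.3/24; HUB lo0.0 192.168.2.1/24.

## 1. Remove the static routes for the HUB and the other branch
delete routing-options static route 192.168.2.0/24
delete routing-options static route 192.168.4.0/24    ## BRANCH-B: 192.168.3.0/24
set routing-options router-id 192.168.3.1             ## BRANCH-B: 192.168.4.1

## 2. OSPF on st0.0. One tunnel per branch, so a point-to-point link to the HUB.
##    Area, timers and authentication must match the HUB's st0.0 or the HUB
##    discards the hellos and "show ospf neighbor" stays empty.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 10
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 40
set protocols ospf area 0.0.0.0 interface st0.0 authentication md5 1 key "CHANGE-ME"
## lo0.0 passive: the branch LAN prefix is advertised, no adjacency on it
set protocols ospf area 0.0.0.0 interface lo0.0 passive

## 3. Accept OSPF on the tunnel interface only, in zone VPN
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf

commit check
commit comment "OSPF over st0.0 replaces static routes"
```

Branch-to-branch traffic (192.168.3.0/24 to 192.168.4.0/24) is routed through the HUB's st0.0, since the HUB is the only device with a tunnel to each branch; no direct branch-to-branch tunnel is configured in this design.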


Verify OSPF & Routes
1. Verify Route Tables
The screenshots below show that 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 are each learned by the neighbouring devices via OSPF, with st0.0 as the next-hop interface. Confirm at the same time that no static route for these prefixes remains, since a static route would take precedence over the OSPF route and mask a broken adjacency.



2. Verify OSPF Neighbors
The screenshots below show the OSPF adjacencies. As expected, BRANCH-A and BRANCH-B have each formed an adjacency with the HUB over their IPSec tunnel (st0.0 interface). Note that the router ID shown was chosen automatically: when no router-id is configured, Junos derives it from an interface address, so it can change if addressing changes. Setting a router-id explicitly under routing-options makes it deterministic, which matters when you later filter or troubleshoot by router ID.
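The verification for both the route tables and the neighbours above, as an added set of operational-mode commands written for this page (the original post shows screenshots instead). They are ordered the way a missing adjacency is usually diagnosed: tunnel first, then the OSPF interface, then neighbours, then routes. The prefix 192.168.4.0/24 and zone name VPN are the ones used on this page; the expectations in the comments assume the HUB configuration is the one described in the post.

```junos
## Run on HUB; the same commands apply on each branch.

## Is the tunnel up? No IPsec SA means no OSPF, whatever the OSPF config says.
show security ike security-associations
show security ipsec security-associations
## HUB only: one NHTB entry per branch st0.0 address; a branch missing here
## cannot be reached even if OSPF were to learn it
show security ipsec next-hop-tunnel-table

## Is OSPF running on st0.0 at all (Type P2MP on the HUB, P2P on a branch)?
## st0.0 absent from this output usually means a typo in the interface name.
show ospf interface

## One neighbour per branch, State Full, Address = that branch's st0.0.
## A branch missing here: check host-inbound-traffic ospf on st0.0 in zone VPN,
## then that area, hello/dead timers and authentication match on both ends.
show ospf neighbor
show security zones VPN         ## "ospf" must appear under host-inbound-traffic for st0.0

## Router ID in use; if it was not configured it was derived from an address
show ospf overview

## Remote prefixes should be protocol OSPF with next hop via st0.0,
## and the static table should no longer list them.
show route protocol ospf
show route protocol static
show route 192.168.4.0/24 detail
```

If `show ospf neighbor` shows a branch stuck in Init or ExStart rather than Full, the hellos are getting through but the two sides disagree on something (timers, authentication, or an MTU mismatch on the tunnel), which narrows the search considerably compared to an empty neighbour table.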




Conclusion
The OSPF configuration in this example was simple and straightforward. Older configurations referenced OSPF over GRE tunnels when configuring OSPF in an IPSec environment. From what I could find, this might have been a requirement in older versions of Junos.

I did validate in testing that the configuration above does NOT work on Junos 10.3. When I added GRE tunnels and applied the OSPF configuration to the GRE tunnel interfaces, OSPF did work on 10.3. I don't know why anyone would be running Junos 10.x on the SRX platform, so I will not be posting the OSPF+GRE+IPSec config. I would be curious to hear from anyone who has run into this scenario.