Configurations on Juniper SRX

Describes how to configure GRE tunnels on a Juniper SRX device.

Steps

  1. Use the following commands to configure tunnels to the primary and secondary data centers.
    set interfaces gr-0/0/0 unit 0 description primary
    set interfaces gr-0/0/0 unit 0 tunnel source <public_egress_ip>
    set interfaces gr-0/0/0 unit 0 tunnel destination <primary_destination_address>
    set interfaces gr-0/0/0 unit 0 family inet address <unused_internal_address_1>/30
    set interfaces gr-0/0/0 unit 1 description backup
    set interfaces gr-0/0/0 unit 1 tunnel source <public_egress_ip>
    set interfaces gr-0/0/0 unit 1 tunnel destination <secondary_destination_address>
    set interfaces gr-0/0/0 unit 1 family inet address <unused_internal_address_2>/30

    You can use the following show command to view the details of the configured interface.

    show interfaces gr-0/0/0
    unit 0 {
        description primary;
        tunnel {
            source <public_egress_ip>;
            destination <primary_destination_address>;
        }
        family inet {
            address <unused_internal_address_1>/30;
        }
    }
    unit 1 {
        description backup;
        tunnel {
            source <public_egress_ip>;
            destination <secondary_destination_address>;
        }
        family inet {
            address <unused_internal_address_2>/30;
        }
    }
  2. Configure a routing instance to route http and https traffic only through the GRE tunnel:
    set routing-instances <routing instance name> instance-type forwarding
    set routing-instances <routing instance name> routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0

    You can use the following show command to view the details of the routing instances.

    show routing-instances
    <routing instance name> {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop gr-0/0/0.0;
                }
            }
        }
    }
  3. Configure the routing options. Use the following commands to add the inet.0 routes to the routing table of the GRE tunnel routing instance:
    set routing-options interface-routes rib-group inet <rib group name>
    set routing-options static route 0.0.0.0/0 next-hop <default_gateway_ip>
    set routing-options rib-groups <rib group name> import-rib inet.0
    set routing-options rib-groups <rib group name> import-rib <routing instance name>.inet.0

    You can use the following show command to view the details of the routing options.

    show routing-options
    interface-routes {
        rib-group inet <rib group name>;
    }
    static {
        route 0.0.0.0/0 next-hop <default_gateway_ip>;
    }
    rib-groups {
        <rib group name> {
            import-rib [ inet.0 <routing instance name>.inet.0 ];
        }
    }
  4. Configure a firewall filter to route http and https traffic only through the GRE tunnel:
    set firewall family inet filter <firewall inet filter name> term <term name 1> from source-address <client_subnet>/24
    set firewall family inet filter <firewall inet filter name> term <term name 1> then routing-instance <routing instance name>
    set firewall family inet filter <firewall inet filter name> term <term name 1> from destination-port 80
    set firewall family inet filter <firewall inet filter name> term <term name 1> from destination-port 443
  5. Attach the firewall filter to the incoming interface:
    set interfaces <incoming_interface> unit 0 family inet filter input <firewall inet filter name>
    set interfaces <incoming_interface> unit 0 family inet address <client_subnet>

    You can use the following show command to view the details of the incoming interface.

    show interfaces <incoming_interface>
    unit 0 {
        family inet {
            filter {
                input <firewall inet filter name>;
            }
            address <client_subnet>;
        }
    }
  6. Configure security zones:
    set security zones security-zone <zone_name> host-inbound-traffic system-services all
    set security zones security-zone <zone_name> host-inbound-traffic protocols all
    set security zones security-zone <zone_name> interfaces <outgoing_interface>
    set security zones security-zone <zone_name> interfaces gr-0/0/0.0
    set security zones security-zone <zone_name> interfaces gr-0/0/0.1

    You can use the following show command to view the details of the security zones.

    show security zones
    security-zone <zone_name> {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            <outgoing_interface>;
            fe-0/0/5.0;
            gr-0/0/0.0;
            gr-0/0/0.1;
        }
    }
  7. Configure the tunnel failover. Use the following commands to create two ICMP-based probes to monitor the GRE tunnels' endpoints at the Forcepoint ONE SSE cloud:
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel probe-type icmp-ping
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel target address 116.50.59.230
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel probe-count 5
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel probe-interval 2
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel test-interval 2
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel thresholds successive-loss 3
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel thresholds total-loss 3
    set services rpm probe ping_primary_DC_monitoring_IP test primary_tunnel next-hop 192.160.1.2
    set services ip-monitoring policy failover match rpm-probe ping_primary_DC_monitoring_IP
    set services ip-monitoring policy failover then preferred-route routing-instances <routing instance name> route 0.0.0.0/0 next-hop <dummy_secondary_next_hop_ip_address>

    You can use the following show command to view the details for tunnel failover.

    show services
    rpm {
        probe ping_primary_DC_monitoring_IP {
            test primary_tunnel {
                probe-type icmp-ping;
                target address 116.50.59.230;
                probe-count 5;
                probe-interval 2;
                test-interval 2;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                next-hop 192.160.1.2;
            }
        }
    }
    ip-monitoring {
        policy failover {
            match {
                rpm-probe ping_primary_DC_monitoring_IP;
            }
            then {
                preferred-route {
                    routing-instances <routing instance name> {
                        route 0.0.0.0/0 {
                            next-hop <dummy_secondary_next_hop_ip_address>;
                        }
                    }
                }
            }
        }
    }
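As an added example (not part of the Forcepoint or Juniper documentation), the following Python script parses a constructed set of Junos `set` statements in the shape of steps 4, 6 and 7 above and checks three things a reviewer would verify before committing: that the RPM probe's next-hop lies inside a GRE tunnel /30, that no zone uses `host-inbound-traffic system-services all`, and that every filter term steering traffic into the routing instance also matches a destination port. All addresses and names in the sample are made up.

```python
import ipaddress

# Constructed sample in the shape of this page's "set" statements, with the placeholders
# filled by RFC 5737 documentation addresses and made-up names. Term t1 deliberately has
# no destination-port match and the zone allows all system services, so the checks fire.
SAMPLE_CONFIG = """
set interfaces gr-0/0/0 unit 0 tunnel source 203.0.113.10
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.1
set interfaces gr-0/0/0 unit 0 family inet address 192.168.1.1/30
set interfaces gr-0/0/0 unit 1 family inet address 192.168.2.1/30
set firewall family inet filter web-via-gre term t1 from source-address 10.1.0.0/24
set firewall family inet filter web-via-gre term t1 then routing-instance gre-ri
set security zones security-zone untrust host-inbound-traffic system-services all
set services rpm probe ping_primary test primary_tunnel next-hop 192.168.1.2
"""

def parse_set_commands(text):
    """Split each 'set ...' statement into tokens, dropping the leading 'set'."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]

def gre_subnets(stmts):
    """Collect the subnets configured under 'interfaces gr-... family inet address'."""
    return [ipaddress.ip_interface(s[7]).network for s in stmts
            if len(s) > 7 and s[0] == "interfaces" and s[1].startswith("gr-")
            and s[4:7] == ["family", "inet", "address"]]

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts, findings, terms = parse_set_commands(text), [], {}
    nets = gre_subnets(stmts)
    for s in stmts:
        # Step 7: the probe next-hop must be the far end of a GRE /30, else the probe bypasses
        # the tunnel and ip-monitoring never notices the tunnel going down.
        if s[:3] == ["services", "rpm", "probe"] and "next-hop" in s:
            nh = ipaddress.ip_address(s[s.index("next-hop") + 1])
            if not any(nh in n for n in nets):
                findings.append(f"rpm probe {s[3]}: next-hop {nh} is outside every GRE tunnel subnet")
        # Step 6: 'system-services all' exposes every management service to the zone.
        if s[:3] == ["security", "zones", "security-zone"] and \
           s[4:7] == ["host-inbound-traffic", "system-services", "all"]:
            findings.append(f"zone {s[3]}: system-services all; allow only the services the tunnel needs")
        # Step 4: gather each filter term's clauses ('from destination-port', 'then routing-instance').
        if s[:4] == ["firewall", "family", "inet", "filter"] and s[5:6] == ["term"]:
            terms.setdefault((s[4], s[6]), set()).add(" ".join(s[7:9]))
    # A term that steers into the routing instance without a destination-port match forces
    # all of the subnet's traffic into the tunnel, not just http/https.
    for (flt, term), clauses in terms.items():
        if "then routing-instance" in clauses and "from destination-port" not in clauses:
            findings.append(f"filter {flt} term {term}: routing-instance action without destination-port match")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed sample reports the open zone and the port-less filter term; adding a `from destination-port` clause and narrowing `system-services` clears both findings.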