Juniper SRX

The following GRE configuration example is for Juniper SRX version 12.1 R2 and higher.

Use the following commands to configure tunnels to the primary and secondary points of presence.

show interfaces gr-0/0/0
# unit 0: GRE tunnel from the device egress address to the primary endpoint.
unit 0 {
    description primary;
    tunnel {
        source <device_egress_ip>;
        destination <primary_dc_public_ip>;
    }
    family inet {
        # Local end of the /30 inner (tunnel) addressing.
        address <primary_local_inner_ip>/30;
    }
}
# unit 1: second tunnel from the same source address to the secondary endpoint.
unit 1 {
    description backup;
    tunnel {
        source <device_egress_ip>;
        destination <secondary_dc_public_ip>;
    }
    family inet {
        address <secondary_local_inner_ip>/30;
    }
}
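# Set-command form of the two GRE tunnel units, one command per line.
# Unit 0 terminates on the primary endpoint and unit 1 on the secondary; both
# use the same egress address as tunnel source.
# NOTE(review): plain GRE neither encrypts nor authenticates the packets it
# carries, so anything not protected end to end (for example port 80 traffic)
# is readable on the path between <device_egress_ip> and the tunnel endpoint.
set interfaces gr-0/0/0 unit 0 description primary
set interfaces gr-0/0/0 unit 0 tunnel source <device_egress_ip>
set interfaces gr-0/0/0 unit 0 tunnel destination <primary_dc_public_ip>
set interfaces gr-0/0/0 unit 0 family inet address <primary_local_inner_ip>/30
set interfaces gr-0/0/0 unit 1 description backup
set interfaces gr-0/0/0 unit 1 tunnel source <device_egress_ip>
set interfaces gr-0/0/0 unit 1 tunnel destination <secondary_dc_public_ip>
set interfaces gr-0/0/0 unit 1 family inet address <secondary_local_inner_ip>/30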

Configure routing instances:

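show routing-instances
# Forwarding instance whose only route is a default route into the GRE tunnels.
route_to_gre_1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 {
                # Primary tunnel (unit 0), at the default static preference.
                next-hop gr-0/0/0.0;
                # Backup tunnel (unit 1). The higher preference value makes it
                # less preferred than the primary next hop.
                qualified-next-hop gr-0/0/0.1 {
                    preference 10;
                }
            }
        }
    }
}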
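# Instance names are case-sensitive: every statement must use the exact name
# route_to_gre_1, which the firewall filter and the rib-group refer to.
set routing-instances route_to_gre_1 instance-type forwarding
# Default route into the primary tunnel, with the backup tunnel as a
# less-preferred (preference 10) alternative.
set routing-instances route_to_gre_1 routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0
set routing-instances route_to_gre_1 routing-options static route 0.0.0.0/0 qualified-next-hop gr-0/0/0.1 preference 10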

Configure routing options:

show routing-options
# Interface routes are shared with the forwarding instance through the
# rib-group defined further down.
interface-routes {
    rib-group inet route_t0_gre_1;
}
# Default route of the main table, used by traffic that is not steered into
# the tunnel instance.
static {
    route 0.0.0.0/0 next-hop <gateway_ip>;
}
rib-groups {
    # The rib-group name is spelled with a zero (route_t0_gre_1) wherever it
    # appears on this page. It is a separate name from the routing instance
    # route_to_gre_1, so keep each spelling consistent with its own references.
    route_t0_gre_1 {
        import-rib [ inet.0 route_to_gre_1.inet.0 ];
    }
}
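# Install interface routes in both inet.0 and route_to_gre_1.inet.0 through
# rib-group route_t0_gre_1 (spelled with a zero, consistently, on this page).
set routing-options interface-routes rib-group inet route_t0_gre_1
# Default route of the main table for traffic that is not sent into the tunnel.
set routing-options static route 0.0.0.0/0 next-hop <gateway_ip>
set routing-options rib-groups route_t0_gre_1 import-rib inet.0
set routing-options rib-groups route_t0_gre_1 import-rib route_to_gre_1.inet.0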

Firewall policy configuration:

show firewall
# NOTE(review): the set commands on this page create the filter under
# `firewall family inet`; a device configured that way would show an enclosing
# `family inet { }` level here - confirm which hierarchy is intended.
filter TO_GRE_1 {
    # Term 0: traffic from the client subnet to destination ports 80 and 443
    # is logged and handed to routing instance route_to_gre_1.
    term 0 {
        from {
            source-address {
                <client_subnet>/24;
            }
            destination-port [ 80 443 ];
        }
        then {
            log;
            routing-instance route_to_gre_1;
        }
    }
    # Term 1: everything else is logged and accepted, and is forwarded by the
    # main routing table rather than through the tunnel instance.
    term 1 {
        then {
            log;
            accept;
        }
    }
}
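# Term 0: steer client-subnet traffic for destination ports 80 and 443 into
# routing instance route_to_gre_1 (the GRE tunnels) and log it.
# NOTE(review): the term has no protocol match; Juniper's guidance is to pair a
# port match with `protocol tcp` or `protocol udp` - confirm which is intended.
set firewall family inet filter TO_GRE_1 term 0 from source-address <client_subnet>/24
set firewall family inet filter TO_GRE_1 term 0 from destination-port 80
set firewall family inet filter TO_GRE_1 term 0 from destination-port 443
set firewall family inet filter TO_GRE_1 term 0 then log
set firewall family inet filter TO_GRE_1 term 0 then routing-instance route_to_gre_1
# Term 1: log and accept everything else; it follows the main routing table.
# NOTE(review): traffic to any other port therefore leaves without passing
# through the tunnel - confirm that this matches the intended policy.
set firewall family inet filter TO_GRE_1 term 1 then log
set firewall family inet filter TO_GRE_1 term 1 then accept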

Attach the firewall policy to the incoming interface:

<incoming_interface_name> {
    unit 0 {
        family inet {
            # Apply TO_GRE_1 to packets arriving on this interface.
            filter {
                input TO_GRE_1;
            }
            # NOTE(review): the placeholder repeats <client_subnet>; presumably
            # this is the device's own address inside the client subnet.
            address <client_subnet>/24;
        }
    }
}
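# Apply filter TO_GRE_1 in the input direction on the client-facing interface.
# The placeholder matches the <incoming_interface_name> used in the
# hierarchical listing.
set interfaces <incoming_interface_name> unit 0 family inet filter input TO_GRE_1
# NOTE(review): the placeholder repeats <client_subnet>; presumably this is the
# device's own address inside the client subnet.
set interfaces <incoming_interface_name> unit 0 family inet address <client_subnet>/24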

Security zone configuration:

show security zones
# Zone holding the egress interface and both GRE tunnel units.
security-zone gre {
    # NOTE(review): `all` permits every system service and protocol addressed
    # to the device itself on every interface in this zone, including the
    # egress interface. Narrow this to the services the deployment needs and
    # verify that the tunnels still pass traffic afterwards.
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        <egress_interface_name>;
        gr-0/0/0.0;
        gr-0/0/0.1;
    }
}
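# NOTE(review): `all` permits every system service and protocol addressed to
# the device itself on every interface in zone gre, including the egress
# interface. Narrow these two statements to the services the deployment needs
# (such as `ping`) and verify that the tunnels still pass traffic afterwards.
set security zones security-zone gre host-inbound-traffic system-services all
set security zones security-zone gre host-inbound-traffic protocols all
# Zone members: the egress interface and both GRE tunnel units.
set security zones security-zone gre interfaces <egress_interface_name>
set security zones security-zone gre interfaces gr-0/0/0.0
set security zones security-zone gre interfaces gr-0/0/0.1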

Tunnel failover configuration:

show services
rpm {
    # ICMP probe of the primary endpoint. The target is the same public
    # address as the unit 0 tunnel destination, so the probe measures
    # reachability of that endpoint rather than of the inner tunnel addresses.
    probe ping_primary_DC_IP {
        test primary_tunnel {
            probe-type icmp-ping;
            target address <primary_dc_public_ip>;
            # Five probes per test, 2 seconds apart; tests repeat every 2 seconds.
            probe-count 5;
            probe-interval 2;
            test-interval 2;
            # With five probes per test, both thresholds are reached only when
            # every probe of a test is lost.
            thresholds {
                successive-loss 5;
                total-loss 5;
            }
        }
    }
}
ip-monitoring {
    # When the probe above fails, switch from the primary tunnel unit to the
    # backup unit.
    policy failover {
        match {
            rpm-probe ping_primary_DC_IP;
        }
        then {
            interface gr-0/0/0.1 {
                enable;
            }
            interface gr-0/0/0.0 {
                disable;
            }
        }
    }
}
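# RPM probe: ICMP pings to the primary endpoint's public address (the same
# address as the unit 0 tunnel destination), five probes per test, 2 seconds
# apart, with tests repeating every 2 seconds.
set services rpm probe ping_primary_DC_IP test primary_tunnel probe-type icmp-ping
set services rpm probe ping_primary_DC_IP test primary_tunnel target address <primary_dc_public_ip>
set services rpm probe ping_primary_DC_IP test primary_tunnel probe-count 5
set services rpm probe ping_primary_DC_IP test primary_tunnel probe-interval 2
set services rpm probe ping_primary_DC_IP test primary_tunnel test-interval 2
# With five probes per test, both thresholds are reached only when every probe
# of a test is lost.
set services rpm probe ping_primary_DC_IP test primary_tunnel thresholds successive-loss 5
set services rpm probe ping_primary_DC_IP test primary_tunnel thresholds total-loss 5
# Failover policy: when the probe fails, enable the backup tunnel unit and
# disable the primary one.
# NOTE(review): the probe tests reachability of the public endpoint, not the
# inner tunnel addresses - confirm that this is the failure signal you want.
set services ip-monitoring policy failover match rpm-probe ping_primary_DC_IP
set services ip-monitoring policy failover then interface gr-0/0/0.1 enable
set services ip-monitoring policy failover then interface gr-0/0/0.0 disable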