Hi,

I'm using routing-instances and filter-based forwarding in order to emulate policy-based VPN while actually using route-based VPNs on a SRX cluster (I cannot use actual policy-based VPN due to the limitations described in KB21363 and KB23082). I'm using a commit script to build the necessary config like so (repeated for every possible srcnet/dstnet combination for each IKE gateway):

interfaces {
    st0 {
        unit 0 {
            description "vpn=acme-0, local=192.168.1.1/32, remote=100.64.0.0/24";
            family inet;
        }
        [...]
    }
}
security {
    ipsec {
        vpn acme-0 {
            bind-interface st0.0;
            ike {
                gateway acme;
                proxy-identity {
                    local 192.168.1.1/32;
                    remote 100.64.0.0/24;
                }
                ipsec-policy acme;
            }
        }
        [...]
    }
}
firewall {
    family inet {
        filter vpn-policyrouting {
            term acme-0 {
                from {
                    source-address {
                        192.168.1.1/32;
                    }
                    destination-address {
                        100.64.0.0/24;
                    }
                }
                then {
                    routing-instance acme-0;
                }
            }
            [...]
        }
    }
}
routing-instances {
    acme-0 {
        instance-type forwarding;
        routing-options {
            static {
                route 100.64.0.0/24 next-hop st0.0;
            }
        }
    }
    [...]
}

I found that this does not actually work, as acme-0.inet.0 ends up containing no routes (not even hidden routes). However, if I import the interface-routes RIB into that routing table, it works:

routing-options {
    interface-routes {
        rib-group inet interface-rib;
    }
    rib-groups {
        interface-rib {
            import-rib [ inet.0 acme-0.inet.0 [...] ];
            import-policy interface-rib-import;
        }
    }
}
policy-options {
    policy-statement interface-rib-import {
        term inet.0 {
            to rib inet.0;
            then accept;
        }
        term fallthrough {
            then {
                reject;
            }
        }
    }
}
What I can't wrap my head around here is that even though my import-policy seems to me to prevent anything from being imported into acme-0.inet.0 at all (and I can see that it does prevent other link routes from being imported), the above config is *not* equivalent to simply deleting "import-rib acme-0.inet.0" from under [edit routing-options rib-groups interface-rib]. Does anyone understand why?

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
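As an added example, not the author's commit script (which the post does not show), here is a Python generator for the per-pair stanzas described above: pair N is wired through st0.N, vpn NAME-N, filter term NAME-N and forwarding instance NAME-N, so the four names cannot drift apart, and every instance RIB is also listed in the interface-routes rib-group the post found necessary. It assumes the IKE gateway and the ipsec-policy share the gateway's name, as in the post's "acme".

```python
import ipaddress
from typing import List, Tuple

def build_vpn_config(gateway: str, pairs: List[Tuple[str, str]]) -> str:
    """Return Junos config text for one IKE gateway and its (local, remote)
    prefix pairs. Assumes (as in the post) that the ike gateway and the
    ipsec-policy are both named after the gateway."""
    # Normalise and validate every prefix before anything is rendered;
    # a host bit set in a /24 raises ValueError here instead of failing at commit.
    nets = [(str(ipaddress.ip_network(l)), str(ipaddress.ip_network(r)))
            for l, r in pairs]
    units, vpns, terms, insts, ribs = [], [], [], [], ["inet.0"]
    for n, (local, remote) in enumerate(nets):
        name = f"{gateway}-{n}"          # one index shared by all four stanzas
        units.append(f'        unit {n} {{ description "vpn={name}, local={local}, '
                     f'remote={remote}"; family inet; }}')
        vpns.append(f"        vpn {name} {{ bind-interface st0.{n}; ike {{ gateway {gateway}; "
                    f"proxy-identity {{ local {local}; remote {remote}; }} "
                    f"ipsec-policy {gateway}; }} }}")
        terms.append(f"            term {name} {{ from {{ source-address {{ {local}; }} "
                     f"destination-address {{ {remote}; }} }} "
                     f"then {{ routing-instance {name}; }} }}")
        insts.append(f"    {name} {{ instance-type forwarding; routing-options {{ static {{ "
                     f"route {remote} next-hop st0.{n}; }} }} }}")
        ribs.append(f"{name}.inet.0")
    # The interface-routes rib-group that the post found necessary for the
    # forwarding instances to carry their static route at all.
    rib_group = ("routing-options {\n    interface-routes { rib-group inet interface-rib; }\n"
                 "    rib-groups { interface-rib { import-rib [ " + " ".join(ribs) +
                 " ]; import-policy interface-rib-import; } }\n}")
    return "\n".join([
        "interfaces {\n    st0 {", *units, "    }\n}",
        "security {\n    ipsec {", *vpns, "    }\n}",
        "firewall {\n    family inet {\n        filter vpn-policyrouting {", *terms,
        "        }\n    }\n}",
        "routing-instances {", *insts, "}",
        rib_group,
    ])

if __name__ == "__main__":
    # Constructed sample: the post's acme pair plus a second, made-up pair.
    print(build_vpn_config("acme", [("192.168.1.1/32", "100.64.0.0/24"),
                                    ("192.168.1.0/24", "100.64.1.0/24")]))
```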