Juniper SRX To Linux GRE Tunnel
Working out how to build a GRE tunnel between a Juniper SRX and a Red Hat Enterprise Linux server (RHEL 5.x) took me a little time, but after some effort I was able to bring up a Juniper SRX to Linux GRE tunnel just as I had done for Cisco to Linux. The configuration steps for both Junos on the SRX and for Linux are posted below.
Network Scenario
I used RHEL 5.x installed in an ESXi virtual machine and a Juniper SRX210 running Junos 11.4. The SRX210 acts as the router as well as the firewall/VPN box. In this scenario the 192.168.5.0/24 network stands in for public Internet address space.
Juniper SRX Configuration
The SRX running Junos 11.4 is configured step by step as follows.
1. Configure interface fe-0/0/2, which is assumed to be the interface facing the Internet, and loopback interface lo0. The loopback address stands in for the remote network behind the SRX that the Linux side will reach through the tunnel.
root@SRX# set interfaces fe-0/0/2 unit 0 family inet address 192.168.5.55/24
root@SRX# set interfaces lo0 unit 0 family inet address 192.168.200.1/24
2. Configure the GRE tunnel interface with its own IP address, tunnel source IP address and tunnel destination IP address.
root@SRX# set interfaces gr-0/0/0 unit 0 tunnel source 192.168.5.55
root@SRX# set interfaces gr-0/0/0 unit 0 tunnel destination 192.168.5.167
root@SRX# set interfaces gr-0/0/0 unit 0 family inet mtu 1380
root@SRX# set interfaces gr-0/0/0 unit 0 family inet address 10.10.10.2/30
3. Configure the security zone "trust" and place all interfaces in that one zone, with all system services and all protocols allowed as host-inbound traffic.
root@SRX# set security zones security-zone trust host-inbound-traffic system-services all
root@SRX# set security zones security-zone trust host-inbound-traffic protocols all
root@SRX# set security zones security-zone trust interfaces fe-0/0/2.0
root@SRX# set security zones security-zone trust interfaces gr-0/0/0.0
root@SRX# set security zones security-zone trust interfaces lo0.0
4. Configure a policy that permits traffic within the trust zone (from-zone trust to-zone trust).
root@SRX# set security policies from-zone trust to-zone trust policy TTT match source-address any
root@SRX# set security policies from-zone trust to-zone trust policy TTT match destination-address any
root@SRX# set security policies from-zone trust to-zone trust policy TTT match application any
root@SRX# set security policies from-zone trust to-zone trust policy TTT then permit
5. Configure a static route for the remote network, which is the loopback (lo) address configured on the Linux server, pointing at the tunnel interface.
root@SRX# set routing-options static route 192.168.150.0/24 next-hop gr-0/0/0.0
Linux server configuration
1. eth0 is configured with IP address 192.168.5.167/24, and the loopback interface (lo) is configured with 192.168.150.1/24.
Configure the interface eth0 and the loopback (lo) interface:
[root@localhost ~]# ifconfig eth0 192.168.5.167 netmask 255.255.255.0 up
[root@localhost ~]# ifconfig lo 192.168.150.1 netmask 255.255.255.0 up
Verify the status of all active interfaces. Note that GRETUN0 appears only after the tunnel configuration in the next step has been added.
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:2C:3E:0C
          inet addr:192.168.5.167  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe2c:3e0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:993702 (970.4 KiB)  TX bytes:1173137 (1.1 MiB)
          Interrupt:59 Base address:0x2000

GRETUN0   Link encap:UNSPEC  HWaddr C0-A8-05-A7-E4-BF-68-3E-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1380  Metric:1
          RX packets:106 errors:0 dropped:0 overruns:0 frame:0
          TX packets:412 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8904 (8.6 KiB)  TX bytes:44496 (43.4 KiB)

lo        Link encap:Local Loopback
          inet addr:192.168.150.1  Mask:255.255.255.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4231462 (4.0 MiB)  TX bytes:4231462 (4.0 MiB)
2. The GRE tunnel is configured with IP address 10.10.10.1/30, local address 192.168.5.167 and remote (destination) address 192.168.5.55.
First, open /etc/rc.local to add the configuration:
[root@localhost ~]# vi /etc/rc.local
Now add the GRE tunnel configuration:
modprobe ip_gre
ip tunnel add GRETUN0 mode gre remote 192.168.5.55 local 192.168.5.167
ip link ls dev GRETUN0
ip link set GRETUN0 up
ip link ls dev GRETUN0
ip addr add 10.10.10.1/30 dev GRETUN0
ip addr ls dev GRETUN0
ifconfig GRETUN0 mtu 1380
modprobe loads the GRE kernel module; ip tunnel add creates the tunnel with GRETUN0 as its name. The remote and local addresses play the same roles as the tunnel destination and source on the SRX, so the two sides mirror each other: the Linux local address is the SRX tunnel destination and the Linux remote address is the SRX tunnel source. Don't forget to press ESC and then type :wq! to save the file. I used vi to edit the configuration here; any other editor works just as well. To verify the contents, use cat /etc/rc.local; less or more give the same output. With less, press q to quit the output view; otherwise use CTRL+C.
[root@localhost ~]# cat /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
modprobe ip_gre
ip tunnel add GRETUN0 mode gre remote 192.168.5.55 local 192.168.5.167
ip link ls dev GRETUN0
ip link set GRETUN0 up
ip link ls dev GRETUN0
ip addr add 10.10.10.1/30 dev GRETUN0
ip addr ls dev GRETUN0
ifconfig GRETUN0 mtu 1380
3. A static route is added for network 192.168.200.0/24, the loopback network behind the SRX.
Now add the static route:
[root@localhost ~]# route add -net 192.168.200.0 netmask 255.255.255.0 gw 10.10.10.2
Here 10.10.10.2 is the SRX's tunnel IP address, used as the gateway for the 192.168.200.0/24 network. To verify the route, use netstat -rn or route -n. The routing table confirms that the destination networks are routed as desired.
[root@localhost ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.10.10.0      0.0.0.0         255.255.255.252 U         0 0          0 GRETUN0
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.200.0   10.10.10.2      255.255.255.0   UG        0 0          0 GRETUN0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.5.1     0.0.0.0         UG        0 0          0 eth0
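The two sides only work when they mirror each other: the SRX tunnel source is the Linux remote address and vice versa, both tunnel addresses sit in one /30 with the same MTU, and each side routes the other side's loopback network through the tunnel (a Linux route for 192.168.150.0/24, for instance, would point at its own loopback and never reach the SRX). The following Python check is an added example of mine, not part of the original post: it records the addressing plan used above, reports any mismatch, and compares the plan with `ip tunnel show` and `netstat -rn` output, using constructed sample output in the shape of the verification commands on this page.

```python
import ipaddress
import re
# The addressing plan used above, written down once so both endpoints can be checked against it.
SRX = {"tunnel_src": "192.168.5.55", "tunnel_dst": "192.168.5.167", "tunnel_ip": "10.10.10.2/30",
       "mtu": 1380, "inside_net": "192.168.200.0/24", "route": ("192.168.150.0/24", "gr-0/0/0.0")}
LINUX = {"local": "192.168.5.167", "remote": "192.168.5.55", "tunnel_ip": "10.10.10.1/30",
         "mtu": 1380, "inside_net": "192.168.150.0/24", "route": ("192.168.200.0/24", "10.10.10.2")}

def check_plan(srx, linux):
    """Return the mismatches between the two sides; an empty list means the plan is consistent."""
    a, b = ipaddress.ip_interface(srx["tunnel_ip"]), ipaddress.ip_interface(linux["tunnel_ip"])
    checks = [
        ((srx["tunnel_src"], srx["tunnel_dst"]) == (linux["remote"], linux["local"]),
         "outer endpoints must be mirrored: SRX source = Linux remote, SRX destination = Linux local"),
        (srx["mtu"] == linux["mtu"], "tunnel MTU differs between the two sides"),
        (a.network == b.network and a.ip != b.ip, "tunnel addresses must be two hosts of one subnet"),
        (linux["route"] == (srx["inside_net"], str(a.ip)), "Linux must route the SRX loopback net via the SRX tunnel IP"),
        (srx["route"][0] == linux["inside_net"], "SRX static route must cover the Linux loopback net"),
    ]
    return [msg for ok, msg in checks if not ok]
TUNNEL_RE = re.compile(r"^(\S+): gre/ip\s+remote (\S+)\s+local (\S+)", re.M)
def parse_ip_tunnel(text):
    """Map tunnel name -> (remote, local) from `ip tunnel show` output."""
    return {m.group(1): (m.group(2), m.group(3)) for m in TUNNEL_RE.finditer(text)}
def parse_netstat_rn(text):
    """Map (destination, genmask) -> (gateway, iface) from `netstat -rn` output."""
    routes = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) == 8 and fields[0][0].isdigit():   # skip the header lines
            routes[(fields[0], fields[2])] = (fields[1], fields[7])
    return routes
def check_live(linux, tunnel_text, route_text, name="GRETUN0"):
    """Compare what the kernel reports with the plan; returns a list of problems."""
    problems = []
    if parse_ip_tunnel(tunnel_text).get(name) != (linux["remote"], linux["local"]):
        problems.append("%s endpoints differ from the plan" % name)
    net = ipaddress.ip_network(linux["route"][0])
    got = parse_netstat_rn(route_text).get((str(net.network_address), str(net.netmask)))
    if got != (linux["route"][1], name):
        problems.append("route to %s is %s, expected via %s on %s" % (net, got, linux["route"][1], name))
    return problems

# Constructed sample output in the shape of the verification commands used on this page.
SAMPLE_TUNNELS = ("gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc\n"
                  "GRETUN0: gre/ip  remote 192.168.5.55  local 192.168.5.167  ttl inherit\n")
SAMPLE_ROUTES = ("Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface\n"
                 "10.10.10.0      0.0.0.0         255.255.255.252 U         0 0          0 GRETUN0\n"
                 "192.168.200.0   10.10.10.2      255.255.255.0   UG        0 0          0 GRETUN0\n"
                 "0.0.0.0         192.168.5.1     0.0.0.0         UG        0 0          0 eth0\n")
```

On a live host, feed check_live the real output of `ip tunnel show` and `netstat -rn` (for example from subprocess) to confirm the tunnel still matches the plan after a reboot.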
With the configuration complete on both sides, it is time to verify the GRE tunnel and, most importantly, that traffic actually passes through it. I verify the SRX side first and then the Linux side, as shown below.
Verifying the output from Juniper SRX
[edit]
root@SRX# run show interfaces gr-0/0/0 terse
Interface               Admin Link Proto    Local                 Remote
gr-0/0/0                up    up
gr-0/0/0.0              up    up   inet     10.10.10.2/30

[edit]
root@SRX# run show route 10.10.10.0

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/30      *[Direct/0] 02:14:37
                    > via gr-0/0/0.0

[edit]
root@SRX# run show route 192.168.150.0

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.150.0/24   *[Static/5] 00:23:16
                    > via gr-0/0/0.0

[edit]
root@SRX# run ping 192.168.150.1
PING 192.168.150.1 (192.168.150.1): 56 data bytes
64 bytes from 192.168.150.1: icmp_seq=9 ttl=64 time=3.174 ms
64 bytes from 192.168.150.1: icmp_seq=10 ttl=64 time=3.418 ms
64 bytes from 192.168.150.1: icmp_seq=11 ttl=64 time=9.848 ms
64 bytes from 192.168.150.1: icmp_seq=12 ttl=64 time=3.739 ms
64 bytes from 192.168.150.1: icmp_seq=13 ttl=64 time=3.586 ms
64 bytes from 192.168.150.1: icmp_seq=14 ttl=64 time=9.751 ms
64 bytes from 192.168.150.1: icmp_seq=15 ttl=64 time=3.234 ms
64 bytes from 192.168.150.1: icmp_seq=16 ttl=64 time=10.499 ms
64 bytes from 192.168.150.1: icmp_seq=17 ttl=64 time=3.130 ms
^C
--- 192.168.150.1 ping statistics ---
18 packets transmitted, 9 packets received, 50% packet loss
round-trip min/avg/max/stddev = 3.130/5.598/10.499/3.147 ms

The output below shows the statistics of the GRE tunnel (gr-0/0/0), where the received and transmitted packet counters are checked. Before initiating ICMP traffic from the Linux side, I cleared all statistics of the gr-0/0/0 interface, as shown below.
[edit]
root@SRX# run show interfaces gr-0/0/0.0 extensive
  Logical interface gr-0/0/0.0 (Index 77) (SNMP ifIndex 529) (Generation 142)
    Flags: Point-To-Point SNMP-Traps 0x0
    IP-Header 192.168.5.167:192.168.5.55:47:df:64:0000000000000000
    Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: down
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
    tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh
    rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping ntp sip dhcpv6 r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :        0
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1380, Generation: 153, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.10.10.0/30, Local: 10.10.10.2, Broadcast: 10.10.10.3, Generation: 158

After I initiated 5 ICMP packets from the Linux server to 192.168.200.1, the input and output byte counters increased. This verifies that the traffic reached the remote network behind the Juniper SRX through the GRE tunnel.

[edit]
root@SRX# run show interfaces gr-0/0/0.0 extensive
  Logical interface gr-0/0/0.0 (Index 77) (SNMP ifIndex 529) (Generation 142)
    Flags: Point-To-Point SNMP-Traps 0x0
    IP-Header 192.168.5.167:192.168.5.55:47:df:64:0000000000000000
    Encapsulation: GRE-NULL
    Gre keepalives configured: Off, Gre keepalives adjacency state: down
    Traffic statistics:
     Input  bytes  :                  420
     Output bytes  :                  420
     Input  packets:                    5
     Output packets:                    5
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                  420                    0 bps
     Output bytes  :                  420                    0 bps
     Input  packets:                    5                    0 pps
     Output packets:                    5                    0 pps
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp
    ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp
    tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh
    rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
    lsping ntp sip dhcpv6 r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     5
      ICMP packets :                     5
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :      420
      Connections established :          5
    Flow Output statistics:
      Multicast packets :                0
      Bytes permitted by policy :      420
    Flow error statistics (Packets dropped due to):
      Address spoofing:                  0
      Authentication failed:             0
      Incoming NAT errors:               0
      Invalid zone received packet:      0
      Multiple user authentications:     0
      Multiple incoming NAT:             0
      No parent for a gate:              0
      No one interested in self packets: 0
      No minor session:                  0
      No more sessions:                  0
      No NAT gate:                       0
      No route present:                  0
      No SA for incoming SPI:            0
      No tunnel found:                   0
      No session for a gate:             0
      No zone or NULL zone binding       0
      Policy denied:                     0
      Security association not active:   0
      TCP sequence number out of window: 0
      Syn-attack protection:             0
      User authentication errors:        0
    Protocol inet, MTU: 1380, Generation: 153, Route table: 0
      Flags: Sendbcast-pkt-to-re, User-MTU
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.10.10.0/30, Local: 10.10.10.2, Broadcast: 10.10.10.3, Generation: 158
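The IP-Header line in the output above, 192.168.5.167:192.168.5.55:47:df:64, is the outer header carried by every tunnel packet: source, destination, protocol 47 (GRE), the DF bit and TTL 64; the 24 bytes of outer IPv4 plus GRE header are also why the kernel's default gre0 MTU in the Linux ip link output below is 1476 = 1500 - 24, and why both sides here set a reduced MTU of 1380. The following Python is an added example of mine, not code from the post or from Juniper, that builds and parses that encapsulation; the 84-byte echo it constructs matches the 56(84) shown by the Linux ping and the 420 bytes per 5 packets counted by the SRX.

```python
import socket
import struct
GRE_PROTO = 47          # IP protocol number of GRE: the "47" in the SRX IP-Header field above
GRE_OVERHEAD = 20 + 4   # outer IPv4 + base GRE header, which is all GRE adds: no encryption, no authentication

def ones_complement(data: bytes) -> int:
    """Internet checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with DF set and TTL 64, matching the "df:64" the SRX reports."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement(hdr)) + hdr[12:]

def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """What a tunnel endpoint transmits: outer IPv4 (proto 47) + GRE (flags 0, type 0x0800) + inner packet."""
    gre = struct.pack("!HH", 0x0000, 0x0800)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(pkt: bytes):
    """Validate the outer headers and return (outer_src, outer_dst, inner packet); ValueError on anything else."""
    if len(pkt) < GRE_OVERHEAD or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ones_complement(pkt[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % pkt[9])
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0x0007 or proto != 0x0800:   # GRE version must be 0 and the payload IPv4
        raise ValueError("unsupported GRE header")
    # Optional 4-byte fields follow when the C (0x8000), K (0x2000) or S (0x1000) flag bits are set.
    extra = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl + 4 + extra:]
def is_valid_gre(pkt: bytes) -> bool:
    try:
        gre_decapsulate(pkt)
        return True
    except ValueError:
        return False

def sample_inner() -> bytes:
    """Constructed: the 84-byte ICMP echo the Linux host sends from 10.10.10.1 to 192.168.200.1 over GRETUN0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 56   # echo request, 56 data bytes
    icmp = icmp[:2] + struct.pack("!H", ones_complement(icmp)) + icmp[4:]
    return ipv4_header("10.10.10.1", "192.168.200.1", 1, len(icmp)) + icmp
```

Because the outer header is the only thing an observer on the 192.168.5.0/24 path needs, GRE traffic between the two endpoints is easy to spot (protocol 47, fixed endpoint pair) and the inner packets inside it are readable as-is.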
Verifying output from Linux server
Verifying the GRE tunnel:
[root@localhost ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:2c:3e:0c brd ff:ff:ff:ff:ff:ff
3: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
4: gre0: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
5: GRETUN0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue
    link/gre 192.168.5.167 peer 192.168.5.55
The above verifies that the configured GRE tunnel "GRETUN0" is up.
[root@localhost ~]# ip tun
sit0: ipv6/ip  remote any  local any  ttl 64  nopmtudisc
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
GRETUN0: gre/ip  remote 192.168.5.55  local 192.168.5.167  ttl inherit
[root@localhost ~]#
The above output verifies that the GRE tunnel has the proper local and peer addresses.
[root@localhost ~]# ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=0.054 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=0.031 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=0.035 ms

--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.031/0.040/0.054/0.010 ms
Now checking reachability from the Linux server to the GRE tunnel interface IP of the Juniper SRX at the remote site.
[root@localhost ~]# ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2) 56(84) bytes of data.
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=5.90 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=3.23 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=3.20 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=3.25 ms

--- 10.10.10.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 3.225/3.972/6.113/1.238 ms
[root@localhost ~]# ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=1.11 ms
64 bytes from 192.168.200.1: icmp_seq=3 ttl=64 time=1.07 ms
64 bytes from 192.168.200.1: icmp_seq=4 ttl=64 time=1.18 ms
64 bytes from 192.168.200.1: icmp_seq=5 ttl=64 time=1.07 ms

--- 192.168.200.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 1.050/1.099/1.182/0.062 ms
The traceroute output below shows that reachability to network 192.168.200.0/24 is as expected, since both the GRE tunnel interface and the remote network interface are defined under a single zone.
[root@localhost ~]# traceroute 192.168.200.1
traceroute to 192.168.200.1 (192.168.200.1), 30 hops max, 40 byte packets
 1  (192.168.200.1)  13.462 ms  13.714 ms  15.018 ms
The output below shows the statistics of GRETUN0, where the received and transmitted packet counters are checked. Before initiating ICMP traffic from the SRX side, the RX and TX counters are as follows.
[root@localhost ~]# ifconfig GRETUN0
GRETUN0   Link encap:UNSPEC  HWaddr C0-A8-05-A7-05-08-80-4C-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1380  Metric:1
          RX packets:137 errors:0 dropped:0 overruns:0 frame:0
          TX packets:449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10780 (10.5 KiB)  TX bytes:47980 (46.8 KiB)
When I initiated 10 ICMP packets from the SRX to the remote network address 192.168.150.1, the RX and TX counters of GRETUN0 increased by the number of packets sent. This verifies that traffic passes through the GRE tunnel interface.
[root@localhost ~]# ifconfig GRETUN0
GRETUN0   Link encap:UNSPEC  HWaddr C0-A8-05-A7-05-08-80-EC-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1380  Metric:1
          RX packets:147 errors:0 dropped:0 overruns:0 frame:0
          TX packets:459 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11620 (11.3 KiB)  TX bytes:49060 (47.9 KiB)
[root@localhost ~]# ifconfig GRETUN0
GRETUN0   Link encap:UNSPEC  HWaddr C0-A8-05-A7-05-08-80-4C-00-00-00-00-00-00-00-00
          inet addr:10.10.10.1  P-t-P:10.10.10.1  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1380  Metric:1
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:469 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12460 (12.1 KiB)  TX bytes:50140 (48.9 KiB)
I hope this is helpful for building a GRE tunnel in the network scenario described above, with a Juniper SRX running Junos on one side and a Linux server on the other.