IS-IS over tunnel


Peter

Aug 19, 2012, 8:28:47 AM8/19/12
to jncie-s...@googlegroups.com
Hi All

I was able to configure IS-IS over GRE tunnel on SRX. However, IS-IS over GRE over route-based IPSec tunnel is not working for me. Is it supposed to work at all? It does not look like an MTU issue because I increased MTU on physical interfaces to 2000.

Thanks in advance,
Peter

dark_15

Aug 19, 2012, 7:52:20 PM8/19/12
to jncie-s...@googlegroups.com
Can you post your configuration?

dark_15

Aug 19, 2012, 11:25:04 PM8/19/12
to jncie-s...@googlegroups.com
Actually, never mind, that makes sense now. IS-IS is non-IP traffic, and I don't think the st0 interfaces can carry non-IP traffic (unlike GRE tunnels). So if you want to send IS-IS traffic down a tunnel, you can use GRE, and then run GRE over IPsec to encrypt the traffic between the endpoints.

On Sunday, August 19, 2012 7:52:20 PM UTC-4, dark_15 wrote:
Can you post your configuration?

Peter

Aug 20, 2012, 3:22:01 AM8/20/12
to jncie-s...@googlegroups.com
Hi

This is exactly what I was trying to do - IS-IS over GRE over IPsec. My config (relevant parts) from one side is below; the other side is configured symmetrically. Note that the IS-IS adjacency is up on interface gr-0/0/0.1, which is an ordinary GRE interface, but not on gr-0/0/0.0, which goes via the tunnel. The tunnel is up and pings go through it fine. In debug and monitor traffic output, I see GRE-encapsulated IS-IS hellos going into the tunnel, but none come back.

/* Interface stanza from one endpoint; per the post, the peer is configured symmetrically. */
interfaces {
    gr-0/0/0 {                          
        /* unit 0: GRE endpoints 10.200.0.23 -> 10.200.0.240 are in the st0.0 subnet
           (10.200.0.0/24), so this GRE tunnel is carried inside the route-based IPsec VPN.
           This is the unit on which the poster reports the IS-IS adjacency does not come up. */
        unit 0 {
            /* Clear the DF bit on packets encapsulated in GRE. */
            clear-dont-fragment-bit;
            tunnel {
                source 10.200.0.23;
                destination 10.200.0.240;
                /* Permit fragmentation of the GRE-encapsulated packets. */
                allow-fragmentation;
            }
            family inet {
                mtu 1500;
                address 10.250.0.23/24;
            }
            /* ISO family is enabled here so the unit can carry IS-IS PDUs. */
            family iso;
        }
        /* unit 1: GRE endpoints 10.1.0.23 -> 10.1.0.240 are in the ge-0/0/1 subnet,
           i.e. plain GRE with no IPsec underneath. IS-IS PDUs on this unit cross that
           segment unencrypted. The poster reports the adjacency is up on this unit. */
        unit 1 {
            clear-dont-fragment-bit;
            tunnel {
                source 10.1.0.23;
                destination 10.1.0.240;
                allow-fragmentation;
            }
            family inet {
                mtu 1500;
                address 10.251.0.23/24;
            }
            family iso;
        }
    }
    /* Underlay for the plain GRE tunnel (gr-0/0/0.1); its address is that unit's tunnel source. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.0.23/24;
            }
        }
    }
    /* Underlay for IPsec: named as the IKE external-interface in the security stanza.
       The physical MTU is raised to 2000. family iso is set, but this interface is not
       listed under protocols isis in the excerpt. */
    ge-0/0/3 {
        mtu 2000;
        unit 0 {
            family inet {               
                address 10.3.0.23/24;
            }
            family iso;
        }
    }
    lo0 {
        unit 0 {
            family iso {
                /* IS-IS NET: area 49.0001, system ID 1111.1111.1111, selector 00. */
                address 49.0001.1111.1111.1111.00;
            }
        }
    }
    /* Secure tunnel interface that vpn1 binds to. Only family inet is configured here
       (no family iso), so IS-IS reaches the peer only inside GRE (gr-0/0/0.0), never
       natively over st0.0. */
    st0 {
        unit 0 {
            family inet {
                mtu 1750;
                address 10.200.0.23/24;
            }
        }
    }
}
/* IS-IS runs only on the two GRE units: .0 (GRE inside IPsec) and .1 (plain GRE).
   NOTE(review): no IS-IS authentication statements appear in this excerpt, which the
   poster describes as "relevant parts" only. If none exist in the full config, hellos
   and LSPs are accepted unauthenticated. That matters most on gr-0/0/0.1, which has no
   IPsec protection. Confirm against the full configuration. */
protocols {
    isis {
        interface gr-0/0/0.0;
        interface gr-0/0/0.1;
    }
}
security {
    /* IKE phase 1: one pre-shared-key policy and one gateway towards the peer. */
    ike {
        /* Respond to IPsec packets that carry an unrecognised SPI; 20 is the configured
           response limit. */
        respond-bad-spi 20;
        policy ike-pol {
            mode main;                  
            /* Predefined proposal set rather than an explicit proposal.
               NOTE(review): its algorithm contents depend on the Junos release. Confirm
               they meet current policy, or define explicit proposals instead. */
            proposal-set standard;
            /* The "$9$" form is Junos's obfuscated storage format, not a one-way hash.
               A key published in this form should be treated as disclosed and rotated.
               When sharing a configuration, replace the value with a placeholder. */
            pre-shared-key ascii-text "$9$eiFMLNs2aikPdbkP5Q9CKM8"; ## SECRET-DATA
        }
        /* Peer 10.3.0.240 is on the ge-0/0/3 subnet (10.3.0.0/24). */
        gateway gw1 {
            ike-policy ike-pol;
            address 10.3.0.240;
            external-interface ge-0/0/3;
        }
    }
    /* IPsec phase 2: a route-based VPN, since vpn1 is bound to st0.0 rather than
       referenced from a security policy. */
    ipsec {
        policy ipsec-pol {
            /* Predefined proposal set. No perfect-forward-secrecy statement appears in
               this policy as posted. NOTE(review): confirm whether the set's algorithms
               and the lack of PFS are acceptable outside a lab. */
            proposal-set standard;
        }
        vpn vpn1 {
            /* Traffic routed to st0.0 is protected by this VPN. That includes the GRE
               packets of gr-0/0/0.0, whose endpoints are in the st0.0 subnet. */
            bind-interface st0.0;
            ike {
                gateway gw1;
                ipsec-policy ipsec-pol;
            }
            /* Negotiate the tunnel as soon as the configuration is active instead of
               waiting for traffic to trigger it. */
            establish-tunnels immediately;
        }
    }
    /* Security policies: no explicit zone-to-zone policies appear in this excerpt, only
       the default action. */
    policies {
        default-policy {
            /* Permits any traffic that no explicit policy matches, so the firewall does
               no filtering between zones. This is convenient for ruling out policy drops
               in a lab. A production device should keep the default deny and allow only
               the required flows (IKE/ESP, GRE, management) explicitly. */
            permit-all;
        }
    }
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;