Good Afternoon,

I am workign to configure a dynamic VPN on a VSRX located in AWS.  I am running into no proposal selected errors when I try to connect.

Here's how things look on the SRX side, error wise:

[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_st_i_sa_proposal: Start
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_process_packet: No output packet, returning
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1 remote_port:22709 ksa_cfg_remote_port=4500
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate id NOT matched.
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8f29e00)

Similarly, I run into this client side (NCP Exclusive Access client)

2/28/2019 1:40:12 PM - IpsDial: connection time interface choice,LocIpa=10.1.11.146,AdapterIndex=201
2/28/2019 1:40:12 PM - Ike: Outgoing connect request AGGRESSIVE mode - gateway=XXX.XXX.XXX.XXX : Corios VPN2
2/28/2019 1:40:12 PM - Ike: ConRef=82, XMIT_MSG1_AGGRESSIVE, name=Corios VPN2, vpngw=XXX.XXX.XXX.XXX:500
2/28/2019 1:40:12 PM - ike_phase1:send_id:ID_USER_FQDNid=0,port=0,itadmins@coriosgroup.com
2/28/2019 1:40:12 PM - Ike: ConRef=82, Send NAT-D vendor ID,remprt=500
2/28/2019 1:40:12 PM - Ike: ConRef=82, NOTIFY : Corios VPN2 : RECEIVED : NO_PROPOSAL_CHOSEN : 14

Here's my IKE config:

proposal PSK-DH19-AES256-SHA256-L28800 {
authentication-method pre-shared-keys;
dh-group group19;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 28800;
}

policy Corios-VPN-IKE-Pol {
mode aggressive;
proposals PSK-DH19-AES256-SHA256-L28800;
pre-shared-key ascii-text "SHARED SECRET HASH"; ## SECRET-DATA
}

gateway Corios-VPN-IKE-GW {
ike-policy Corios-VPN-IKE-Pol;
dynamic {
user-at-hostname "itadmins@coriosgroup.com";
connections-limit 2;
ike-user-type shared-ike-id;
}
dead-peer-detection;
local-identity inet XXX.XXX.XXX.XXX;
external-interface ge-0/0/0.0;
aaa {
access-profile LOCAL_AUTH;
}
version v1-only;
tcp-encap-profile NCP;
}

Here's my IPSEC config:

proposal ESP-AES256-SHA256-L3600 {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}

proposal ESP-AES256-SHA256-L3600 {
protocol esp;
encryption-algorithm aes-256-gcm;
lifetime-seconds 3600;
}

vpn Corios-VPN {
bind-interface st0.9;
ike {
gateway Corios-VPN-IKE-GW;
ipsec-policy Corios-VPN-IPSEC-Pol;
}
traffic-selector TS1 {
local-ip 0.0.0.0/0;
remote-ip 0.0.0.0/0;
}
}

Here's the config for the tunnel interface:

ec2-user@VSRX2> show configuration interfaces st0.9
enable;
description VPN;
family inet {
mtu 1436;
address 10.132.3.1/24;
}

It's also in a security zone:

ec2-user@VSRX2> show configuration security zones security-zone vpn
tcp-rst;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
st0.9;
}

The attached images are screenshots from the NCP client config.

One other thing I should also mention is that I have several site-to-s-te VPNs landing on this VSRX.  They're working.

Whatever I'm doing wrong here just isn't making sense to me.  Thanks in advance for pointing me in the right direction.

Thanks for the info. Does it means safer to use D150?

The new link provided works. Thanks.

For what it’s worth D170 is out now.

PFS is enabled in NCP configuration. I do not see srx ipsec policy config in your post. Please check whether pfs is enabled on SRX

Also enable ike debug on srx  to see what proposal you are getting from NCP

1. Enable debug on srx

request security ike debug-enable local <ge-0/0/0.0 ip> remote <peer-ip> level 12

2. monitor kmd log file

monitor start kmd

3. Initiate connection from NCP

4. Check kmd log for error/mismatch and then disable ike debug

monitor stop kmd

request security ike debug-disable

Hi

no proposal chosen in your case can also mean you have the wrong authentication method

this is what I see :

on SRX:   user@hostname

on client : FQDN

so make it the same on both sides and see whats happening then

regards

Alexander

PS I had the same problem 2 months ago, it took me 2 hours to find it out, that no proosal chosen sometimes has nothing to do with your proposals

Thanks for getting back to me Alexander.

The choices I have for the local identity type  in the NCP client are

IPv4 address

FQDN (Fully Qualified Domain Name)

U-FQDN (Fully Qualified Username)

ASN.1 DN (ASN.1 Disginguished Name)

I think the fully qualified username is the same as user@hostname.

I've found some interesting things in the logs:

[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] Parsing notification payload for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] Search for a tunnel matching the IKE peers, local:10.132.0.52, remote:YYY.YYY.YYY.YYY IKEv1
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1 remote_port:14947 ksa_cfg_remote_port=4500
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_idv2_to_idv1: Converting the IKEv2 payload ID IDa(type = email (3), len = 24, value = itadmins@coriosgroup.com) to IKEv1 ID
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_idv2_to_idv1: IKEv2 payload ID converted to IKEv1 payload ID usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate called with id usr@fqdn(any:0,[0..23]=itadmins@coriosgroup.com)
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate Use default id [ipv4(any:0,[0..3]=XXX.XXX.XXX.XXX)]
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate id NOT matched.
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup: Setting tunnel-event Peer's IKE-ID validation failed during negotiation for P1-SA 5426182
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] address based lookup failed, ID not match: Sa_cfg:CORIOS-AWS-VSRX-2-VPN Gateway:CORIOS-PREM-SRX
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Mar 1 18:17:21][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8f29e00)

I already have an IPSEC tunnel (site to site, not dynamic) that has the same source and destination IPs that are showing up on the logs.  Do they need to be different?

Yes, it should be different. In this case, dynamic vpn request is matching with site-to-site vpn CORIOS-AWS-VSRX-2-VPN  [Gateway:CORIOS-PREM-SRX] and not with dynamic vpn config. You may have to use different nat ip for client side.

Hello,

I have a few switches connected in an RSTP ethernet ring.  I would like to use Juniper SRX 340 as my gateway for all the applications and to permit and deny routing between the vlans on the ring.  I will be using two SRXs and VRRP to elect the master gateway.

I have 8 applications, each on a separate VLAN and subnet.  The Junipers needs to be able to participate in each VLAN, and have a logical IP address for each VLAN (as well as a shared VRRP address for each subnet that is available on both).

I think I know how to do most of this however I haven't been able to find examples of creating VLAN interfaces that aren't attached to physical interfaces.  So hopefully someone can tell me how to do that part only.  So I will have two physical ports that are trunk ports and members of each VLAN, then 8 logical interfaces with IP addresses 1 for each VLAN.  Then all traffic destined for outside networks will be routed out 1 of 2 uplink ports to other networks. 

If I can get info on how to create logical L3 interfaces attached to the VLAN without a physical interface I can probably figure out all the VRRP and other stuff myself.

Thanks

1. Define vlans
set vlan-10 vlan-id 10
set vlan-10 l3-interface irb.10;
set vlan-20 vlan-id 20
set vlan-20 l3-interface irb.20;
set vlan-30 vlan-id 30
set vlan-30 l3-interface irb.30;
set vlan-40 vlan-id 40
set vlan-40 l3-interface irb.40;
set vlan-50 vlan-id 50
set vlan-50 l3-interface irb.50;
set vlan-60 vlan-id 60
set vlan-60 l3-interface irb.60;
set vlan-70 vlan-id 70
set vlan-70 l3-interface irb.70;
set vlan-80 vlan-id 80
set vlan-80 l3-interface irb.80;

2. Configure l3 interface for each vlans.
set interfaces irb unit 10 family inet address 192.168.10.1/24
set interfaces irb unit 20 family inet address 192.168.20.1/24
set interfaces irb unit 30 family inet address 192.168.30.1/24
set interfaces irb unit 40 family inet address 192.168.40.1/24
set interfaces irb unit 50 family inet address 192.168.50.1/24
set interfaces irb unit 60 family inet address 192.168.60.1/24
set interfaces irb unit 70 family inet address 192.168.70.1/24
set interfaces irb unit 80 family inet address 192.168.80.1/24

3. Configure the interface as trunks and allow all the vlans or only the configured 8 vlans to the interface
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members [all or add 8 vlan-name]

4. Configure security zone and add the irb interfaces to it. You may use same zone or use different zone for each vlan

set security zones security-zone trust interfaces irb.10
set security zones security-zone trust interfaces irb.20
set security zones security-zone trust interfaces irb.30
set security zones security-zone trust interfaces irb.40
set security zones security-zone trust interfaces irb.50
set security zones security-zone trust interfaces irb.60
set security zones security-zone trust interfaces irb.70
set security zones security-zone trust interfaces irb.80

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

5. Configure security policies. [as per this config trust to trust]

6. Configure vrrp and other stuff

This appears to work however I had to put the keyword vlans after the set command.

However, all the irb interfaces are in down state.  How do I bring them up?

thanks fro replying.. as soon as  i enabled the vpn-monitoring the connection droppped longer and i ve disabled it again. I saw these errors during the disconnection : :

> show log messages | match 64.13

Mar 1 22:07:34 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6188.
Mar 1 22:07:44 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6195.
Mar 1 22:07:54 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf619a.
Mar 1 22:08:04 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf61a5.
Mar 1 22:08:14 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf61b5.
Mar 1 22:08:27 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/124, ESP, SPI 0x996e2627, SEQ 0xf61c1.
Mar 1 22:09:08 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/124, ESP, SPI 0x996e2627, SEQ 0xf61f0.
Mar 1 22:09:14 srx240-01 kmd[12761]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: Not-Available Gateway: Not-Available, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 1 22:09:39 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf621c.
Mar 1 22:09:48 srx240-01 kmd[12761]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 1 22:09:49 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6227.
Mar 1 22:09:59 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6238.
Mar 1 22:10:09 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6245.
Mar 1 22:10:19 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6252.
Mar 1 22:10:29 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf6260.
Mar 1 22:10:39 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf626e.
Mar 1 22:10:49 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf627d.
Mar 1 22:10:59 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf628a.
Mar 1 22:11:19 srx240-01 RT_IPSEC: RT_IPSEC_BAD_SPI: IPSec tunnel on int ge-0/0/0.0 with tunnel ID 0x20001 received a packet with a bad SPI. 64.13.163.35->50.208.33.177/100, ESP, SPI 0x996e2627, SEQ 0xf62a8.
Mar 1 22:11:24 srx240-01 mgd[16776]: UI_CMDLINE_READ_LINE: User 'obakmaz', command 'show log messages | match 64.13 '
Mar 1 22:11:34 srx240-01 mgd[16776]: UI_CMDLINE_READ_LINE: User 'obakmaz', command 'show log kmd-logs | match 64.13 '
Mar 1 22:11:39 srx240-01 kmd[12761]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 1 22:11:50 srx240-01 kmd[12761]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 1 22:12:21 srx240-01 kmd[12761]: IKE negotiation failed with error: SA unusable. IKE Version: 1, VPN: svcolo Gateway: gw_svcolo, Local: 50.208.33.177/500, Remote: 64.13.163.35/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0
Mar 1 22:12:42 srx240-01 kmd[12761]: KMD_PM_SA_ESTABLISHED: Local gateway: 50.208.33.177, Remote gateway: 64.13.163.35, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: inbound, SPI: 0xc14c5c07, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Mar 1 22:12:42 srx240-01 kmd[12761]: KMD_PM_SA_ESTABLISHED: Local gateway: 50.208.33.177, Remote gateway: 64.13.163.35, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Direction: outbound, SPI: 0x621fd29b, AUX-SPI: 0, Mode: Tunnel, Type: dynamic
Mar 1 22:12:42 srx240-01 kmd[12761]: KMD_VPN_UP_ALARM_USER: VPN svcolo from 64.13.163.35 is up. Local-ip: 50.208.33.177, gateway name: gw_svcolo, vpn name: svcolo, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 50.208.33.177, Remote IKE-ID: 64.13.163.35, XAUTH username: Not-Applicable, VR id: 0
Mar 1 22:13:08 srx240-01 mgd[16776]: UI_CMDLINE_READ_LINE: User 'obakmaz', command 'show log kmd-logs | match 64.13 '
Mar 1 22:13:20 srx240-01 mgd[16776]: UI_CMDLINE_READ_LINE: User 'obakmaz', command 'show log messages | match 64.13 '

In order for an irb interface to come up at least one physical interface in the same vlan has to be link up. 

There is a physical interface trunked vlan and it is up.  All vlans are on this interface.

Hi,

I did a quick lab test. Interface was down after the commit. I had to reboot the firewall to get the irb interface up since I was switching from route mode to mix mode.

root@srx# commit
warning: Interfaces are changed from route mode to mix mode. Please use the command request system reboot on current node or all nodes in case of HA cluster!
commit complete

Configuration:

set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100
set interfaces irb unit 100 family inet address 192.168.100.10/24
set vlans vlan100 vlan-id 100
set vlans vlan100 l3-interface irb.100

Interface Status:

root@srx> show interfaces irb terse
Interface Admin Link Proto Local Remote
irb up up
irb.100 up up inet 192.168.100.10/2

Which platform and version are you using?

I hope this helps.

Regards,

Vikas

Hello,

I've trying to setup a cluster of SRX210 and ingest an IP via Hub 3.0 in modem mode, which works fine cloning the mac on the reth0 interface (reth0 outside, reth1 inside). Unfortunately, I can't ping Google from the firewall.

This same setup worked previously with no cluster with only one unit, although with some random issues where I lost the public IP on the firewall. Overall, it seems like VM Hub 3.0 doesn't work rock-solidly in modem mode, and also it depends a lot on the hardware you behind. 

The first setup was to have PFsense virtually which worked perfectly, but now I'm not sure whether it's the firmware on the Hub or it's something wrong on my SRX configuration.

What annoys and confuses me is the fact that I'm getting (Access-internal/12), where I received "default" (if I remember correctly when I had only one single unit). Another fact is that I'm stripping the VLAN 100 tag from the switch to the Hub3 but tagging it back on the LACP to the SRX cluster. I can see ARP from the street VM cabinets, and I get the public IP correctly although something is wrong as it doesn't work. This same method worked correctly.

root@firewall_node01> show route

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 00:13:56

                    > to 82.6.88.1 via reth0.100

Any help would be great.

Thanks,

Alberto.

so far.. inter-zone and intra-zone ... both the same and i managed to reduce the amount of zones to fit on an srx300 (max 16)... so all good

Hi test20001,

Im glad to hear that everything is working fine. If you consider the post resolved, please mark it as Resolved so that future users can use it as a reference.

HI All,

Bit stuck here... so i have followed https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227 which works great...

Though now both the ISP facing interfaces tied to a virtual-router type routing-instance, I want to have a default route on SRX-1 within the global routing table for internet breakout... So i need to leak out the default routes from the virtual-routers to the global routing table... though it looks like you can only do with a vrf type routing-instance..?

So has anyone managed to import a route from virtual-router.inet.0 to inet.0 ... ? As currenlty i can't see an option...