[j-nsp] JunOS route-based VPN: multiple st interfaces

Fahad Khan fahad.khan at gmail.com
Sun Dec 12 14:31:42 EST 2010


Hello Jonathan,

Let me know which Junos version you are using.

You should use two st0.x interfaces like st0.1 and st0.2; the primary route
should use st0.1 and the secondary route should use st0.2. It should be
straightforward. Keep using VPN monitor. Use re-key and DPD for proper
tunnel failover.

Let me know if you find any difficulty.

regards,

Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Tue, Nov 30, 2010 at 9:19 PM, Adam Leff <adam at leff.co> wrote:

> On Tue, Nov 30, 2010 at 3:58 AM, Jonathan Lassoff <jof at thejof.com> wrote:
>
> > On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <adam at leff.co> wrote:
> > > Also, for what it's worth, I do have multiple logical interfaces under
> > > st0 (i.e. st0.0 and st0.1) and it is working without requiring NHTB.
> >
> > Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
> > "bind-interface" statement, but the iff hierarchy under st0 *doesn't*
> > have a "next-hop-tunnel" statement?
> >
>
> Yes.  We run either BGP or OSPF over the tunnel links, so no
> next-hop-tunnel statements are required.  Are you binding "st0" or the
> full "st0.1" interface to your VPN?
>
> Here's a snippet of our config.  Feel free to contact me off-list with your
> config and I'm happy to give it a glance.
>
> in [edit security]:
> ike {
>    policy phx1 {
>        mode main;
>        proposal-set compatible;
>        pre-shared-key ascii-text "<redacted>";
>    }
>    gateway phx1 {
>        ike-policy phx1;
>        address <redacted>;
>        external-interface ge-4/0/0.0;
>    }
> }
> ipsec {
>    vpn phx1 {
>        bind-interface st0.1;
>        vpn-monitor;
>        ike {
>            gateway phx1;
>            ipsec-policy compatible;
>        }
>        establish-tunnels immediately;
>    }
> }
>
> in [edit interfaces]:
> st0 {
>    unit 1 {
>        description "VPN to PHX1";
>        family inet {
>            address 10.10.11.8/31;
>        }
>    }
> }
>
> > > Do you have all the pre-requisites set up?  i.e. st0.1 in the proper
> > > security zone, a route pointed down st0.1 for the traffic to be
> > > tunneled, etc.?
> >
> > I'm pretty sure everything looks right (but just to me, so it's
> > certainly possible that there's a bug or two in my config). st0.1 is
> > in a security zone that has policies to permit vpn-monitor ICMP
> > traffic, and I'm not even routing over the st0.1 interface yet, just
> > pinging the remote end.
> >
> > Cheers,
> > jof
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
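The two-tunnel layout Fahad describes (st0.1 for the primary tunnel, st0.2 for the secondary, VPN monitor and DPD for failover), written out as an added Junos SRX configuration sketch. This is not the configuration of anyone in the thread; the gateway and VPN names, the 203.0.113.x peer addresses, the 10.10.12.8/31 tunnel address, the 10.20.0.0/16 remote prefix and the timers are constructed placeholders to be replaced with your own values.

```junos
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 28800;    /* phase 1 re-key interval */
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "<redacted>";
        }
        gateway gw-primary {
            ike-policy ike-pol;
            address 203.0.113.1;       /* placeholder peer address */
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/0.0;
        }
        gateway gw-secondary {
            ike-policy ike-pol;
            address 203.0.113.2;       /* placeholder peer address */
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
            lifetime-seconds 3600;     /* phase 2 re-key interval */
        }
        policy ipsec-pol {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec-prop;
        }
        vpn vpn-primary {
            bind-interface st0.1;      /* one logical unit per tunnel */
            vpn-monitor;
            ike {
                gateway gw-primary;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
        vpn vpn-secondary {
            bind-interface st0.2;
            vpn-monitor;
            ike {
                gateway gw-secondary;
                ipsec-policy ipsec-pol;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn {
            host-inbound-traffic {
                system-services {
                    ping;              /* lets vpn-monitor ICMP reach the zone */
                }
            }
            interfaces {
                st0.1;
                st0.2;
            }
        }
    }
}
interfaces {
    st0 {
        unit 1 {
            description "primary VPN";
            family inet {
                address 10.10.11.8/31;
            }
        }
        unit 2 {
            description "secondary VPN";
            family inet {
                address 10.10.12.8/31;
            }
        }
    }
}
routing-options {
    static {
        route 10.20.0.0/16 {
            next-hop st0.1;            /* default static preference 5 */
            qualified-next-hop st0.2 {
                preference 10;         /* used only when st0.1 is down */
            }
        }
    }
}
```

The failover hinges on VPN monitor: when the monitor pings through st0.1 fail, the tunnel is declared down and st0.1 is marked link-down, so the primary static route is withdrawn and the qualified-next-hop via st0.2 takes over; DPD on the gateway handles the IKE side so the dead SA is torn down and re-established rather than left stale. Checking `show security ipsec security-associations` and `show route 10.20.0.0/16` during a test failover confirms both halves are behaving.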

