[j-nsp] SRX/J VPN BGP with multiple proxy-ids

Stefan Fouant sfouant at shortestpathfirst.net
Wed Feb 3 10:21:04 EST 2010


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Brandon Bennett
> Sent: Tuesday, February 02, 2010 11:16 PM
> To: juniper-nsp
> Subject: [j-nsp] SRX/J VPN BGP with multiple proxy-ids
> 
> I have a unique situation where I am trying to bring up an IPSec VPN on
> a J-series running 10.0.
> 
> The VPN is terminated on an IOS device on the far end and has multiple
> proxy-ids, but I also need to run local BGP across the VPN (probably a
> pretty unique situation).
> 
> It seems that a route-based VPN will support BGP, but only a single
> proxy-id is supported.
> 
> A policy-based VPN will support multiple proxy-ids, but it seems that
> BGP doesn't go through the policy, so it will not come up.
> 
> Does anyone know of any workarounds to either have multiple proxy-ids
> with route-based VPNs (desirable) or configure BGP to be processed by
> the zone policies?

This is a common problem.  Essentially, Cisco creates a separate SA for each
subnet pairing (i.e., Proxy-ID).  Therefore, since there will be multiple
Proxy-IDs that you need to support, the Route-Based VPN is pretty much out
of the question, as you've surmised.  You can use a policy-based VPN and
simply create separate policies for the various traffic you will need to
tunnel.  Make sure the source and destination addresses in your policies
match those of the Proxy-IDs on the Cisco side, as the Proxy-IDs are
automatically derived from the policy in a policy-based VPN in Juniper.

HTHs.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
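As an added illustration of the policy-based approach described in the reply above (this is not configuration from the thread), the Junos set-style snippet below defines one IPsec VPN and two tunnel policy pairs, one per subnet pairing, so that the SRX/J-series derives two Proxy-IDs (10.1.1.0/24<->192.168.10.0/24 and 10.1.2.0/24<->192.168.20.0/24) that must match the two SAs the IOS peer negotiates. The peer address, zone names, subnets, interface and pre-shared key are placeholders; lines beginning with `#` are explanatory and are not part of the configuration. It covers only the multiple-Proxy-ID part of the question, not the BGP-over-tunnel part.

```junos
# Phase 1: one IKE gateway toward the IOS peer (placeholder address 203.0.113.1)
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-128-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"
set security ike gateway cisco-gw ike-policy ike-pol
set security ike gateway cisco-gw address 203.0.113.1
set security ike gateway cisco-gw external-interface ge-0/0/0.0
# Phase 2: a single VPN object; each policy that references it yields its own SA/Proxy-ID
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn cisco-vpn ike gateway cisco-gw
set security ipsec vpn cisco-vpn ike ipsec-policy ipsec-pol
# Address objects: local subnets in trust, remote subnets in untrust (placeholder prefixes)
set security zones security-zone trust address-book address local-a 10.1.1.0/24
set security zones security-zone trust address-book address local-b 10.1.2.0/24
set security zones security-zone untrust address-book address remote-a 192.168.10.0/24
set security zones security-zone untrust address-book address remote-b 192.168.20.0/24
# Subnet pair A: outbound policy plus its paired inbound policy
set security policies from-zone trust to-zone untrust policy vpn-out-a match source-address local-a
set security policies from-zone trust to-zone untrust policy vpn-out-a match destination-address remote-a
set security policies from-zone trust to-zone untrust policy vpn-out-a match application any
set security policies from-zone trust to-zone untrust policy vpn-out-a then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone trust to-zone untrust policy vpn-out-a then permit tunnel pair-policy vpn-in-a
set security policies from-zone untrust to-zone trust policy vpn-in-a match source-address remote-a
set security policies from-zone untrust to-zone trust policy vpn-in-a match destination-address local-a
set security policies from-zone untrust to-zone trust policy vpn-in-a match application any
set security policies from-zone untrust to-zone trust policy vpn-in-a then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone untrust to-zone trust policy vpn-in-a then permit tunnel pair-policy vpn-out-a
# Subnet pair B: a second policy pair produces the second Proxy-ID
set security policies from-zone trust to-zone untrust policy vpn-out-b match source-address local-b
set security policies from-zone trust to-zone untrust policy vpn-out-b match destination-address remote-b
set security policies from-zone trust to-zone untrust policy vpn-out-b match application any
set security policies from-zone trust to-zone untrust policy vpn-out-b then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone trust to-zone untrust policy vpn-out-b then permit tunnel pair-policy vpn-in-b
set security policies from-zone untrust to-zone trust policy vpn-in-b match source-address remote-b
set security policies from-zone untrust to-zone trust policy vpn-in-b match destination-address local-b
set security policies from-zone untrust to-zone trust policy vpn-in-b match application any
set security policies from-zone untrust to-zone trust policy vpn-in-b then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone untrust to-zone trust policy vpn-in-b then permit tunnel pair-policy vpn-out-b
```

After committing, `show security ipsec security-associations detail` lists each negotiated SA with its local and remote identities, which is the place to verify that the derived Proxy-IDs line up with the crypto ACL entries on the IOS side.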
