[j-nsp] SRX/J VPN BGP with multiple proxy-ids
Brandon Bennett
bennetb at gmail.com
Wed Feb 3 16:49:00 EST 2010
> This is a common problem. Essentially, Cisco creates a separate SA for each
> subnet pairing (i.e Proxy-ID). Therefore since there will be multiple
> Proxy-IDs which you need to support, the Route-Based VPN is pretty much out
> of the question, as you've surmised. You can use a policy-based VPN and
> simply create separate policies for the various traffic you will need to
> tunnel. Make sure the source and destination addresses in your policies
> match that of the Proxy-IDs on the Cisco side, as the Proxy-IDs are
> automatically derived from the policy in a policy-based VPN in Juniper.
We have gone down that road but it seems that the local BGP process
does not get proccessed by the inter-area policy (in my case trust to
untrust) and so does not go down the IPSEC tunnel. It seems that on
the SRX/J-ES that the only way to get this to work is to route-based
VPN (which we are back at the proxy-id support)
-Brandon
More information about the juniper-nsp
mailing list