[j-nsp] SRX/J VPN BGP with multiple proxy-ids

Brandon Bennett bennetb at gmail.com
Wed Feb 3 16:49:00 EST 2010


> This is a common problem.  Essentially, Cisco creates a separate SA for each
> subnet pairing (i.e. Proxy-ID).  Therefore, since there will be multiple
> Proxy-IDs which you need to support, the Route-Based VPN is pretty much out
> of the question, as you've surmised.  You can use a policy-based VPN and
> simply create separate policies for the various traffic you will need to
> tunnel.  Make sure the source and destination addresses in your policies
> match those of the Proxy-IDs on the Cisco side, as the Proxy-IDs are
> automatically derived from the policy in a policy-based VPN in Juniper.


We have gone down that road, but it seems that the local BGP process
does not get processed by the inter-area policy (in my case trust to
untrust) and so does not go down the IPsec tunnel.  It seems that on
the SRX/J-ES the only way to get this to work is to use a route-based
VPN (which brings us back to the proxy-id support issue).

-Brandon
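For reference, here is the policy-based layout the quoted reply describes, as an added illustration rather than configuration from either poster. Two local subnets are tunnelled to one remote subnet, so the Cisco side needs two crypto ACL entries and will negotiate two SA pairs; on the SRX each pairing gets its own policy pair, and the policy source/destination addresses become the proxy-IDs. All names, addresses, zone layout and proposals are assumptions chosen for the example.

```junos
/* Added example: policy-based VPN to a Cisco peer with two proxy-IDs.
   Addresses, names and proposals are illustrative, not from the thread. */
security {
    zones {
        security-zone trust {
            address-book {
                address local-net1 10.1.1.0/24;
                address local-net2 10.1.2.0/24;
            }
            interfaces { ge-0/0/1.0; }
        }
        security-zone untrust {
            address-book {
                address remote-net1 192.0.2.0/24;
            }
            interfaces { ge-0/0/0.0; }
        }
    }
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-A-STRONG-SECRET";
        }
        gateway cisco-gw {
            ike-policy ike-pol;
            address 198.51.100.1;           /* assumed Cisco peer address */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ipsec-prop {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-pol {
            perfect-forward-secrecy { keys group2; }
            proposals ipsec-prop;
        }
        /* One vpn object; the per-subnet proxy-IDs come from the policies
           below, so no proxy-identity is configured here. */
        vpn cisco-vpn {
            ike {
                gateway cisco-gw;
                ipsec-policy ipsec-pol;
            }
        }
    }
    policies {
        /* Outbound: source/destination here become the local/remote proxy-ID.
           The matching Cisco crypto ACL entry would be
           "permit ip 10.1.1.0 0.0.0.255 192.0.2.0 0.0.0.255". */
        from-zone trust to-zone untrust {
            policy to-cisco-net1 {
                match { source-address local-net1; destination-address remote-net1; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy from-cisco-net1; } } }
            }
            /* Second pairing, second SA on the Cisco side:
               "permit ip 10.1.2.0 0.0.0.255 192.0.2.0 0.0.0.255". */
            policy to-cisco-net2 {
                match { source-address local-net2; destination-address remote-net1; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy to-cisco-net2-in; } } }
            }
        }
        /* Inbound pair policies, mirrored so either side can initiate. */
        from-zone untrust to-zone trust {
            policy from-cisco-net1 {
                match { source-address remote-net1; destination-address local-net1; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy to-cisco-net1; } } }
            }
            policy to-cisco-net2-in {
                match { source-address remote-net1; destination-address local-net2; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy to-cisco-net2; } } }
            }
        }
    }
}
```

After committing, `show security ipsec security-associations detail` lists the local and remote identity negotiated for each SA, which is the quickest way to confirm that the proxy-IDs the SRX derived from each policy match the Cisco crypto ACL entries. Note that these policies only match transit traffic crossing from trust to untrust; as Brandon reports above, a BGP session originated by the SRX itself is not steered into the tunnel by them, which is the limitation the thread is about.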


More information about the juniper-nsp mailing list