[j-nsp] SRX/J VPN BGP with multiple proxy-ids

Stefan Fouant sfouant at shortestpathfirst.net
Wed Feb 3 21:45:11 EST 2010


> -----Original Message-----
> From: Brandon Bennett [mailto:bennetb at gmail.com]
> Sent: Wednesday, February 03, 2010 4:49 PM
> To: Stefan Fouant
> Cc: juniper-nsp
> Subject: Re: [j-nsp] SRX/J VPN BGP with multiple proxy-ids
> 
> > This is a common problem.  Essentially, Cisco creates a separate SA
> > for each subnet pairing (i.e. Proxy-ID).  Therefore, since there will be
> > multiple Proxy-IDs which you need to support, the Route-Based VPN is
> > pretty much out of the question, as you've surmised.  You can use a
> > policy-based VPN and simply create separate policies for the various
> > traffic you will need to tunnel.  Make sure the source and destination
> > addresses in your policies match that of the Proxy-IDs on the Cisco
> > side, as the Proxy-IDs are automatically derived from the policy in a
> > policy-based VPN in Juniper.
> 
> 
> We have gone down that road but it seems that the local BGP process
> does not get processed by the inter-area policy (in my case trust to
> untrust) and so does not go down the IPSEC tunnel.  It seems that on
> the SRX/J-ES that the only way to get this to work is to route-based
> VPN (which we are back at the proxy-id support)

Ok, I've done this before on SSG; I have yet to try it out on SRX platforms,
but this might work...

Try creating two separate IPsec AutoKey entries, and bind them both to the
same IKE gateway and the same tunnel interface.  Then specify a separate
Proxy ID pairing for each IPsec AutoKey entry, and hopefully you should be
good.

Somebody needs to open an enhancement request to allow multiple Proxy-IDs to
be configured for a Route-based VPN.  And the SRX documentation leaves a lot
to be desired unfortunately.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
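The configuration Stefan describes, written out as an added illustration (not from the original post, and untested on SRX, as he says): two `security ipsec vpn` entries share one IKE gateway and one st0 unit, each carrying its own proxy-identity pair, with BGP permitted inbound on the tunnel zone so the local BGP session is accepted. All addresses, names and the existence of `ike-pol`/`ipsec-pol` are assumptions; the snippet also assumes the platform accepts two VPNs bound to the same st0 unit.

```junos
## Shared IKE gateway (ike-pol and ipsec-pol are assumed to exist already)
set security ike gateway cisco-gw ike-policy ike-pol
set security ike gateway cisco-gw address 203.0.113.10
set security ike gateway cisco-gw external-interface ge-0/0/0.0

## AutoKey entry 1: LAN-to-LAN proxy-ID pair (matches the Cisco crypto ACL)
set security ipsec vpn cisco-lan-vpn bind-interface st0.0
set security ipsec vpn cisco-lan-vpn ike gateway cisco-gw
set security ipsec vpn cisco-lan-vpn ike proxy-identity local 10.1.1.0/24
set security ipsec vpn cisco-lan-vpn ike proxy-identity remote 10.2.2.0/24
set security ipsec vpn cisco-lan-vpn ike proxy-identity service any
set security ipsec vpn cisco-lan-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn cisco-lan-vpn establish-tunnels immediately

## AutoKey entry 2: host-to-host proxy-ID pair for the BGP session itself,
## bound to the same gateway and the same st0 unit
set security ipsec vpn cisco-bgp-vpn bind-interface st0.0
set security ipsec vpn cisco-bgp-vpn ike gateway cisco-gw
set security ipsec vpn cisco-bgp-vpn ike proxy-identity local 192.0.2.1/32
set security ipsec vpn cisco-bgp-vpn ike proxy-identity remote 192.0.2.2/32
set security ipsec vpn cisco-bgp-vpn ike proxy-identity service any
set security ipsec vpn cisco-bgp-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn cisco-bgp-vpn establish-tunnels immediately

## Tunnel interface addressing (BGP peers on 192.0.2.1 <-> 192.0.2.2)
set interfaces st0 unit 0 family inet address 192.0.2.1/30

## st0 in its own zone; BGP must be allowed inbound or the peering never comes up
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic protocols bgp
```

After commit, `show security ipsec security-associations` should list one Phase 2 SA per VPN entry; if only the first appears, the second proxy-ID pair did not negotiate and the Cisco crypto ACL should be compared against both pairs.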