[j-nsp] SRX/J VPN BGP with multiple proxy-ids

Stefan Fouant sfouant at shortestpathfirst.net
Wed Feb 3 22:27:35 EST 2010


> -----Original Message-----
> From: Michael Dale [mailto:mdale at dalegroup.net]
> Sent: Wednesday, February 03, 2010 10:15 PM
> To: Stefan Fouant
> Cc: 'Brandon Bennett'; 'juniper-nsp'
> Subject: Re: [j-nsp] SRX/J VPN BGP with multiple proxy-ids
> 
> 	Somebody needs to open an enhancement request to allow multiple
> 	Proxy-IDs to be configured for a Route-based VPN.
> 
> 
> This was added in ScreenOS 6.3
> 
> 
> http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_rn_r2.pdf
> "Support for Multiple Proxy IDs Over Route-Based VPN-ScreenOS 6.3.0
> supports multiple proxy IDs on a route-based VPN. If multiple tunnels
> exist between peers, the security device uses proxy IDs to route the
> traffic through a particular tunnel. For each proxy ID, a specific
> tunnel and Phase 2 SA are associated. When traffic matching a proxy ID
> arrives, the security device does a proxy-ID check to route that
> traffic. If multiple proxy IDs are defined for a route-based VPN, a
> proxy ID check is always performed, even if it is disabled. In a hub-
> and-spoke topology, proxy IDs should be defined for both hub-to-spoke
> and spoke-to-spoke configurations."
> 
> 
> Not sure about the SRX unfortunately.

Yep, I'm aware of support for that in ScreenOS 6.3.  My good friend Joe Kim
was actually the one who put in that ER back in 2007... glad to see they
finally added it.

Now let's see how long they take to add that support in SRX. ;)

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D


