[j-nsp] JunOS route-based VPN: multiple st interfaces

Jonathan Lassoff jof at thejof.com
Mon Nov 29 19:51:05 EST 2010


I'm trying to set up an SRX in my office as a branch office with two
ISP connections, and I'd like to run an IPSec path over each back to
our datacenter. Ideally, I could terminate each tunnel on a separate
st0 unit (IFLs of st0.0 and st0.1), but it seems that JunOS will only
try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
second bound to st0.1, but it would never even try to send IKE traffic
to start the connection.

So, I've got some failover working now by doing hub-and-spoke (in a
bit of a reverse fashion: one device at the datacenter, two paths to
the branch device) style config -- both VPNs are tied to st0.0 which
is configured as a multipoint interface. My only trouble now is
directing st0.0 traffic down a specific interface; it seems like there
isn't a way to tell it which VPN tunnel to prefer for sending traffic
down.

Any ideas or opinions on what the right way to do this is? I feel like
two separate st0 units makes the most sense, but it's stumping me as
to why it never tries to establish a session.

Cheers,
jof

