[j-nsp] JunOS route-based VPN: multiple st interfaces

Adam Leff adam at leff.co
Mon Nov 29 21:45:09 EST 2010


I believe you need to look into NHTB (Next-Hop Tunnel Binding) that will
allow you to use the one st0.0 interface but bind multiple tunnels.

Check out the following doc:


On Mon, Nov 29, 2010 at 7:51 PM, Jonathan Lassoff <jof at thejof.com> wrote:

> I'm trying to setup an SRX in my office as a branch office with two
> ISP connections, and I'd like to run an IPSec path over each back to
> our datacenter. Ideally, I could terminate each tunnel on a separate
> st0 unit (ifl's of st0.0 and st0.1), but it seems that JunOS will only
> try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
> second bound to st0.1, but it would never even try to send IKE traffic
> to start the connection.
> So, I've got some failover working now by doing hub-and-spoke (in a
> bit of a reverse fashion: one device at the datacenter, two paths to
> the branch device) style config -- both VPNs are tied to st0.0 which
> is configured as a multipoint interface. My only trouble now is
> directing st0.0 traffic down a specific interface, it seems like there
> isn't a way to tell it which VPN tunnel to prefer for sending traffic
> down.
> Any ideas or opinions on what the right way to do this is? I feel like
> two separate st0 units makes the most sense, but it's stumping me as
> to why it never tries to establish a session.
> Cheers,
> jof
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list