[j-nsp] JunOS route-based VPN: multiple st interfaces

Adam Leff adam at leff.co
Mon Nov 29 21:49:47 EST 2010


Also, for what it's worth, I do have multiple logical interfaces under st0
(i.e. st0.0 and st0.1) and it is working without requiring NHTB.  This is on
a J-series running 9.6R4.4, not an SRX, so I can't speak to your specific
setup.

Do you have all the prerequisites set up? i.e. st0.1 in the proper
security zone, a route pointed down st0.1 for the traffic to be tunneled,
etc.?

~Adam

On Mon, Nov 29, 2010 at 9:45 PM, Adam Leff <adam at leff.co> wrote:

> Jonathan-
>
> I believe you need to look into NHTB (Next-Hop Tunnel Binding) that will
> allow you to use the one st0.0 interface but bind multiple tunnels.
>
> Check out the following doc:
> http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40796.html
>
> ~Adam
>
>
> On Mon, Nov 29, 2010 at 7:51 PM, Jonathan Lassoff <jof at thejof.com> wrote:
>
>> I'm trying to set up an SRX in my office as a branch office with two
>> ISP connections, and I'd like to run an IPSec path over each back to
>> our datacenter. Ideally, I could terminate each tunnel on a separate
>> st0 unit (ifl's of st0.0 and st0.1), but it seems that JunOS will only
>> try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
>> second bound to st0.1, but it would never even try to send IKE traffic
>> to start the connection.
>>
>> So, I've got some failover working now by doing hub-and-spoke (in a
>> bit of a reverse fashion: one device at the datacenter, two paths to
>> the branch device) style config -- both VPNs are tied to st0.0 which
>> is configured as a multipoint interface. My only trouble now is
>> directing st0.0 traffic down a specific interface, it seems like there
>> isn't a way to tell it which VPN tunnel to prefer for sending traffic
>> down.
>>
>> Any ideas or opinions on what the right way to do this is? I feel like
>> two separate st0 units makes the most sense, but it's stumping me as
>> to why it never tries to establish a session.
>>
>> Cheers,
>> jof
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
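As an added illustration (not from Adam's or Jonathan's posts), a constructed Junos configuration fragment covering the prerequisites Adam lists: each tunnel bound to its own st0 unit, both units placed in a security zone, and a static route down each unit with a different preference for failover. Interface names, addresses, prefixes and the pre-shared key are placeholders.

```junos
/* Constructed example: branch device with two ISP uplinks, one IPsec tunnel
   per uplink, each bound to its own st0 unit. All names/addresses are placeholders. */
interfaces {
    st0 {
        unit 0 { family inet; }   /* tunnel via ISP1 */
        unit 1 { family inet; }   /* tunnel via ISP2 */
    }
}
security {
    ike {
        proposal ike-prop {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-pol {
            mode main;
            proposals ike-prop;
            pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK";   /* placeholder */
        }
        /* Same datacenter peer, reached through a different local uplink each time. */
        gateway gw-isp1 { ike-policy ike-pol; address 203.0.113.1; external-interface ge-0/0/0.0; }
        gateway gw-isp2 { ike-policy ike-pol; address 203.0.113.1; external-interface ge-0/0/1.0; }
    }
    ipsec {
        proposal ipsec-prop { protocol esp; authentication-algorithm hmac-sha1-96; encryption-algorithm aes-128-cbc; }
        policy ipsec-pol { proposals ipsec-prop; }
        /* One VPN per st0 unit; "immediately" makes the device initiate IKE
           instead of waiting for interesting traffic to hit the route. */
        vpn vpn-isp1 { bind-interface st0.0; ike { gateway gw-isp1; ipsec-policy ipsec-pol; } establish-tunnels immediately; }
        vpn vpn-isp2 { bind-interface st0.1; ike { gateway gw-isp2; ipsec-policy ipsec-pol; } establish-tunnels immediately; }
    }
    zones {
        /* Both tunnel units must belong to a zone; security policies to/from
           this zone are still required for traffic to pass. */
        security-zone vpn { interfaces { st0.0; st0.1; } }
    }
}
routing-options {
    static {
        /* Datacenter prefix: prefer the ISP1 tunnel, fall back to ISP2
           when st0.0 is down. Lower preference wins. */
        route 10.10.0.0/16 {
            qualified-next-hop st0.0 { preference 5; }
            qualified-next-hop st0.1 { preference 10; }
        }
    }
}
```

Preference-based failover only helps if st0.0 actually goes down when its tunnel fails, which requires enabling `vpn-monitor` under each vpn (not shown here); the datacenter side needs a matching gateway and VPN per branch uplink.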
