[j-nsp] JunOS route-based VPN: multiple st interfaces

Jonathan Lassoff jof at thejof.com
Tue Nov 30 03:58:45 EST 2010

On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <adam at leff.co> wrote:
> Also, for what it's worth, I do have multiple logical interfaces under st0
> (i.e. st0.0 and st0.1) and it is working without requiring NHTB.

Without NHTB? So the "security ipsec vpn XXX" hierarchy has a
"bind-interface" statement, but the iff hierarchy under st0 *doesn't*
have a "next-hop-tunnel" statement?

> Do you have all the pre-requisites set up?  i.e. st0.1 in the proper
> security zone, a route pointed down st0.1 for the traffic to be tunneled,
> etc.?

I'm pretty sure everything looks right (but just to me, so it's
certainly possible that there's a bug or two in my config). st0.1 is
in a security zone that has policies to permit vpn-monitor ICMP
traffic, and I'm not even routing over the st0.1 interface yet, just
pinging the remote end.


More information about the juniper-nsp mailing list