[j-nsp] SRX - policy based vpn question in a hub-spoke configuration

Matt Yaklin myaklin at g4.net
Fri May 27 11:43:17 EDT 2011

Hi all,

Is it still a true statement that SRXs cannot properly do a policy based
vpn in a hub and spoke configuration? As in, if the SRX is in the hub
position it fails to route packets from a remote site to another remote
site when using policy based VPNs?

I found a post on juniper.net's forum and I wanted to double check this
statement below with folks here.

"Aweck is correct. Policy-based VPNs don't work in hub and spoke precisely 
due to no way to perform two policy lookups for same packet traversing the 
box. Also you can do a route-based on one side and a policy-based on the 
other. The method that is used is primarily to determine what traffic 
needs to be encrypted and each endpoint may make that determination which 
ever way it needs to. So you can do route-based on SRX side and keep Cisco 
as policy-based. Just remember that SRX will use proxy-id as all zeroes. 
So you will need to manually specify the proxy-id in VPN configs to match 
what Cisco is expecting."

If that is still true I have to wonder why TAC did not tell us that from
the get go. I also find it sad that one cannot just replace a Cisco ASA
head end unit with a SRX as a drop in replacement due to the fact some
customers use cheaper remote vpn routers like netgear which support
policy based vpns but not route-based.

Does anyone know of a work around to make it work?



More information about the juniper-nsp mailing list