[j-nsp] SRX Site-to-Site Question

Pavel Lunin plunin at senetsy.ru
Sat Jan 21 03:47:47 EST 2012


> In my experience, I have used a loopback interface address of the SRX as
> the destination of the GRE tunnel on both sides then just send the /32
> route of the loopback at the other end to the st0.0 address.
>

One important thing here. When you use a loopback for IPsec, GRE, iBGP or
any other sort of peering, you must keep in mind that the traffic by default is
first considered to be transit, in contrast to direct interface peering,
where it's considered local right after it enters the physical interface.
So for loopbacks (or any other interface except the one the packets
come through) you either need to correctly pass packets through the firewall
engine (policy-shmolisy, flow sessions, etc.) or explicitly bypass it using
selective stateless filtering. This is true both for JUNOS Voyager (SRX/J)
and ScreenOS (if someone remembers that thing), except ScreenOS can (or
could? :) not do stateless.
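As an added illustration of the two options described in the post (this is not configuration from the post's author or from Juniper documentation), the fragment below sketches both ways of handling GRE that terminates on lo0.0 of an SRX. Zone names (untrust, loopback), the interface ge-0/0/0, the filter name gre-bypass and the peer address 192.0.2.1 are assumptions chosen for the example; the predefined application junos-gre and the packet-mode filter action are real Junos names.

```junos
/* Option 1: let the GRE packets go through the flow engine. */
/* lo0.0 sits in its own zone, so untrust -> loopback traffic is */
/* subject to a security policy and creates a flow session. */
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone loopback {
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            bgp;    /* iBGP over the tunnel endpoint */
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone untrust to-zone loopback {
            policy allow-gre-from-peer {
                match {
                    source-address any;      /* example: narrow to the peer address book entry in practice */
                    destination-address any;
                    application junos-gre;
                }
                then {
                    permit;
                }
            }
        }
    }
}

/* Option 2: selective stateless bypass of the flow engine. */
/* Packets matching the term are handled in packet mode and never */
/* create a session; everything else still goes through flow. */
firewall {
    family inet {
        filter gre-bypass {
            term gre-from-peer {
                from {
                    source-address {
                        192.0.2.1/32;        /* assumed peer tunnel endpoint */
                    }
                    protocol gre;
                }
                then {
                    packet-mode;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input gre-bypass;
                }
            }
        }
    }
}
```

Only one of the two options is needed for a given tunnel. With option 1 the session table shows the GRE flow and the policy counters confirm it is being matched; with option 2 the term counter on gre-bypass is the thing to check, since no session will exist for the bypassed packets.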

