[j-nsp] SRX100 for dual 100M uplink routing network in packet mode.

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 28 07:40:11 EST 2012


On 28/11/12 11:24, Mike Williams wrote:
> On Tuesday 27 November 2012 23:08:04 Michel de Nostredame wrote:
>> PS: I just got an SRX100 and am going to do some POC with
>> selective-packet-mode. Basically I want to route my traffic into GRE
>> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
>> site in flow-mode because IPsec needs flow module. Hopefully this can
>> suppress my session-table usage to only one for two records. I hate
>> flow-mode JUNOS for a long long long time since J-series, but the SRX
>> prices are simply irresistible.
>
> Michel,
> We wanted to do that with some SRX650s.
> Doesn't work. Sorry.
>
> Seems like some flag is on the packet saying it's packet-mode, which isn't
> removed/reset when it's wrapped in a GRE header, so IPSec sees a packet-mode
> packet and drops it.
>
> This was with 10.4R6.5, we didn't get the chance to try anything newer.


Have you seen this:

http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf

I have successfully used an SRX 210 in packet mode and flow mode, to do 
MPLS-over-GRE-over-IPSEC.

