[j-nsp] SRX100 for dual 100M uplink routing network in packetmode.
Caillin Bathern
caillinb at commtelns.com
Wed Nov 28 07:43:26 EST 2012
Hi Mike,
I must disagree here. Although I never verified it myself, a Juniper
engineer I know did show me some in-production configurations showing
MPLS over GRE over IPSec on a single branch router (I think J, not SRX),
so it is possible. This was on 10.3R1.9. You must use the lt-0/0/0
interface to send the GRE packets into a separate virtual router for
encryption/transport over IPSec, as this clears the packet-mode flag.
Cheers,
Caillin
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Mike Williams
Sent: Wednesday, 28 November 2012 10:25 PM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX100 for dual 100M uplink routing network in
packetmode.
On Tuesday 27 November 2012 23:08:04 Michel de Nostredame wrote:
> PS: I just got a SRX100 and am going to do some POC with
> selective-packet-mode. Basically I want to route my traffic into GRE
> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
> site in flow-mode because IPsec needs flow module. Hopefully this can
> suppress my session-table usage to only one for two records. I hate
> flow-mode JUNOS for a long long long time since J-series, but the SRX
> prices are simply irresistible.
Michel,
We wanted to do that with some SRX650s.
Doesn't work. Sorry.
Seems like some flag is on the packet saying it's packet-mode, which
isn't removed/reset when it's wrapped in a GRE header, so IPSec sees a
packet-mode packet and drops it.
This was with 10.4R6.5, we didn't get the chance to try anything newer.
--
Mike Williams