[j-nsp] SRX - multipoint st0 tunnel interface and static route

Mark Menzies mark at deimark.net
Fri Sep 14 04:10:04 EDT 2012


Have you set up NHTB?  As the other side is non junos, you will need to set
this up manually.  NHTB allows the SRX to decide which VPN to send the
remote traffic down. I will need to check but I am fairly sure that we will
still need to set up routes for the remote nets to send them to st0.

I take it the other side is just set up as a normal policy type VPN and as
such should be looking for the proxy-IDs you have set?

On 13 September 2012 21:48, pkc_mls <pkc_mls at yahoo.fr> wrote:

> Hi all,
>
> I'm running junos 11.4r5 on an SRX210 device.
>
> I configured a multipoint tunnel interface to bind two IPSEC tunnels to
> the same gateway (as multiple proxy IDs are
> not supported yet). The remote gateway is an old sonicwall, and is not
> capable of route based VPNs.
>
> I tried to setup a static route to the remote network, but the route
> doesn't show up.
>
> I found some threads on juniper forums indicating I was not the only one to
> experience this.
>
> Did anyone find a solution to add a static route via a multipoint tunnel
> interface ?
>
> Is this working on 12.1 ? (I'd like to keep the 11.4, but if 12.1 could
> help ...).
>
>
> my interface configuration :
> root@SRX240# show interfaces st0 unit 0
> multipoint;
> family inet;
>
> my vpn configurations :
> root@SRX240# show security ipsec vpn vpn1
> bind-interface st0.0;
> ike {
>     gateway gw1;
>     proxy-identity {
>         local 10.1.1.0/24;
>         remote 192.168.1.0/28;
>     }
>     ipsec-policy policy1;
> }
>
> root@SRX240# show security ipsec vpn vpn2
> bind-interface st0.0;
> ike {
>     gateway gw1;
>     proxy-identity {
>         local 10.1.2.0/24;
>         remote 192.168.1.0/28;
>     }
>     ipsec-policy policy1;
> }
>
> does anyone know how to configure multiple proxy id or have a static route
> with a multipoint tunnel interface ?
>
> thanks.