[j-nsp] SRX - multipoint st0 tunnel interface and static route

Per Westerlund p1 at westerlund.se
Fri Sep 14 12:33:49 EDT 2012 

Note that in this specific case, it is not two different remote sites but one remote site with a single address space. The problem is that we locally have two networks, and the other side can only do policy based tunnels.

There are two ways to solve this:

1) Use policy based VPN as well. Works well, but hides the routing in the policies.

2) User tunnel interfaces and solve the egress problem with FBF/SBR. More complex setup, but obvious routing.

I personally prefer tunnel interfaces all the time (almost) because then the routing part and the firewall/policy part are separated. You can always do a "show route <prefix>" and se what is going on (barring NAT, of course). However, you end up with a separate local routing instance for each distinct local prefix.

In this specific case (not in general) I would try to talk to the other side and see if they can change their setup to use 10.1.0.0/16 in their Proxy-ID. Then the problem would be solved! One proxy-ID, one tunnel, no FBF/SBR.

/Per

14 sep 2012 kl. 18:17 skrev Mark Menzies:

> Yup, what he said  :)
> 
> It will mean though that you will need 2 tunnel interfaces to place into 2 different routing instances.
> 
> This can be a little complicated but we dont really have many options if the 2 remote sites have the same addressing scheme.
> 
> HTH
> 
> On 14 September 2012 15:59, Per Westerlund <p1 at westerlund.se> wrote:
> Yes, static routes work. What happens is that you put the two tunnels in different routing instances. The static route/routes used in each routing instance are completely independent of each other.
> 
> /Per
> 
> 14 sep 2012 kl. 15:55 skrev pkc_mls:
> 
> > Le 14/09/2012 2:55, Per Westerlund a écrit :
> >> The only way to handle this that I know of is FBF, in this case to implement source-based-routing. You have to pick a different tunnel depending on which source address you see.
> >>
> >> I don't have access to my systems right now so I can't send an example, but there are plenty of examples on either in Juniper KB or Juniper forums. The common use case is with 2 default routes to 2 different ISPs, and having to chose one or the other based on what local IP address is used.
> >>
> >> /Per Westerlund
> >>
> >>
> > Do you know if the static nat will work in such a scenario, because I have a lot of static nat rules configured
> > for traffic through this tunnel ?
> >
> > It becomes complicated for a simple multi proxy ID configuration.
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list