[j-nsp] IPSec Tunnel between Remote office and main Office

Muhammad Atif Jauhar atif.jauhar at gmail.com
Tue Feb 19 05:16:30 EST 2013


Hi,

One of our clients currently has the topology below to connect all remote sites
to the main office.



Remote Site-1(SRX240) ----------------------E1----------------- Router --------------GE----------------- Main Office (SRX 650)
                                                                   |
                                                                   |
                                                                   |
Remote Site-x(SRX240) ----------------------E1------------------------

Following are the other parts of the configuration:

1. All devices are running RIP because the Router is very old and needs an
extra support license for OSPF.
2. A route-based IPSec tunnel is configured between both Remote site SRX240
and SRX650.
3. All E1 links on the remote side and the Ge link between SRX650 are in the
Untrust Zone.
4. All st interfaces are in the VPN Zone, LAN interfaces are in the Trust Zone.
5. Policies are allowed between different sources and destinations between
the VPN and Trust Zones.
6. Traffic is denied between the Untrust and VPN/Trust Zones.

The client wants to remove the Router from the topology and connect the E1
links on SRX650.

We have performed the following steps to migrate one link for testing:

1. Remove the E1 link from the router and connect it to SRX650.
2. Put the above E1 link in RIP and the Untrust Zone.
3. Put Routing Policies on the SRX650 E1 link in RIP to stop learning the Trust
subnets of the remote office from the E1 link, so that routes will only be
learned from the St link.
4. We didn't change any VPN configuration on either side, and the IPSec tunnel
comes up and traffic is also passing.
           The external interface in the VPN configuration on SRX650 is still
the Ge interface.
           The VPN IKE Gateway on the Remote site is the same Ge interface IP
on SRX650.

We observe the following thing:





-- 
Regards,

Muhammad Atif Jauhar
(+966-56-00-04-985)

