[j-nsp] VPN from SRX to Cisco with more than one subnet locally

Anton Yurchenko ayurchenko at gmail.com
Wed Jan 16 11:46:41 EST 2013


The Juniper solution is to either set up multiple tunnels, one for each 
proxy-id, or to convert the remote side to a route-based VPN.
On the Cisco side it is implemented via VTI: for IPSec traffic you have a 
tunnel interface, like a GRE tunnel, and place traffic onto it via routing 
instead of crypto-maps. Very similar to Juniper.
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html
http://x443.wordpress.com/2011/11/03/route-based-vpn-between-juniper-and-cisco/

On 1/16/13 5:25 AM, Robert Hass wrote:
> Hi
>
> I have a VPN between a Cisco 2900 and an SRX 240. The VPN is working well, but the guys
> on the Cisco side would also like to have access to my second subnet,
> 10.16.0.0/24.
>
> How do I handle this on the SRX side? I can have only one position at
> proxy-identity local.
>
> My config:
>
> set security ipsec vpn TEST ike proxy-identity local 10.0.0.0/24
> set security ipsec vpn TEST ike proxy-identity remote 192.168.0.0/24
>
> Cisco NEW config:
>
> access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
> access-list 100 permit ip 192.168.0.0 0.0.0.255 10.16.0.0 0.0.0.255   <-- this added
>
>
> Rob

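The "one tunnel per proxy-id" option from the reply above, as an added example that is not part of the original thread: it reads the Cisco crypto ACL quoted in the question, reports which entries the SRX has no proxy-id for, and prints one proxy-identity pair per entry. The VPN names `TEST-1`, `TEST-2` and all function names are assumptions.

```python
import ipaddress

# Constructed sample: the crypto ACL lines quoted in the thread.
CISCO_ACL = """\
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.16.0.0 0.0.0.255
"""
# Proxy-id pair (local, remote) currently configured on the SRX, per the thread.
SRX_CONFIGURED = {("10.0.0.0/24", "192.168.0.0/24")}


def wildcard_to_prefix(addr, wildcard):
    """Convert a Cisco address and wildcard mask to CIDR notation."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a proxy-id needs contiguous low-order wildcard bits
        raise ValueError(f"wildcard {wildcard} cannot be written as a prefix")
    return str(ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False))


def srx_proxy_ids(acl_text):
    """Return (local, remote) pairs from the SRX point of view.

    Handles 'permit ip <src> <wildcard> <dst> <wildcard>' entries only;
    other entry forms ('host', 'any') are ignored.
    """
    pairs = []
    for line in acl_text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            cisco_local = wildcard_to_prefix(f[4], f[5])
            cisco_remote = wildcard_to_prefix(f[6], f[7])
            # The Cisco source is the SRX remote, and vice versa.
            pairs.append((cisco_remote, cisco_local))
    return pairs


def unmatched(pairs, configured):
    """ACL entries the SRX has no proxy-id for."""
    return [p for p in pairs if p not in configured]


def render(pairs, base="TEST"):
    """One VPN per pair; the names TEST-1, TEST-2, ... are hypothetical."""
    lines = []
    for n, (local, remote) in enumerate(pairs, 1):
        vpn = f"set security ipsec vpn {base}-{n} ike proxy-identity"
        lines += [f"{vpn} local {local}", f"{vpn} remote {remote}"]
    return lines
```

Each generated VPN still needs its own gateway, IPsec policy and interface binding statements, which the thread does not show.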

