[j-nsp] VPN from SRX to Cisco with more than one subnet locally

Pavel Lunin plunin at senetsy.ru
Wed Jan 16 12:24:59 EST 2013


16.01.2013 20:46, Anton Yurchenko wrote:
> Juniper's solution is to either set up multiple tunnels, one for each
> proxy-ID, or to convert the remote side to route-based VPN.
> On the Cisco side it is implemented via VTI: for IPsec traffic you have a
> tunnel interface, like a GRE tunnel, and place traffic onto it via routing
> instead of crypto maps. Very similar to Juniper.
> http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html
>
> http://x443.wordpress.com/2011/11/03/route-based-vpn-between-juniper-and-cisco/
>

Although this is pretty obvious and elegant, it's a very common case that
you can't do this for whatever reason. E.g. older IOS could not do VTI
without GRE, but an SRX cluster could not do GRE until very recently; the
remote peer is just too dumb, etc. Sometimes the remote side just won't
switch to route-based because they don't know how to, or it's a NOC shift
with strict config guidelines that they can't break. A very straightforward
workaround for such cases is to add another tunnel to the same peer for
the second pair of subnets. But it requires another global address on
one side.
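The route-based approach discussed in this thread (SRX st0 interface on one side, Cisco VTI on the other, with both remote subnets carried by plain routes instead of per-subnet proxy-IDs) looks like the following. This is an added illustration, not config taken from the original posts or from the linked write-ups; all addresses (198.51.100.1 for the SRX, 203.0.113.2 for the Cisco, 10.1.0.0/16 and 10.2.0.0/16 behind the SRX, 10.20.0.0/16 and 10.30.0.0/16 behind the Cisco), object names, interface names and the placeholder pre-shared key are assumptions chosen for the example.

```text
/* ---- Juniper SRX (Junos structured syntax; values are example assumptions) ---- */
interfaces {
    st0 {
        unit 0 {
            description "route-based tunnel to Cisco";
            family inet;                       /* unnumbered is fine; a /30 is optional */
        }
    }
}
security {
    ike {
        proposal IKE-AES128-SHA1 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy IKE-POL-CISCO {
            mode main;
            proposals IKE-AES128-SHA1;
            pre-shared-key ascii-text "REPLACE-ME";   /* placeholder, not a real key */
        }
        gateway GW-CISCO {
            ike-policy IKE-POL-CISCO;
            address 203.0.113.2;                      /* Cisco public address (assumed) */
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        proposal ESP-AES128-SHA1 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy IPSEC-POL-CISCO {
            proposals ESP-AES128-SHA1;
        }
        vpn VPN-CISCO {
            bind-interface st0.0;
            ike {
                gateway GW-CISCO;
                /* One wildcard proxy-ID. A Cisco VTI negotiates 0.0.0.0/0 <-> 0.0.0.0/0,
                   so one SA pair carries every subnet; no per-subnet tunnels needed. */
                proxy-identity {
                    local 0.0.0.0/0;
                    remote 0.0.0.0/0;
                    service any;
                }
                ipsec-policy IPSEC-POL-CISCO;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn {
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        /* The proxy-ID no longer limits what crosses the tunnel, so restrict
           the subnets here (trust <-> vpn) instead of permitting "any". */
        from-zone trust to-zone vpn {
            policy trust-to-cisco {
                match {
                    source-address [ net-10.1.0.0-16 net-10.2.0.0-16 ];
                    destination-address [ net-10.20.0.0-16 net-10.30.0.0-16 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-options {
    static {
        /* Both remote subnets ride the single tunnel interface. */
        route 10.20.0.0/16 next-hop st0.0;
        route 10.30.0.0/16 next-hop st0.0;
    }
}

! ---- Cisco IOS side (VTI, "tunnel mode ipsec ipv4"; values are example assumptions) ----
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF-SRX
 set transform-set ESP-AES128-SHA1
!
interface Tunnel0
 description route-based tunnel to SRX
 ip unnumbered GigabitEthernet0/1
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-PROF-SRX
!
! Both SRX-side subnets are routes onto the VTI, not crypto-map ACL entries.
ip route 10.1.0.0 255.255.0.0 Tunnel0
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

The address-book entries referenced in the zone policy (net-10.1.0.0-16 and so on) are assumed to be defined separately. Two checks worth doing after committing: `show security ipsec security-associations` on the SRX and `show crypto ipsec sa` on the Cisco should each show a single SA pair with 0.0.0.0/0 identities, and traffic to both remote subnets should be accounted against that one SA. If the Cisco side instead shows per-subnet identities, it is still running a crypto map and the SRX will be back to the proxy-ID mismatch the thread describes.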


More information about the juniper-nsp mailing list