[j-nsp] M-series IPSEC / SP interface and VRF
Scott Harvanek
scott.harvanek at login.com
Sat Nov 9 12:58:29 EST 2013
Is there a way to build an IPSec tunnel / service interface where the
local gateway is NOT in the same routing-instance as the service interface?
Here's what I'm trying to do:
[ router A (SRX) ] == Switch / IS-IS mesh == [ router B m10i ]
[ st0.0 / VRF ] ================= [ sp-0/0/0.0 / VRF ]
The problem is, I want sp-0/0/0.0 on router B in a VRF but NOT the
outside interface on router B. I cannot commit unless the
outside/local-gateway on the IPSec tunnel is in the same
routing-instance as the service interface. Is there a way around this?
The SRX devices can do this without issue.
service-set XXXX {
    interface-service {
        service-interface sp-0/0/0.0;   <-- want this in a VRF
    }
    ipsec-vpn-options {
        local-gateway x.x.x.x;          <-- default routing instance
    }
    ipsec-vpn-rules XXXX;
}
--
Scott H.