[j-nsp] M-series IPSEC / SP interface and VRF

Alex Arseniev alex.arseniev at gmail.com
Tue Nov 12 13:24:37 EST 2013


So, if I understand Your requirement, You want sp-0/0/0.<unit> in VRF, 
correct?
And outgoing GE interface in inet.0?
And where the decrypted packets should be placed, inet.0 or VRF?
And where from the to-be-encrypted packets should arrive, from inet.0 or VRF?
If the answer is "correct/inet.0/VRF/VRF" then migrate to next-hop-style 
IPSec and place inside sp-* unit into the VRF leaving outside sp-* unit 
in inet.0.
HTH
Thanks
Alex

On 12/11/2013 16:35, Scott Harvanek wrote:
> Alex,
>
> Yea, tried this but it looks like you can't set it to the default 
> inet.0 instance, only to things different... the local gw in my case 
> is in the default instance and I want the service interface in another 
> so unless I'm mistaken it's in default by default and this fails?
>
> Scott H.
>
> On 11/12/13, 11:22 AM, Alex Arseniev wrote:
>> Yes
>>
>> [edit]
>> aarseniev at m120# set services service-set SS1 ipsec-vpn-options 
>> local-gateway ?
>> Possible completions:
>>   <address>            Local gateway address
>>   routing-instance     Name of routing instance that hosts local 
>> gateway <=====!!!! CHECK THIS OUT!!!
>> aarseniev at m120> show version
>> Hostname: m120
>> Model: m120
>> JUNOS Base OS boot [10.4S7.1]
>>
>> HTH
>> Thanks
>> Alex
>>
>> On 12/11/2013 16:05, Scott Harvanek wrote:
>>> Anyone with any ideas on this?
>>>
>>> Scott H.
>>>
>>> On 11/9/13, 12:58 PM, Scott Harvanek wrote:
>>>> Is there a way to build an IPSec tunnel / service interface where 
>>>> the local gateway is NOT in the same routing-instance as the 
>>>> service interface?
>>>>
>>>> Here's what I'm trying to do;
>>>>
>>>> [ router A (SRX) ] == Switch / IS-IS mesh == [ router B m10i ]
>>>> [ st0.0 / VRF ] ================= [ sp-0/0/0.0 / VRF ]
>>>>
>>>> The problem is, I want sp-0/0/0.0 on router B in a VRF but NOT the 
>>>> outside interface on router B, I cannot commit unless the 
>>>> outside/local-gateway on the IPSec tunnel is in the same 
>>>> routing-instance as the service interface, is there a way around 
>>>> this? The SRX devices can do this without issue.
>>>>
>>>> service-set XXXX {
>>>>     interface-service {
>>>>         service-interface sp-0/0/0.0; <-- want this in a VRF
>>>>     }
>>>>     ipsec-vpn-options {
>>>>         local-gateway x.x.x.x; <-- default routing instance
>>>>     }
>>>>     ipsec-vpn-rules XXXX;
>>>> }
>>>>
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp

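A next-hop-style service set of the kind Alex recommends, as an added example that is not from any poster in the thread: the service-set name SS1 and rule-set name XXXX come from the thread, while VRF-A, the sp unit numbers, the route-distinguisher/vrf-target and the 192.0.2.0/24 prefix are placeholders.

```junos
interfaces {
    sp-0/0/0 {
        /* unit 0: management/control unit, stays in inet.0 */
        unit 0 {
            family inet;
        }
        /* unit 1: inside (cleartext) side, placed in the VRF below */
        unit 1 {
            family inet;
            service-domain inside;
        }
        /* unit 2: outside (ESP) side, left in inet.0 with the GE uplink */
        unit 2 {
            family inet;
            service-domain outside;
        }
    }
}
services {
    service-set SS1 {
        next-hop-service {
            inside-service-interface sp-0/0/0.1;
            outside-service-interface sp-0/0/0.2;
        }
        ipsec-vpn-options {
            /* local gateway address is in the default instance (inet.0) */
            local-gateway x.x.x.x;
        }
        ipsec-vpn-rules XXXX;
    }
}
routing-instances {
    /* VRF-A, route-distinguisher and vrf-target are placeholder values */
    VRF-A {
        instance-type vrf;
        interface sp-0/0/0.1;
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
        routing-options {
            static {
                /* remote cleartext prefix (placeholder): pointing it at the
                   inside unit hands it to the PIC for encryption; the ESP
                   packets then leave via sp-0/0/0.2 into inet.0 */
                route 192.0.2.0/24 next-hop sp-0/0/0.1;
            }
        }
    }
}
```

The IKE/IPsec proposals, policies and the XXXX rule set are omitted here. With this layout decrypted traffic enters VRF-A through sp-0/0/0.1, while encrypted traffic arrives and departs in inet.0 through sp-0/0/0.2 and the GE uplink.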