[j-nsp] M-series IPSEC / SP interface and VRF
Scott Harvanek
scott.harvanek at login.com
Tue Nov 12 13:34:56 EST 2013
Yep excellent, I'll give it a whirl, thanks!
Scott H.
On 11/12/13, 1:24 PM, Alex Arseniev wrote:
> So, if I understand Your requirement, You want sp-0/0/0.<unit> in VRF,
> correct?
> And outgoing GE interface in inet.0?
> And where the decrypted packets should be placed, inet.0 or VRF?
> And where from the to-be-ecrypted packets should arrive, from inet.0
> or VRF?
> If the answer is "correct/inet.0/VRF/VRF" then migrate to
> next-hop-style IPSec and place inside sp-* unit into the VRF leaving
> outside sp-* unit in inet.0.
> HTH
> Thanks
> Alex
>
> On 12/11/2013 16:35, Scott Harvanek wrote:
>> Alex,
>>
>> Yea, tried this but it looks like you can't set it to the default
>> inet.0 instance, only to things different... the local gw in my case
>> is in the default instance and I want the service interface in
>> another so unless I'm mistaken it's in default by default and this
>> fails?
>>
>> Scott H.
>>
>> On 11/12/13, 11:22 AM, Alex Arseniev wrote:
>>> Yes
>>>
>>> [edit]
>>> aarseniev at m120# set services service-set SS1 ipsec-vpn-options
>>> local-gateway ?
>>> Possible completions:
>>> <address> Local gateway address
>>> routing-instance Name of routing instance that hosts local
>>> gateway <=====!!!! CHECK THIS OUT!!!
>>> aarseniev at m120> show version
>>> Hostname: m120
>>> Model: m120
>>> JUNOS Base OS boot [10.4S7.1]
>>>
>>> HTH
>>> Thanks
>>> Alex
>>>
>>> On 12/11/2013 16:05, Scott Harvanek wrote:
>>>> Anyone with any ideas on this?
>>>>
>>>> Scott H.
>>>>
>>>> On 11/9/13, 12:58 PM, Scott Harvanek wrote:
>>>>> Is there a way to build a IPSec tunnel / service interface where
>>>>> the local gateway is NOT in the same routing-instance as the
>>>>> service interface?
>>>>>
>>>>> Here's what I'm trying to do;
>>>>>
>>>>> [ router A (SRX) ] == Switch / IS-IS mesh == [ router B m10i ]
>>>>> [ st0.0 / VRF ] ================= [ sp-0/0/0.0 / VRF ]
>>>>>
>>>>> The problem is, I want sp-0/0/0.0 on router B in a VRF but NOT the
>>>>> outside interface on router B, I cannot commit unless the
>>>>> outside/local-gateway on the IPSec tunnel is in the same
>>>>> routing-instance as the service interface, is there a way around
>>>>> this? The SRX devices can do this without issue.
>>>>>
>>>>> service-set XXXX {
>>>>> interface-service {
>>>>> service-interface sp-0/0/0.0; <-- want this in a VRF
>>>>> }
>>>>> ipsec-vpn-options {
>>>>> local-gateway x.x.x.x; <-- default routing instance
>>>>> }
>>>>> ipsec-vpn-rules XXXX
>>>>> }
>>>>>
>>>>
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list