[j-nsp] Policy-based IPSec tunnel and static routing

Michael Hallgren m.hallgren at free.fr
Thu Nov 21 10:54:41 EST 2013


On 21/11/2013 16:28, Per Westerlund wrote:
> Sorry, no automatic route-injection with SRX and policy-based IPsec VPN. The traffic has to be made to "hit" the security policy rules that allow the tunnel traffic, and that is normally done manually.

I see. Explains what I saw then.

Thanks, kind regards,

mh
>
> /Per
>
> On 21 Nov 2013 at 16:17, Michael Hallgren <m.hallgren at free.fr> wrote:
>
>> Hi,
>>
>> I ran into the following:
>>
>> In a pretty much standard setup of a policy-based IPSec VPN between an
>> SRX and a Cisco ASA, pinging a destination behind the SRX worked just
>> fine from behind the ASA; the other way around didn't. Had a few static
>> routes set, among them a 0/0 pointing in the direction of the ASA, and a
>> 10/8 pointing at SRX customers. The host behind the ASA that I couldn't
>> ping was in 10/24, say. Adding a static route 10/24 pointing at the ASA (not
>> at the tunnel endpoint), fixed the flow from SRX to ASA.
>>
>> Was under the impression that policy-based setup is supposed to handle
>> static route injection "auto-magically." What am I missing?
>>
>> Cheers,
>>
>> mh
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
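
Why the extra static route was needed, as an added sketch that is not part of the thread: a simplified model in which the route lookup picks the egress zone and the zone-pair policy is evaluated only afterwards. The prefixes, zone names, next-hop labels and the single tunnel policy are constructed assumptions, not values from the posts.

```python
import ipaddress

# Constructed model of the thread's setup; prefixes, zone names and
# next-hop labels are assumptions, not values from the original posts.
ROUTES = [
    ("0.0.0.0/0", "asa-side", "untrust"),   # default route toward the ASA
    ("10.0.0.0/8", "customers", "trust"),   # aggregate toward SRX customers
]
# Policy-based VPN: only this zone pair and destination carry a tunnel action.
POLICIES = [
    {"from": "trust", "to": "untrust", "dst": "10.1.1.0/24", "action": "tunnel"},
]

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, egress_zone)."""
    addr = ipaddress.ip_address(dst)
    best = max(
        (r for r in routes if addr in ipaddress.ip_network(r[0])),
        key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
        default=None,
    )
    return (best[1], best[2]) if best else (None, None)

def forward(routes, src_zone, dst):
    """Route first to learn the egress zone, then evaluate the zone-pair policy."""
    next_hop, dst_zone = lookup(routes, dst)
    if dst_zone is None:
        return "drop: no route"
    for p in POLICIES:
        if (p["from"], p["to"]) == (src_zone, dst_zone) and \
                ipaddress.ip_address(dst) in ipaddress.ip_network(p["dst"]):
            return f"{p['action']} via {next_hop}"
    return f"no tunnel policy for {src_zone}->{dst_zone} (next hop {next_hop})"

REMOTE_HOST = "10.1.1.20"  # constructed host behind the ASA

# With only 0/0 and 10/8, the 10/8 route wins and the packet never
# reaches the trust->untrust policy that holds the tunnel action.
before = forward(ROUTES, "trust", REMOTE_HOST)
# A more specific static route toward the ASA side changes the egress zone.
after = forward(ROUTES + [("10.1.1.0/24", "asa-side", "untrust")],
                "trust", REMOTE_HOST)

if __name__ == "__main__":
    print("before:", before)
    print("after: ", after)
```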


