[j-nsp] Policy-based IPSec tunnel and static routing

Klaus Groeger klauzi at gmail.com
Fri Nov 22 14:41:12 EST 2013


In a policy-based VPN just rely on the default route, which points out the interface and zone where the VPN's outgoing interface resides. The packets have to hit the policy between the internal and external zone, then are injected into the VPN. No additional route is needed.
Klaus


On Thu, Nov 21, 2013 at 4:29 PM, Per Westerlund <p1 at westerlund.se> wrote:

> Sorry, no automatic route-injection with SRX and policy-based IPsec VPN. The traffic has to be made to "hit" the security policy rules that allows the tunnel traffic, and that is normally manually.
> /Per
> 21 nov 2013 kl. 16:17 skrev Michael Hallgren <m.hallgren at free.fr>:
>> Hi,
>> 
>> I ran into the following:
>> 
>> In a pretty much standard setup of a policy-based IPSec VPN between a
>> SRX and a cisco ASA, pinging destination behind the SRX worked just
>> fine from behind the ASA, the other way around didn't. Had few static
>> routes set, among them a 0/0 pointing in the direction of the ASA, and a
>> 10/8 pointing at SRX customers. The host behind the ASA, that I couldn't
>> ping was in 10/24, say. Adding a static route 10/24 pointing at the ASA (not
>> at the tunnel endpoint), fixed the flow from SRX to ASA.
>> 
>> Was under the impression that policy-based setup is supposed to handle
>> static route injection "auto-magically." What am I missing?
>> 
>> Cheers,
>> 
>> mh
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
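An added configuration sketch of what Klaus and Per describe, not taken from the thread or from any of the posters; all interface, zone, address, proposal and policy names are assumptions chosen for the example. It shows that the only route the tunnel traffic needs on the SRX is the default route out of the untrust interface; the trust-to-untrust policy with a tunnel action is what places the packet into the IPsec SA.

```junos
## Added example, not from the thread. Assumed layout: local LAN 10.1.0.0/24
## in zone trust behind ge-0/0/1, ISP next hop 203.0.113.1 on ge-0/0/0 in
## zone untrust, ASA peer 198.51.100.2 with 10.2.0.0/24 behind it.

## The default route is the only route the VPN traffic needs: it steers the
## packet toward the untrust zone so that the tunnel policy below is consulted.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

## IKE / IPsec. Policy-based: no st0 interface and no bind-interface under the vpn.
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group14
set security ike proposal ike-prop authentication-algorithm sha-256
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-PSK"
set security ike gateway gw-asa ike-policy ike-pol
set security ike gateway gw-asa address 198.51.100.2
set security ike gateway gw-asa external-interface ge-0/0/0.0
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn vpn-asa ike gateway gw-asa
set security ipsec vpn vpn-asa ike ipsec-policy ipsec-pol

set security address-book global address local-lan 10.1.0.0/24
set security address-book global address asa-lan 10.2.0.0/24

## Outbound: routed toward untrust by 0/0, then matched here and tunnelled.
set security policies from-zone trust to-zone untrust policy to-asa match source-address local-lan
set security policies from-zone trust to-zone untrust policy to-asa match destination-address asa-lan
set security policies from-zone trust to-zone untrust policy to-asa match application any
set security policies from-zone trust to-zone untrust policy to-asa then permit tunnel ipsec-vpn vpn-asa
set security policies from-zone trust to-zone untrust policy to-asa then permit tunnel pair-policy from-asa

## Inbound: decrypted traffic from behind the ASA must hit the paired policy.
set security policies from-zone untrust to-zone trust policy from-asa match source-address asa-lan
set security policies from-zone untrust to-zone trust policy from-asa match destination-address local-lan
set security policies from-zone untrust to-zone trust policy from-asa match application any
set security policies from-zone untrust to-zone trust policy from-asa then permit tunnel ipsec-vpn vpn-asa
set security policies from-zone untrust to-zone trust policy from-asa then permit tunnel pair-policy to-asa
```

The failure Michael hit follows from this: a more specific route that covers the remote subnet but points into another zone (the 10/8 toward SRX customers in his case) wins on longest match, so the packet never reaches the trust-to-untrust policy and is never tunnelled, which is why a 10/24 route back toward the ASA's direction fixed it.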