[j-nsp] Policy-based IPSec tunnel and static routing

Michael Hallgren m.hallgren at free.fr
Fri Nov 22 15:26:50 EST 2013


Le 22/11/2013 20:41, Klaus Groeger a écrit :
> In policy based VPN just rely on default route, witch points out the
> interface and  zone where the VPN's outgoing interface resides. The
> packets have to hit the policy between the internal and external zone,
> then are injected to the VPN. No additional route is needed.

Hi Klaus,

OK, but does it rely on 0/0 _only_. What I saw appears to be a counter
example, in the context of
internal static route set and external route being a subnetwork of this
internal one. ;-)

Cheers,

mh
 
>
> Klaus
>> Sent from Mailbox <https://www.dropbox.com/mailbox> for iPhone
>
>
> On Thu, Nov 21, 2013 at 4:29 PM, Per Westerlund <p1 at westerlund.se
> <mailto:p1 at westerlund.se>> wrote:
>
>     Sorry, no automatic route-injection with SRX and policy-based
>     IPsec VPN. The traffic has to be made to "hit" the security policy
>     rules that allows the tunnel traffic, and that is normally manually.
>
>     /Per
>
>     21 nov 2013 kl. 16:17 skrev Michael Hallgren <m.hallgren at free.fr>:
>
>     > Hi,
>     >
>     > I ran into the following:
>     >
>     > In a pretty much standard setup of a policy-based IPSec VPN
>     between a
>     > SRX and a cisco ASA, pinging destination behind the SRX worked just
>     > fine from behind the ASA, the other way around didn't. Had few
>     static
>     > routes set, among them a 0/0 pointing in the direction of the
>     ASA, and a
>     > 10/8 pointing at SRX customers. The host behind the ASA, that I
>     couldn't
>     > ping was in 10/24, say. Adding a static route 10/24 pointing at
>     the ASA (not
>     > at the tunnel endpoint), fixed the flow from SRX to ASA.
>     >
>     > Was under the impression that policy-based setup is supposed to
>     handle
>     > static route injection "auto-magically." What am I missing?
>     >
>     > Cheers,
>     >
>     > mh
>     > _______________________________________________
>     > juniper-nsp mailing list juniper-nsp at puck.nether.net
>     > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>     _______________________________________________
>     juniper-nsp mailing list juniper-nsp at puck.nether.net
>     https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>



More information about the juniper-nsp mailing list