[j-nsp] Can I have multiple route-based VPN over multiple st0 interfaces
Hugo Slabbert
hugo at slabnet.com
Thu Nov 2 22:52:49 EDT 2017
On Fri 2017-Nov-03 02:37:30 +0000, M Abdeljawad <eng_mahmood48 at yahoo.com>
wrote:
>Hi
>But the tunnels are peering with non-Juniper firewalls, so I didn't assign
>the st0 interfaces IP addresses. And since all st0 interfaces are
>unnumbered, I think one of them will borrow the external interface IP
>address.
Gotcha. Not a problem:
Just add `family inet` under the st0 units but do not put any addresses on
them. They will be exactly that: IP interfaces with no addresses on them.
They don't pick up any IP address by default. Now, if you're generating IP
unreachables back to the other end, _some_ address will get plopped into
the source IP field, which will follow usual source address selection
criteria for the platform.
If you leave it unnumbered, just put `next-hop st0.x` in your static routes
across the tunnels.
You can actually also cheat and stick whatever /31 you want on there (so
pick something from your internal ranges) and next-hop to an IP in that
subnet (e.g. 192.0.2.0/31 on your side, set 192.0.2.1 as the next-hop for
the route). It's a point-to-point interface, so Junos will just shove the
packet across the interface since it has a connected route for that
next-hop address. The other party doesn't need to have any addresses
configured on a virtual tunnel interface on their end for this to work.
They could even have completely mismatched addresses and it should still
work.
This also means that if you do generate ICMP unreachables back to the other
party across the tunnel, they will be sourced from the IP you stick on the
st0.x interface, in case that helps with any troubleshooting/debugging.
Cheers,
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
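Both variants Hugo describes, side by side, as an added Junos set-style configuration fragment that is not part of the original thread. Unit numbers, the VPN and zone names, the 10.20.x.0/24 remote prefixes and the 192.0.2.0/31 pair are assumptions chosen for illustration; the IKE gateway, proposals and security policies that a working tunnel also needs are left out so the fragment shows only the st0 and routing pieces the post is about.

```junos
# Added example, not from the original thread. Interface units, VPN and
# zone names, 10.20.x.0/24 and 192.0.2.0/31 are assumptions.

# Variant 1: unnumbered st0 unit. `family inet` with no address makes it
# an IP interface that owns no address; the static route names the
# interface itself as next hop.
set interfaces st0 unit 1 description "to peer-a (non-Juniper), unnumbered"
set interfaces st0 unit 1 family inet
set routing-options static route 10.20.1.0/24 next-hop st0.1

# Variant 2: a /31 from your own space on the unit, route pointing at the
# far address of the pair. st0 is point-to-point, so the connected route
# for 192.0.2.0/31 is enough to resolve the next hop; the peer does not
# have to configure 192.0.2.1 anywhere.
set interfaces st0 unit 2 description "to peer-b (non-Juniper), numbered"
set interfaces st0 unit 2 family inet address 192.0.2.0/31
set routing-options static route 10.20.2.0/24 next-hop 192.0.2.1

# One st0 unit per VPN: each IPsec VPN binds to its own unit.
set security ipsec vpn vpn-peer-a bind-interface st0.1
set security ipsec vpn vpn-peer-b bind-interface st0.2

# On SRX the st0 units have to live in a security zone (and be matched by
# policy) before anything is forwarded through them.
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn interfaces st0.2
```

After commit, `show route 10.20.1.0/24` and `show route 10.20.2.0/24` should each resolve to the expected st0 unit; for variant 2 the next hop is 192.0.2.1 via st0.2, and, as the post notes, any ICMP unreachables generated toward peer-b will carry 192.0.2.0 as their source, whereas those toward peer-a follow the platform's normal source-address selection.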