SRX

Hello,

I have tried to figure out by reading the manual, but I am still unsure,so I was hoping to get hold of a valid example.

Situation:

Site a: 1.1.0.0/16 and 2.2.0.0/16 Juniper SRX in chassis cluster, official IP 20.21.22.23

Site b: 3.3.0.0/16 and 4.4.0.0/16 Checkpoint, official IP 24.25.26.27

Need/want to connect over internet using the official IP using VPNs.

We seem to have awoken the strange gods of VPNs,and get security associations using proxyids

using four VPNs,

st0.2 proxy 1.1.0.0 to 3.3.0.0

st0.3 proxy 2.2.0.0 to 3.3.0.0

st0.4 proxy 1.1.0.0 to 4.4.0.0

st0.5 proxy 2.2.0.0 to 4.4.0.0

And using any/any/any policies I can get traffic across the first and third, using static routes like

route 3.3.0.0 next-hop st0.2

route 4.4.0.0 next-hop st0.4

Coming from a screenos background, I thought it would be a not terribly difficult matter to build source routing

steering traffic from 2.2.0.0 to the odd numbered interfaces, but I am stumped.

Do I use policy-filter, routing policies or something else ?

How would such a solution look ?

( Keep in mind, there are actually more than two nets in each direction, but not very many more. ( 3 and 8 ) )

Thankful for any help,

Tommy

you have to use filter based forwarding (this is the policy based routing on junos).

there are some examples on kb.juniper.net (search for srx dual isp and adapt the config).

Hi,

Thanks for your answer.

I will have to read up on what the different commands mean.

Regards,

Tommy

If I recall correctly there is still a limitation on the SRX platform that VPNs must be terminated in the inet routing instance.

The outgoing interface must be in the default routing instance. The tunnel Interface itself (st0.x) can be in a differnet instance.

Regards,

Dominik