SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Multi-proxy IDS on route based VPN (SRX)

    Posted 08-28-2012 04:15

    Hi

     

    I have an SRX and want to set up a site-to-site VPN with another vendor (Cisco), but I have the following conditions:

     

    - I have more than one site to create a VPN with.

    - There are multiple subnets on each VPN tunnel.

    - The private subnets are overlapping (so I have to use NAT over the VPN).

     

    Based on this, I think that I have to go with a route-based VPN (due to the required NATing). Am I right?

     

    If so, then I have to create multiple proxy IDs for each tunnel, but it's not supported.

     

    Is there any idea about this case?

     

    Regards

    Mahmoud

     



  • 2.  RE: Multi-proxy IDS on route based VPN (SRX)

    Posted 08-28-2012 04:52

    Hi Mehmood,

     

    For NAT with overlapping subnets, yes, you need to go for a route-based VPN.

     

    You can simply ignore the proxy-id configuration parameter or use 0.0.0.0; this should eliminate the issue of using a single subnet over a single VPN.

     

    Please let me know if this answer is enough for your understanding or we can discuss this in detail.

     

    Regards,

    Hassan



  • 3.  RE: Multi-proxy IDS on route based VPN (SRX)

    Posted 08-29-2012 01:10

    But the other sides are not Juniper, so I can't use 0.0.0.0 as a proxy ID, because Cisco VPN works by creating a separate SA for each of the communicating subnets.



  • 4.  RE: Multi-proxy IDS on route based VPN (SRX)
    Best Answer

    Posted 08-30-2012 16:39

    Hi Mahmood,

     

    If you have Cisco on the other side, then you will have to go for multiple VPNs.

     

    - You can have one IKE gateway (phase 1) for each.

    - Use that gateway in each VPN (phase 2) configuration with different proxy-ids.

     

    Regards,

    Hassan



  • 5.  RE: Multi-proxy IDS on route based VPN (SRX)

    Posted 09-09-2012 02:04

    Hi Hassan

     

    In phase 2 there are proposal, policy, and VPN settings.

    So can I create one proposal and one policy, then share them between the multiple VPNs?

     

    Regards

    Mahmoud