SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route based VPN with multiple subnet

    Posted 05-28-2011 17:42

    Hi,

    I have 2 subnets at the source site and 1 subnet at the remote site.

    The source site has an SRX and the remote site an ISA.

    I am using a route based VPN with an unnumbered tunnel interface.

    It works fine with one subnet, but fails with multiple subnets. I read about lots of issues with this when we have a non-Juniper device at the other end.

    How can we make this work with a route based VPN?

    Raj



  • 2.  RE: Route based VPN with multiple subnet

    Posted 05-28-2011 18:20

    Hi Raj,

    I would recommend trying a single gateway with multiple VPNs (SAs). This is the way we typically would build VPNs to third party hardware. If you run into an issue, post your config.

    John



  • 3.  RE: Route based VPN with multiple subnet

    Posted 05-28-2011 18:25

    You mean to say

    2 SAs for different proxy IDs (source) and bind both with the same st0.0 interface.

    I tried this and it asks for multipoint. I enabled it but it still doesn't work.

    Raj



  • 4.  RE: Route based VPN with multiple subnet
    Best Answer

    Posted 05-29-2011 07:48

    1. You can create a single tunnel, set the proxy-ids as 0.0.0.0 and then control the traffic through ACLs implemented in security policies.

    2. If you want to create two separate point-to-point tunnels, st0.0 and st0.1 should be used on the two ends of the VPN.

    regards



  • 5.  RE: Route based VPN with multiple subnet

    Posted 03-18-2013 09:08

    Hello Sir,

    I have a problem. I already have a VPN between my office and a remote area; my office uses an SRX650 firewall and the remote side uses a Cisco 2911.

    Details of the existing VPN: route based VPN

    Office:                          Remote Office:
    edge IP: 41.206.2.121/30         Edge IP: 41.58.110.110/32
    host IP: 41.206.29.10/32         host IP: 41.58.110.110/32

    I have another server (main office) that I want to access another server in the remote office from, using the same tunnel.

    Details:
    host IP: 41.206.29.20/32         host IP: 41.58.110.105/32

    This is the case of multiple subnets on both the remote and main office, so my question is, please, how do I set up the configuration? Please help.



  • 6.  RE: Route based VPN with multiple subnet

    Posted 01-30-2014 01:54

    Hi, did you get a resolution for your multiple subnets requirements at both sites?



  • 7.  RE: Route based VPN with multiple subnet

    Posted 05-31-2011 05:45

    With 2 subnets at the source site and one subnet at the remote site you are looking at using NHTB in conjunction with FBF. http://kb.juniper.net/kb/documents/public/junos/jsrx/JSeries_SRXSeries_Multipoint_VPN_with_NHTB_12.pdf explains the basic setup: 1 subnet at the source site and two subnets at the remote site. Your setup will be similar, except that you can't use destination-based routing. You'll need to use FBF (filter-based forwarding) to make a routing decision on the source subnet.

    Your st0.0 interface will gain an IP address. Choose a mask large enough to handle some expansion (additional subnets) in future. You will route to a "next-hop" that is entirely virtual: the routing decision is needed only to decide which Phase 2 SA ("VPN") to use. So, for example, I could configure my tunnel interface as 172.16.1.1/24, and route to 172.16.1.2 and 172.16.1.3 for my two SAs that have the correct proxy IDs to match the traffic. The .2 and .3 addresses aren't configured anywhere; they don't actually exist on the remote site and don't need to exist on the remote site.

    This is only necessary when the remote site does not support using one proxy ID for all traffic through the tunnel. Cisco PIX/ASA is notorious for this.
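    The NHTB plus FBF layout described in the reply above, written out in Junos set syntax as an added example (not a config from the thread or from Juniper). The tunnel address 172.16.1.1/24 and the virtual next-hops .2 and .3 follow the reply; the VPN names, gateway, policy names, inside interface ge-0/0/1 and the subnets 10.1.1.0/24, 10.1.2.0/24 (source) and 192.168.100.0/24 (remote) are constructed placeholders.

```junos
# Tunnel interface: numbered and multipoint, so NHTB can map virtual next-hops to SAs
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 172.16.1.1/24
# Two Phase 2 SAs to the same gateway, one per source subnet; proxy IDs must match the peer
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike gateway GW-REMOTE
set security ipsec vpn VPN-A ike proxy-identity local 10.1.1.0/24
set security ipsec vpn VPN-A ike proxy-identity remote 192.168.100.0/24
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-B bind-interface st0.0
set security ipsec vpn VPN-B ike gateway GW-REMOTE
set security ipsec vpn VPN-B ike proxy-identity local 10.1.2.0/24
set security ipsec vpn VPN-B ike proxy-identity remote 192.168.100.0/24
set security ipsec vpn VPN-B ike ipsec-policy IPSEC-POL
# NHTB: the virtual next-hop chooses the SA; .2 and .3 are configured nowhere else
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.1.2 ipsec-vpn VPN-A
set interfaces st0 unit 0 family inet next-hop-tunnel 172.16.1.3 ipsec-vpn VPN-B
# Default path in inet.0: traffic from the first source subnet uses VPN-A
set routing-options static route 192.168.100.0/24 next-hop 172.16.1.2
# FBF: a forwarding instance that reaches the same destination via VPN-B instead
set routing-instances VIA-VPN-B instance-type forwarding
set routing-instances VIA-VPN-B routing-options static route 192.168.100.0/24 next-hop 172.16.1.3
# Share interface routes with the forwarding instance so the st0.0 next-hop resolves there
set routing-options rib-groups FBF-RIB import-rib inet.0
set routing-options rib-groups FBF-RIB import-rib VIA-VPN-B.inet.0
set routing-options interface-routes rib-group inet FBF-RIB
# Input filter on the inside interface: only the second source subnet is redirected
set firewall family inet filter FBF-SRC term SUBNET-B from source-address 10.1.2.0/24
set firewall family inet filter FBF-SRC term SUBNET-B from destination-address 192.168.100.0/24
set firewall family inet filter FBF-SRC term SUBNET-B then routing-instance VIA-VPN-B
set firewall family inet filter FBF-SRC term DEFAULT then accept
set interfaces ge-0/0/1 unit 0 family inet filter input FBF-SRC
# st0.0 still needs a zone and a permitting security policy, like any other interface
set security zones security-zone VPN interfaces st0.0
```

    The peer must present the same two proxy ID pairs; `show security ipsec security-associations` should then list two SAs and `show security ipsec next-hop-tunnels` the two NHTB entries.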