SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Policy conflict for dual tunnels

    Posted 11-14-2011 21:54

    Hello,

    I am having an issue with VPN policies conflicting. To understand it better, let's look at the following:

    10.1.1.1 [ ASA ] ======= tunnel ======== [ SRX ] ========== tunnel =========== [ Check Point ] 172.1.1.0

    10.1.1.1 needs to be able to reach the 172.1.1.0 subnet.

    Policy on SRX (VPN is policy-based):

    Policy 1: ASA to SRX (10.1.1.1 --> 172.1.1.0 Accept; Encrypt ASA-SRX)

    Policy 2: SRX to CP (10.1.1.1 --> 172.1.1.0 Accept; Encrypt SRX-CP)

    The tunnels on both ends come up; however, traffic is only passed via ASA-SRX. As for the tunnel between SRX and CP, the traffic fails (possibly since the SRX is encrypting it using Policy 1 instead of Policy 2).

    How can we overcome this issue? I was thinking of NATing 10.1.1.1 on the SRX and having

    Policy 2: SRX to CP (NAT_192.1.1.1 --> 172.1.1.0 Accept; Enc; SRX-CP)

    Any other suggestions?



  • 2.  RE: VPN Policy conflict for dual tunnels
    Best Answer

    Posted 11-15-2011 02:23

    Hi

    What you are trying to achieve is basically a hub-and-spoke VPN. It can only be route-based (with the VPN bound to a unit on the st0 interface), not policy-based (as I can see, you are trying policy-based).

    Here's a basic reference:

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40794.html
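
    The route-based hub-and-spoke layout the answer above describes, written out as an added Junos set-style example. It is not configuration from the original post, from Juniper's documentation, or from the poster's device. The zone names (vpn-asa, vpn-cp, untrust), the external interface ge-0/0/0.0, the peer gateway addresses 198.51.100.1 and 203.0.113.1, the policy and VPN object names, and the pre-shared key placeholder are all assumptions; only 10.1.1.1 and 172.1.1.0/24 come from the post. The idea it demonstrates: each spoke gets its own st0 unit and zone, the route table (not a security policy) decides which tunnel a packet enters, and an ordinary permit policy between the two tunnel zones replaces the two conflicting "encrypt" policies.

```junos
# Added example (not from the original post or from Juniper): route-based
# hub-and-spoke on the SRX. Names, peer addresses, interfaces and the
# pre-shared key are assumptions.

# One st0 unit per spoke; unnumbered point-to-point tunnel interfaces.
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

# Each tunnel interface in its own zone, so traffic arriving from the ASA
# tunnel can be policied towards the Check Point tunnel.
set security zones security-zone vpn-asa interfaces st0.0
set security zones security-zone vpn-cp interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# IKE phase 1: one policy shared by both gateways (assumed peer addresses).
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "REPLACE-WITH-STRONG-PSK"
set security ike gateway gw-asa ike-policy ike-pol
set security ike gateway gw-asa address 198.51.100.1
set security ike gateway gw-asa external-interface ge-0/0/0.0
set security ike gateway gw-cp ike-policy ike-pol
set security ike gateway gw-cp address 203.0.113.1
set security ike gateway gw-cp external-interface ge-0/0/0.0

# IPsec phase 2, bound to a tunnel interface instead of to a policy.
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-asa bind-interface st0.0
set security ipsec vpn vpn-asa ike gateway gw-asa
set security ipsec vpn vpn-asa ike ipsec-policy ipsec-pol
# Policy-based peers (ASA, Check Point) negotiate specific proxy IDs, while a
# route-based SRX offers 0.0.0.0/0 by default; pin them to what each peer
# expects or phase 2 fails with a proxy-ID mismatch.
set security ipsec vpn vpn-asa ike proxy-identity local 172.1.1.0/24 remote 10.1.1.1/32 service any
set security ipsec vpn vpn-asa establish-tunnels immediately
set security ipsec vpn vpn-cp bind-interface st0.1
set security ipsec vpn vpn-cp ike gateway gw-cp
set security ipsec vpn vpn-cp ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-cp ike proxy-identity local 10.1.1.1/32 remote 172.1.1.0/24 service any
set security ipsec vpn vpn-cp establish-tunnels immediately

# The route picks the tunnel: 10.1.1.1 lives behind the ASA, 172.1.1.0/24
# behind the Check Point.
set routing-options static route 10.1.1.1/32 next-hop st0.0
set routing-options static route 172.1.1.0/24 next-hop st0.1

# Plain permit policies between the two tunnel zones, both directions.
set security zones security-zone vpn-asa address-book address asa-host 10.1.1.1/32
set security zones security-zone vpn-cp address-book address cp-net 172.1.1.0/24
set security policies from-zone vpn-asa to-zone vpn-cp policy asa-to-cp match source-address asa-host
set security policies from-zone vpn-asa to-zone vpn-cp policy asa-to-cp match destination-address cp-net
set security policies from-zone vpn-asa to-zone vpn-cp policy asa-to-cp match application any
set security policies from-zone vpn-asa to-zone vpn-cp policy asa-to-cp then permit
set security policies from-zone vpn-cp to-zone vpn-asa policy cp-to-asa match source-address cp-net
set security policies from-zone vpn-cp to-zone vpn-asa policy cp-to-asa match destination-address asa-host
set security policies from-zone vpn-cp to-zone vpn-asa policy cp-to-asa match application any
set security policies from-zone vpn-cp to-zone vpn-asa policy cp-to-asa then permit
```

    The `#` lines are annotations for the reader; strip them before pasting into `load set terminal`, and remove the two existing policy-based VPN policies first, since their `tunnel ipsec-vpn` action would otherwise compete with the routed design. After commit, `show security ipsec security-associations` should list two active SAs, `show route 172.1.1.0/24` should resolve via st0.1, and `show security flow session destination-prefix 172.1.1.0/24` should show sessions entering on st0.0 and leaving on st0.1. The ASA's crypto ACL and the Check Point's encryption domain have to mirror the proxy IDs above (10.1.1.1 on one side, 172.1.1.0/24 on the other) for the tunnels to come up.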