I am pretty new to Juniper hardware. I have an NS-5GT that I would like to establish a VPN to an NS204 with. I've gotten the configs from other devices and I've been able to set up the policy-based VPN, and I believe it is working OK except for one little problem.
We've typically carved off a small subnet for VPN clients. (/28 network) I have a pre-existing network in place and I would like to blend the two together and I'm unsure how. (Or even if it is possible.)
I have a 192.168.0.1/24 network at home and my overall goal would be to map a few of the addresses I have to the 192.168.3.240/28 network I can use. I'll need to be able to talk to others on the 192.168.3.x/28 network, so I can't use the whole range for myself.
For example, I want to map my PC (192.168.0.5) to 192.168.3.250. To me this would provide a high level of security because that way my PCs wouldn't be able to talk to work without explicit definition, and work wouldn't be able to talk to my network.
I am curious. Why use a policy-based VPN? Based on your needs, a route-based VPN might make more sense. That way you can configure a MIP on the tunnel interface to handle the NAT. Is there a reason why you cannot use route-based?
The main reason is keeping with the standard. We have quite a few VPNs set up this way; I just happen to have a fairly large network at home and would like to have access limited to the devices I want, and not have to change my IP scheme. I have limited control over what I can do at one end. At my end I have much greater control.
Since you are able to control your end, why not change your end to route-based? You can have route-based on one side and policy-based on the other. Just be sure to configure the proper proxy-id on the route-based side to match the proxy-id sent from the policy-based side. Then you would be free to configure NAT on the tunnel interface.
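The home-side (NS-5GT) route-based setup the reply above describes, written out as an added ScreenOS example that is not from this thread. The work gateway address (203.0.113.1), the work LAN (10.10.0.0/16), the outside interface name (ethernet3), the tunnel interface number and the pre-shared key are assumed placeholders; the comment lines are annotations only.

```screenos
# Added example, not from the thread. Placeholders: 203.0.113.1 = work NS204
# public address, 10.10.0.0/16 = work LAN, ethernet3 = home untrust interface.
# Strip these comment lines before pasting into the CLI.

# Tunnel interface in the untrust zone, borrowing the outside interface's address
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

# MIP on the tunnel interface: 192.168.0.5 appears to work as 192.168.3.250.
# Only this mapped host is reachable from the tunnel; the rest of 192.168.0.0/24
# is never exposed, and the other /28 addresses stay free for other clients.
set interface tunnel.1 mip 192.168.3.250 host 192.168.0.5 netmask 255.255.255.255 vr trust-vr

# Phase 1 / Phase 2, with the VPN bound to the tunnel interface
set ike gateway gw-work address 203.0.113.1 main outgoing-interface ethernet3 preshare "REPLACE-ME" sec-level standard
set vpn vpn-work gateway gw-work sec-level standard
set vpn vpn-work bind interface tunnel.1

# Proxy-ID must mirror what the policy-based NS204 derives from its policy
# (work LAN -> 192.168.3.240/28): our local is the /28, remote is the work LAN.
set vpn vpn-work proxy-id local-ip 192.168.3.240/28 remote-ip 10.10.0.0/16 "ANY"

# Route the work LAN into the tunnel
set route 10.10.0.0/16 interface tunnel.1

# Policies: only the mapped host may initiate outbound; inbound is allowed
# only to the MIP address, so work cannot reach the rest of the home network.
set policy from trust to untrust 192.168.0.5/32 10.10.0.0/16 any permit
set policy from untrust to trust 10.10.0.0/16 MIP(192.168.3.250) any permit
```

A quick check after bringing the tunnel up is `get sa` for the Phase 2 SA state and `get interface tunnel.1` to confirm the MIP is attached; a Phase 2 proxy-id mismatch will show in `get event` on either box.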