SRX

Hi All,

Need your help on the below concern.

I need to build Hub- Spoke VPN between head-office and branch offices.

SRX is Hub

Cisco and HP routers are Spoke

Can somebody tell me about the method which i need to follow to build Hub and spoke tunnel and majorly i need to stop creating more config from Hub side for all spokes VPN because we have 1000+ spokes.

Are you saying you want to create a vpn without any configuration on one side?

That won't be possible.

We can use groups and apply groups to minimize the lines of code but every vpn does need to be created on both sides to establish.

What issue are you having on the SRX that limiting code there is needed?

Hi Chetan

You can find here a configuration example that can guide you with the SRX configuration; the configuration on the HP and Cisco side will be a normal VPN.

https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/ipsec-hub-and-spoke-configuring.html

However, because your spokes wont be Juniper devices you need to fully understand the concept of the HNTB table:

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/vpn-hub-spoke-nhtb-example-overview.html

After you have reviewed the above data: note that on the SRX you will only use 1 interface (st0) that will be linked to several tunnels hence the NHTB table helps to determine the correct tunnel on which the traffic has to be sent. However the info on the NHTB table has to be manually set by you so the traffic can be sent properly to the HP or Cisco devices. Also note that the routes created on the SRX towards the HP and Cisco devices are dummy routes and are only used to redirect traffic to the proper tunnel (using NHTB) and that the IP addresses used in the routes as next-hops are not required to be configured on the third-party devices.

Hope this helps you.