SRX Services Gateway
SRX Services Gateway

Hub-Spoke VPN config between SRX to cisco & Hp router

‎10-14-2019 01:06 AM

Hi All,

 

Need your help on the below concern.

I need to build Hub- Spoke VPN between head-office and branch offices.

SRX is Hub

Cisco and HP routers are Spoke

Can somebody tell me about the method which i need to follow to build Hub and spoke tunnel and majorly i need to stop creating more config from Hub side for all spokes VPN because we have 1000+ spokes.

2 REPLIES 2
SRX Services Gateway

Re: Hub-Spoke VPN config between SRX to cisco & Hp router

‎10-14-2019 02:40 AM

Are you saying you want to create a vpn without any configuration on one side?

That won't be possible.

 

We can use groups and apply groups to minimize the lines of code but every vpn does need to be created on both sides to establish.

 

What issue are you having on the SRX that limiting code there is needed?

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
SRX Services Gateway
Solution
Accepted by topic author Iam_Chethan
‎10-15-2019 12:14 AM

Re: Hub-Spoke VPN config between SRX to cisco & Hp router

‎10-14-2019 10:48 AM

Hi Chetan

 

You can find here a configuration example that can guide you with the SRX configuration; the configuration on the HP and Cisco side will be a normal VPN.

 

https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/ipsec-hub-and-spoke-configur...

 

However, because your spokes wont be Juniper devices you need to fully understand the concept of the HNTB table:

 

https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/vpn-hub-spoke-nht...

 

After you have reviewed the above data: note that on the SRX you will only use 1 interface (st0) that will be linked to several tunnels hence the NHTB table helps to determine the correct tunnel on which the traffic has to be sent. However the info on the NHTB table has to be manually set by you so the traffic can be sent properly to the HP or Cisco devices. Also note that the routes created on the SRX towards the HP and Cisco devices are dummy routes and are only used to redirect traffic to the proper tunnel (using NHTB) and that the IP addresses used in the routes as next-hops are not required to be configured on the third-party devices.

 

Hope this helps you.

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!