SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route-Based VPNs - Same Subnet Required?

    Posted 05-11-2011 17:14

    I'm new to VPNs, and I heard that to setup a route-based vpn on either end, both ends must be in the same subnet.  Could someone please confirm if this is true and explain why to me?  Thank you.



  • 2.  RE: Route-Based VPNs - Same Subnet Required?

    Posted 05-11-2011 17:53

    Hi,


    That is untrue.  You can NAT a VPN that overlaps, but it's not required.  It's a lot easier when the two sites are not on the same subnet.  The Concepts & Examples guide has some good examples.

     

    I hope this helps.

     

    John



  • 3.  RE: Route-Based VPNs - Same Subnet Required?
    Best Answer

    Posted 05-11-2011 23:46

    Hi

     

    Probably, what you've heard was: tunnel interface IP addresses should be in the same subnet.

    For example, st0.0 on one side has 10.0.0.1/24 and st0.0 on the other side has 10.0.0.2/24. In this case a route to 10.0.0.0/24 will be added to the routing table automatically, pointing to the tunnel, and the IP of the other tunnel interface will be available (for pings, etc.) without any additional config. Note that st0.0 can even be unnumbered: just configure family inet, with no address. It will work.

    But protected subnets behind different firewalls should be in different IP subnets - firewall72 is right, this is the best design.
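
The two tunnel-interface options described in the thread, written out as Junos set commands. This is an added example, not configuration posted by any participant; the protected subnets 192.168.1.0/24 (Site A) and 192.168.2.0/24 (Site B) are constructed, and the IPsec VPN is assumed to be bound to st0.0 on both devices already.

```junos
# Constructed example. Assumed protected subnets:
#   Site A: 192.168.1.0/24    Site B: 192.168.2.0/24
# They do not overlap, so no NAT is needed across the tunnel.

# Option 1: numbered tunnel interfaces sharing 10.0.0.0/24
# The connected route for 10.0.0.0/24 appears automatically and only
# covers the tunnel endpoints. The remote protected subnet still needs
# its own route (static here; a routing protocol also works).

# Site A
set interfaces st0 unit 0 family inet address 10.0.0.1/24
set routing-options static route 192.168.2.0/24 next-hop 10.0.0.2

# Site B
set interfaces st0 unit 0 family inet address 10.0.0.2/24
set routing-options static route 192.168.1.0/24 next-hop 10.0.0.1

# Option 2: unnumbered tunnel interfaces
# family inet is enabled with no address, so there is no tunnel subnet
# and no peer tunnel IP to ping. Routes point at the interface itself.

# Both sites
set interfaces st0 unit 0 family inet

# Site A
set routing-options static route 192.168.2.0/24 next-hop st0.0

# Site B
set routing-options static route 192.168.1.0/24 next-hop st0.0
```

With option 1, `show route 10.0.0.0/24` on either device should list the subnet as a direct route via st0.0 once the tunnel interface is up.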