SRX Services Gateway

Route-based VPN

04-30-2017 10:00 AM

When using a point-to-point VPN, is it a must that both st0 interfaces be in the same subnet?

When using a multipoint VPN, is it a must that all st0 interfaces be in the same subnet?

3 REPLIES

Re: Route-based VPN

04-30-2017 11:11 AM

Yes, when doing a route-based VPN you should think of the links between the tunnel interfaces as if they were connected physical interfaces.

So the point-to-point links are in the same subnet.

And for the multi-point links, all VPN interfaces are in the same broadcast domain and subnet.

This then allows normal routing protocols like OSPF to work for the segment you connect.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
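
The addressing described in the reply above, written out as Junos set commands. This is an added example, not part of the original thread: the addresses, unit numbers, the zone name `vpn` and the VPN names are assumptions, and the IKE gateways and IPsec policies are assumed to be configured already.

```junos
# Added example with constructed values (addresses, units, zone and VPN names).

# --- Point-to-point: site A. Site B uses 10.255.0.2/30 on its own st0.0. ---
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security ipsec vpn to-siteB bind-interface st0.0
# Permit only OSPF toward the gateway itself from the tunnel zone.
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set protocols ospf area 0.0.0.0 interface st0.0

# --- Multipoint hub. Each spoke's st0 takes another address in 10.255.1.0/24. ---
set interfaces st0 unit 1 multipoint
set interfaces st0 unit 1 family inet address 10.255.1.1/24
set security ipsec vpn to-spoke1 bind-interface st0.1
set security zones security-zone vpn interfaces st0.1 host-inbound-traffic protocols ospf
# OSPF over a multipoint st0: treat the segment as point-to-multipoint
# and let neighbors be discovered as tunnels come up.
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.1 dynamic-neighbors
```

Keeping the st0 units in their own zone with only `ospf` under `host-inbound-traffic` limits what tunnel peers can reach on the gateway itself.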

Re: Route-based VPN

04-30-2017 11:20 AM

Dear Steve,

Thanks for your reply.

Please, I have one more issue: when I was studying the GRE over IPSEC configuration, I found that they are using st0 (unnumbered), which was very confusing.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB19372&actp=METADATA


Re: Route-based VPN

04-30-2017 11:26 AM

You only need to use GRE over IPSEC if you are connecting to another vendor that requires GRE encapsulation. Juniper and many other vendors support having broadcast traffic like OSPF directly over IPSEC without further tunneling.

That GRE over IPSEC is mainly used with older Cisco versions that required the double tunnel.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home