I have two SSGs, each running BGP on the TRUST interface. There is a route-based VPN tunnel between the two units, bound to a tunnel interface that is in turn bound to the UNTRUST interface. BGP is not running on the UNTRUST interface, but it is on the tunnel interface. Neighbor peering to the internal peers is fine, but I cannot establish peering via the tunnel. The neighbors are defined to the TRUST interfaces and policy allows the traffic.
I have read a few forum posts about using numbered tunnel interfaces for dynamic routing. Is this the right way? Should my setup use numbered tunnel interfaces and peer with those interfaces?
Re: BGP via Unnumbered Tunnel interface between 2 SSG5
I don't think it is required that your tunnel interface have an IP address, but it would certainly be more common. Check out the Concepts and Examples guide, Volume 5 (VPNs). There are some samples of using BGP over VPN tunnels.
The primary item to note is that you need a static route on each remote site to the neighbor router that uses the VPN tunnel for access. This allows them to discover each other and form the neighbor relationship. Just create a /32 static route to the neighbor using the tunnel interface on each side.
Steve Puluka BSEET - Juniper Ambassador - IP Architect, DQE Communications, Pittsburgh, PA (Metro Ethernet & ISP) - http://puluka.com/home
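Worked example of what the answer above describes, added here as an illustration and not part of the original thread or of any Juniper documentation: a minimal ScreenOS configuration for one side (site A) of an unnumbered route-based VPN, with the /32 host route to the remote TRUST address through the tunnel and BGP peering between the two TRUST addresses. All IP addresses, AS numbers, interface names and gateway/VPN object names are constructed for the example; the pre-shared key is a placeholder. Lines beginning with # are annotations for the reader, not ScreenOS commands.

```screenos
# Site A: TRUST is ethernet0/0 (10.1.0.1/24), UNTRUST is ethernet0/2
# (203.0.113.1/24). Site B mirrors this with 10.2.0.1 and 198.51.100.2.

# Tunnel interface in the untrust zone, unnumbered, borrowing the TRUST IP.
# BGP sourced out of tunnel.1 therefore uses 10.1.0.1, which is the
# address site B configures as its neighbor.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Route-based IPsec VPN bound to the tunnel interface (key is a placeholder).
set ike gateway gw-siteB address 198.51.100.2 main outgoing-interface ethernet0/2 preshare "REPLACE-WITH-PSK" sec-level standard
set vpn vpn-siteB gateway gw-siteB sec-level standard
set vpn vpn-siteB bind interface tunnel.1
set vpn vpn-siteB proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

# The step the answer calls out: a host route to the remote peer's TRUST
# address via the tunnel, so TCP/179 to the neighbor is sent into the VPN
# rather than following the default route out of the UNTRUST interface.
set route 10.2.0.1/32 interface tunnel.1

# BGP in the trust-vr, enabled on the tunnel interface, peering with the
# remote TRUST address. Site B uses AS 65002 and neighbor 10.1.0.1.
set vrouter trust-vr protocol bgp 65001
set vrouter trust-vr protocol bgp enable
set vrouter trust-vr protocol bgp neighbor 10.2.0.1 remote-as 65002
set vrouter trust-vr protocol bgp neighbor 10.2.0.1 enable
set interface tunnel.1 protocol bgp
set vrouter trust-vr protocol bgp network 10.1.0.0/24

# Verification: phase 2 SA active, host route resolves via tunnel.1,
# neighbor state Established.
get sa
get route ip 10.2.0.1
get vrouter trust-vr protocol bgp neighbor
```

Site B is the mirror image: its /32 route points at 10.1.0.1 via its own tunnel.1, its BGP instance is AS 65002 and its neighbor statement names 10.1.0.1 with remote-as 65001. When checking, `get route ip 10.2.0.1` should show the tunnel.1 host route as the match; if it instead shows the default route out of ethernet0/2, the BGP session will never enter the tunnel, which is the symptom the question describes.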