ScreenOS Firewalls (NOT SRX)
ScreenOS Firewalls (NOT SRX)

BGP via Unumbered Tunnel interface between 2 ssg5

‎10-13-2011 09:48 AM

Group -


I have two SSGs each running BGP on the TRUST interface.  A route based VPN tunnel between the two units bound to a tunnel interface bound to the UNTRUST interface.  BGP is not running on the UNTRUST interface, but is on the TUN interface.  Neigh peering to the internal peers is fine, but I cannot establish peering via the tunnel. The neigh are defined to the TRUST interfaces and policy allows traffic.  


I have read a few forum posts about using numbered tunnel interfaces for dynamic routing, is this the right way?  Should my setup be numbered tun interfaces and peering with those interfaces?


Please advise

Chris McDaniel
ScreenOS Firewalls (NOT SRX)

Re: BGP via Unumbered Tunnel interface between 2 ssg5

‎10-14-2011 03:43 PM

I don't think it is required that your tunnel interface have an ip address, but it would certainly be more common.  Check out the Concepts and examples guide Volume 5 VPN.  There are some samples of using BGP over VPN tunnels.


The primary item to note is that  you need a static route on each remote site to the neighbor router that uses the VPN tunnel for access.  This allows them to discover and have the neighbor relationship.  Just create a /32 static route to the neighbor using the tunnel interface on each side.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)