> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Brandon Bennett
> Sent: Tuesday, February 02, 2010 11:16 PM
> To: juniper-nsp
> Subject: [j-nsp] SRX/J VPN BGP with multiple proxy-ids
>
> I have a unique situation where I am trying to bring up an IPSec VPN on a
> J-series running 10.0.
>
> The VPN is terminated on an IOS device on the far end and has multiple
> proxy-ids but I also need to run local BGP across the VPN (probably a pretty
> unique situation).
>
> It seems that a route-based VPN will support BGP but only a single proxy-id
> is supported.
>
> A policy-based VPN will support multiple proxy-ids but it seems that BGP
> doesn't go through the policy so it will not come up.
>
> Does anyone know of any workarounds to either have multiple proxy-ids with
> route-based VPNs (desirable) or configure BGP to be processed by the zone
> policies?
This is a common problem. Essentially, Cisco creates a separate SA for each subnet pairing (i.e. Proxy-ID). Therefore, since there will be multiple Proxy-IDs which you need to support, the Route-Based VPN is pretty much out of the question, as you've surmised.

You can use a policy-based VPN and simply create separate policies for the various traffic you will need to tunnel. Make sure the source and destination addresses in your policies match those of the Proxy-IDs on the Cisco side, as the Proxy-IDs are automatically derived from the policy in a policy-based VPN in Juniper.

HTHs.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
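As an added illustration of the approach the reply describes (example configuration written for this page, not taken from either poster), the Junos fragment below builds a policy-based VPN to a Cisco peer with two proxy-ID pairs, one tunnel policy per pair in each direction. All names and addresses are assumed: 10.1.1.0/24 and 10.1.2.0/24 are the local subnets, 192.168.10.0/24 and 192.168.20.0/24 the remote ones, 203.0.113.1 the IOS peer, ge-0/0/0.0 the untrust interface. It covers only the proxy-ID side of the question; the reply does not address carrying BGP over the tunnel, and neither does this example.

```junos
# Added example (not from the thread). Addresses, names and interfaces are assumed.
# Each tunnel policy below yields one proxy-ID, so the address-book prefixes must
# match the corresponding line of the Cisco crypto ACL exactly (same mask), or
# Phase 2 for that pair will not come up.
security {
    ike {
        policy ike-pol {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "example-psk";   # assumed; use a real secret
        }
        gateway cisco-gw {
            ike-policy ike-pol;
            address 203.0.113.1;                        # assumed IOS peer address
            external-interface ge-0/0/0.0;              # assumed untrust interface
        }
    }
    ipsec {
        policy ipsec-pol {
            proposal-set standard;
        }
        vpn cisco-vpn {
            # No bind-interface: this is a policy-based VPN, the policies drive it.
            ike {
                gateway cisco-gw;
                ipsec-policy ipsec-pol;
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address local-net-a 10.1.1.0/24;
                address local-net-b 10.1.2.0/24;
            }
            interfaces { ge-0/0/1.0; }
        }
        security-zone untrust {
            address-book {
                address remote-net-a 192.168.10.0/24;
                address remote-net-b 192.168.20.0/24;
            }
            # IKE must be accepted on the interface the gateway is bound to.
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic { system-services { ike; } }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            # Proxy-ID pair A: local 10.1.1.0/24 <-> remote 192.168.10.0/24
            policy vpn-a-out {
                match { source-address local-net-a; destination-address remote-net-a; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy vpn-a-in; } } }
            }
            # Proxy-ID pair B: local 10.1.2.0/24 <-> remote 192.168.20.0/24
            policy vpn-b-out {
                match { source-address local-net-b; destination-address remote-net-b; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy vpn-b-in; } } }
            }
        }
        from-zone untrust to-zone trust {
            policy vpn-a-in {
                match { source-address remote-net-a; destination-address local-net-a; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy vpn-a-out; } } }
            }
            policy vpn-b-in {
                match { source-address remote-net-b; destination-address local-net-b; application any; }
                then { permit { tunnel { ipsec-vpn cisco-vpn; pair-policy vpn-b-out; } } }
            }
        }
    }
}
```

After commit and some matching traffic, `show security ipsec security-associations` should list one SA pair per proxy-ID, two in this example. If one pair never appears, compare that policy's source and destination prefixes (including the mask) against the matching permit line of the Cisco crypto ACL; a /24 against a /23 is a proxy-ID mismatch even though the hosts overlap. Note also that `application any` gives a proxy-ID with service "any"; narrowing the application in a tunnel policy narrows the proxy-ID as well, and then the protocol and ports must match the Cisco side too.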