> This is a common problem.  Essentially, Cisco creates a separate SA for each
> subnet pairing (i.e. Proxy-ID).  Therefore, since there will be multiple
> Proxy-IDs which you need to support, the Route-Based VPN is pretty much out
> of the question, as you've surmised.  You can use a policy-based VPN and
> simply create separate policies for the various traffic you will need to
> tunnel.  Make sure the source and destination addresses in your policies
> match those of the Proxy-IDs on the Cisco side, as the Proxy-IDs are
> automatically derived from the policy in a policy-based VPN in Juniper.


We have gone down that road, but it seems that the local BGP process
does not get processed by the inter-area policy (in my case trust to
untrust) and so does not go down the IPSEC tunnel.  It seems that on
the SRX/J-ES the only way to get this to work is a route-based
VPN (which brings us back to the proxy-id support problem).

-Brandon
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
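To make the quoted advice concrete, here is an added example (not from either poster) of a policy-based VPN on an SRX where each policy pair yields one Phase 2 SA whose proxy-IDs mirror one line of the Cisco crypto ACL. Every name, address and interface is constructed for illustration; it assumes zone-based address books and a single IKE gateway, and it does not address the BGP-originated traffic issue raised in the reply.

```junos
## Phase 1 / Phase 2 (constructed names; peer address is a placeholder)
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "<PSK-placeholder>"
set security ike gateway cisco-gw ike-policy ike-pol
set security ike gateway cisco-gw address 203.0.113.1
set security ike gateway cisco-gw external-interface ge-0/0/0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn cisco-vpn ike gateway cisco-gw
set security ipsec vpn cisco-vpn ike ipsec-policy ipsec-pol

## Address objects: one local/remote pair per Cisco crypto-ACL line
set security zones security-zone trust address-book address local-net-a 10.1.1.0/24
set security zones security-zone trust address-book address local-net-b 10.1.2.0/24
set security zones security-zone untrust address-book address remote-net-a 10.2.1.0/24
set security zones security-zone untrust address-book address remote-net-b 10.2.2.0/24

## Pair 1: proxy-ID 10.1.1.0/24 <-> 10.2.1.0/24 (one SA)
set security policies from-zone trust to-zone untrust policy vpn-a-out match source-address local-net-a
set security policies from-zone trust to-zone untrust policy vpn-a-out match destination-address remote-net-a
set security policies from-zone trust to-zone untrust policy vpn-a-out match application any
set security policies from-zone trust to-zone untrust policy vpn-a-out then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone trust to-zone untrust policy vpn-a-out then permit tunnel pair-policy vpn-a-in
set security policies from-zone untrust to-zone trust policy vpn-a-in match source-address remote-net-a
set security policies from-zone untrust to-zone trust policy vpn-a-in match destination-address local-net-a
set security policies from-zone untrust to-zone trust policy vpn-a-in match application any
set security policies from-zone untrust to-zone trust policy vpn-a-in then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone untrust to-zone trust policy vpn-a-in then permit tunnel pair-policy vpn-a-out

## Pair 2: proxy-ID 10.1.2.0/24 <-> 10.2.2.0/24 (a second SA, same VPN object)
set security policies from-zone trust to-zone untrust policy vpn-b-out match source-address local-net-b
set security policies from-zone trust to-zone untrust policy vpn-b-out match destination-address remote-net-b
set security policies from-zone trust to-zone untrust policy vpn-b-out match application any
set security policies from-zone trust to-zone untrust policy vpn-b-out then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone trust to-zone untrust policy vpn-b-out then permit tunnel pair-policy vpn-b-in
set security policies from-zone untrust to-zone trust policy vpn-b-in match source-address remote-net-b
set security policies from-zone untrust to-zone trust policy vpn-b-in match destination-address local-net-b
set security policies from-zone untrust to-zone trust policy vpn-b-in match application any
set security policies from-zone untrust to-zone trust policy vpn-b-in then permit tunnel ipsec-vpn cisco-vpn
set security policies from-zone untrust to-zone trust policy vpn-b-in then permit tunnel pair-policy vpn-b-out

## The Cisco crypto ACL must mirror these pairs exactly (constructed IOS lines):
##   access-list 101 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
##   access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.2.0 0.0.0.255
## Verify one SA per pair and the negotiated proxy-IDs with:
##   show security ipsec security-associations
##   show security ipsec security-associations detail
```

If a pair's addresses are widened on one side only (for example a /16 on the Cisco ACL), that Phase 2 negotiation fails with a proxy-ID mismatch while the other pairs keep working, which is the symptom to look for in the IKE trace.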
