Jonathan- I believe you need to look into NHTB (Next-Hop Tunnel Binding) that will allow you to use the one st0.0 interface but bind multiple tunnels.
Check out the following doc:
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40796.html

~Adam

On Mon, Nov 29, 2010 at 7:51 PM, Jonathan Lassoff <j...@thejof.com> wrote:
> I'm trying to set up an SRX in my office as a branch office with two
> ISP connections, and I'd like to run an IPSec path over each back to
> our datacenter. Ideally, I could terminate each tunnel on a separate
> st0 unit (ifl's of st0.0 and st0.1), but it seems that JunOS will only
> try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
> second bound to st0.1, but it would never even try to send IKE traffic
> to start the connection.
>
> So, I've got some failover working now by doing hub-and-spoke (in a
> bit of a reverse fashion: one device at the datacenter, two paths to
> the branch device) style config -- both VPNs are tied to st0.0 which
> is configured as a multipoint interface. My only trouble now is
> directing st0.0 traffic down a specific interface, it seems like there
> isn't a way to tell it which VPN tunnel to prefer for sending traffic
> down.
>
> Any ideas or opinions on what the right way to do this is? I feel like
> two separate st0 units makes the most sense, but it's stumping me as
> to why it never tries to establish a session.
>
> Cheers,
> jof
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
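
An example of the NHTB approach suggested in the reply, added here as an illustration and not taken from the thread or the linked Juniper document: two VPNs bound to one multipoint st0.0, with the static route's next hop selecting which tunnel carries the traffic. The VPN names, tunnel addresses and datacenter prefix are assumptions, and the IKE gateways and IPsec VPN definitions are assumed to exist already.

```junos
# Constructed example: all names and addresses below are placeholders.
# Assumes two IPsec VPNs (vpn-isp1, vpn-isp2) are already defined under
# "security ipsec vpn", one per ISP uplink.

# One multipoint tunnel interface shared by both VPNs
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24

# Bind both VPNs to the same st0.0
set security ipsec vpn vpn-isp1 bind-interface st0.0
set security ipsec vpn vpn-isp2 bind-interface st0.0

# NHTB entries: each next-hop address on st0.0 maps to exactly one VPN
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn vpn-isp1
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn vpn-isp2

# Tunnel selection is done by the route, not by the interface:
# the primary next hop resolves to vpn-isp1, and the qualified next hop
# (higher preference value, so less preferred) resolves to vpn-isp2.
set routing-options static route 192.0.2.0/24 next-hop 10.255.0.2
set routing-options static route 192.0.2.0/24 qualified-next-hop 10.255.0.3 preference 10
```

The resulting next-hop-to-VPN mapping can be checked with `show security ipsec next-hop-tunnels`.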