Also, for what it's worth, I do have multiple logical interfaces under st0 (i.e. st0.0 and st0.1) and it is working without requiring NHTB. This is on a J-series running 9.6R4.4, not an SRX, so I can't speak to your specific setup.

Do you have all the prerequisites set up? i.e. st0.1 in the proper security zone, a route pointed down st0.1 for the traffic to be tunneled, etc.?

~Adam

On Mon, Nov 29, 2010 at 9:45 PM, Adam Leff <a...@leff.co> wrote:
> Jonathan-
>
> I believe you need to look into NHTB (Next-Hop Tunnel Binding) that will
> allow you to use the one st0.0 interface but bind multiple tunnels.
>
> Check out the following doc:
> http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-40796.html
>
> ~Adam
>
>
> On Mon, Nov 29, 2010 at 7:51 PM, Jonathan Lassoff <j...@thejof.com> wrote:
>
>> I'm trying to set up an SRX in my office as a branch office with two
>> ISP connections, and I'd like to run an IPSec path over each back to
>> our datacenter. Ideally, I could terminate each tunnel on a separate
>> st0 unit (ifl's of st0.0 and st0.1), but it seems that JunOS will only
>> try to establish IPSec SPIs for VPNs that are bound to st0.0. I had a
>> second bound to st0.1, but it would never even try to send IKE traffic
>> to start the connection.
>>
>> So, I've got some failover working now by doing hub-and-spoke (in a
>> bit of a reverse fashion: one device at the datacenter, two paths to
>> the branch device) style config -- both VPNs are tied to st0.0 which
>> is configured as a multipoint interface. My only trouble now is
>> directing st0.0 traffic down a specific interface, it seems like there
>> isn't a way to tell it which VPN tunnel to prefer for sending traffic
>> down.
>>
>> Any ideas or opinions on what the right way to do this is? I feel like
>> two separate st0 units makes the most sense, but it's stumping me as
>> to why it never tries to establish a session.
>>
>> Cheers,
>> jof
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp