On Mon, Nov 29, 2010 at 6:49 PM, Adam Leff <a...@leff.co> wrote:
> Also, for what it's worth, I do have multiple logical interfaces under st0
> (i.e. st0.0 and st0.1) and it is working without requiring NHTB.

Without NHTB? So the "security ipsec vpn XXX" hierarchy has a "bind-interface" statement, but the iff hierarchy under st0 *doesn't* have a "next-hop-tunnel" statement?

> Do you have all the pre-requisites set up? i.e. st0.1 in the proper
> security zone, a route pointed down st0.1 for the traffic to be tunneled,
> etc.?

I'm pretty sure everything looks right (but just to me, so it's certainly possible that there's a bug or two in my config). st0.1 is in a security zone that has policies to permit vpn-monitor ICMP traffic, and I'm not even routing over the st0.1 interface yet, just pinging the remote end.

Cheers,
jof
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp