> In my experience, I have used a loopback interface address of the SRX as
> the destination of the GRE tunnel on both sides then just send the /32
> route of the loopback at the other end to the st0.0 address.
>

One important thing here. When you use loopback for IPsec, GRE, iBGP or
any other sort of peering, you must keep in mind the traffic by default is
first considered to be transit, in contrast to the direct interface peering
where it's considered local right after it enters the physical interface.
So for loopbacks (or any other interface except the one which the packets
come through) you either need to correctly pass packets through the firewall
engine (policy-shmolisy, flow sessions, etc) or explicitly bypass it using
selective stateless filtering. This is true both for JUNOS Voyager (SRX/J)
and ScreenOS (if someone remembers that thing) except ScreenOS can (or
could? :) not do stateless.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
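The two options the reply describes, written out as a Junos set-command listing. This is an added illustration, not configuration from either poster: the addresses, the zone name `vpn`, the interface names (`lo0`, `st0.0`, `gr-0/0/0`, `ge-0/0/0`) and the filter/policy names are all assumed placeholders.

```junos
## Added example, not from the thread. Assumed addressing: local lo0 is
## 10.255.0.1/32, the far-end lo0 is 10.255.0.2/32, st0.0 is the IPsec
## tunnel interface, ge-0/0/0 is the underlay-facing interface.

## 1. GRE terminated on the loopback, with the far-end loopback /32 routed
##    down the IPsec tunnel, as the quoted poster describes.
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 0 family inet address 192.168.255.1/30
set routing-options static route 10.255.0.2/32 next-hop st0.0

## 2a. Option one: let the flow engine handle it. Because the packets arrive
##     on st0.0 but are addressed to lo0, they are transit traffic from the
##     flow engine's point of view, so lo0 must sit in a zone, that zone must
##     admit the protocols the loopback terminates, and an (intrazone here)
##     policy must permit the GRE path. Without the policy the default
##     intrazone deny silently drops the tunnel.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0
set security zones security-zone vpn interfaces lo0.0 host-inbound-traffic protocols bgp
set security policies from-zone vpn to-zone vpn policy allow-lo0-gre match source-address any
set security policies from-zone vpn to-zone vpn policy allow-lo0-gre match destination-address any
set security policies from-zone vpn to-zone vpn policy allow-lo0-gre match application junos-gre
set security policies from-zone vpn to-zone vpn policy allow-lo0-gre then permit

## 2b. Option two: selective stateless bypass. A firewall filter whose term
##     uses the packet-mode action takes matching packets out of flow
##     processing. Match as narrowly as possible (protocol plus both
##     loopback /32s) so only the peering traffic bypasses stateful
##     inspection; the trailing accept term keeps everything else in the
##     flow engine.
set firewall family inet filter gre-lo0-bypass term gre from source-address 10.255.0.2/32
set firewall family inet filter gre-lo0-bypass term gre from destination-address 10.255.0.1/32
set firewall family inet filter gre-lo0-bypass term gre from protocol gre
set firewall family inet filter gre-lo0-bypass term gre then packet-mode
set firewall family inet filter gre-lo0-bypass term gre then accept
set firewall family inet filter gre-lo0-bypass term rest then accept
set interfaces ge-0/0/0 unit 0 family inet filter input gre-lo0-bypass
```

Use one option or the other for a given flow, not both. Option 2a keeps the tunnel visible to sessions, policies and logging (`show security flow session` will show the GRE session); option 2b makes the packets invisible to the flow engine, so nothing downstream of the filter inspects them, which is why the match terms should be pinned to the exact loopback pair. Which interface types accept a packet-mode filter varies by platform and release, so the interface the filter is applied to (ge-0/0/0 here) is an assumption to confirm on the box in question.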
