16.01.2013 20:46, Anton Yurchenko wrote:
> Juniper solution is to either set up multiple tunnels, one for each
> proxy-id, or to convert the remote side to route-based VPN.
> On the Cisco side it is implemented via VTI, for IPSec traffic have a
> tunnel interface like GRE tunnel and place traffic onto it via routing
> instead of crypto-maps. Very similar to Juniper.
> http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html
>
> http://x443.wordpress.com/2011/11/03/route-based-vpn-between-juniper-and-cisco/
>
Although this is pretty obvious and elegant, it's a very common case that you can't do this for whatever reason. E.g. older IOS could not do VTI without GRE, but an SRX cluster could not do GRE until very recently; the remote peer is just too dumb, etc. Sometimes the remote side just won't switch to route-based because they don't know how to, or it's a NOC shift with strict config guidelines that they can break. A very straightforward workaround for such cases is to add another tunnel to the same peer for the second pair of subnets. But it requires another global address on one side.