Re: [j-nsp] DMVPN on Juniper

2009-07-18 Thread Derick Winkworth
Juniper really doesn't have a JUNOS based "any-to-any" type encryption solution.

The sad part is that if they supported NHRP and GDOI, then they would have a
solution that would be compatible with Cisco. DMVPN is really just GRE
w/NHRP and some proprietary hooks into IPSec... take those proprietary hooks out
and it's just GRE w/NHRP... now put GDOI on the WAN interface... and you have a
far better any-to-any encryption solution.  NO per-tunnel encryption state.  In
fact, if you push the next-hop cache down to the spokes, then potentially there
is no setup time at all for spoke-to-spoke communication...

You would think that would be a great way of getting an existing Cisco customer 
to try a Juniper box if they have an any-to-any encryption requirement.  Surely 
there are lots of these customers since ethernet WAN and MPLS WAN services are 
so prolific now...

From: Dale Shaw 
To: David Prall 
Cc: juniper-nsp@puck.nether.net
Sent: Friday, July 17, 2009 10:13:54 PM
Subject: Re: [j-nsp] DMVPN on Juniper

Hi David,

On Sat, Jul 18, 2009 at 1:08 PM, David Prall wrote:
> The feature is called Auto Connect VPN
> http://www.juniper.net/solutions/literature/app_note/350126.pdf

Thanks, but as I said in my original post (perhaps not very clearly,
looking back at it now), my preference is for a solution using JUNOS.

Anyway, have you used AC-VPN? and if so, how many sites? Is it
reliable? Any tricks/traps?

cheers,
Dale
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


[j-nsp] Help with NAT configuration

2009-07-18 Thread Tom Storey
I'm sure this question has been asked before, but googling and reading
examples and the JUNOS documentation has not yielded an answer yet.

I have a classic network example whereby my WAN IP address is
dynamically assigned, but every configuration example I have seen
specifically states the WAN IP address [range] to use for NAT.

Is there any way I can simply say "I don't know what address to use, use
whatever is assigned to interface x"? Specifically I would like to
tell it to use whichever address is assigned to pp0.0.

Below is the config I wish to apply, but I've yet to solve the above
before I can commit it (complains about the lack of address in the
pool). I've been playing around, so please correct me on any mistakes
I've made.

Any help greatly appreciated! :-)

  services {
      service-set wan-service-set {
          nat-rules nat-egress;
          nat-rules nat-ingress;
          interface-service {
              service-interface sp-0/0/0;
          }
      }
      nat {
          pool nat-pool {
              port automatic;
          }
          rule nat-egress {
              match-direction output;
              term 1 {
                  then {
                      translated {
                          source-pool nat-pool;
                          translation-type {
                              source dynamic;
                          }
                      }
                  }
              }
          }
          rule nat-ingress {
              match-direction input;
              term other {
                  from {
                      destination-address {
                          any-unicast;
                      }
                  }
                  then {
                      no-translation;
                  }
              }
          }
      }
  }
