Re: [j-nsp] DMVPN on Juniper
Juniper really doesn't have a JUNOS based any-to-any type encryption solution. The sad part is that if they supported NHRP and GDOI, then they would have a solution that would be compatible with Cisco. DMVPN is really just GRE w/NHRP and some proprietary hooks into IPSec... take those proprietary hooks out and it's just GRE w/NHRP... now put GDOI on the WAN interface... and you have a far better any-to-any encryption solution. NO per-tunnel encryption state. In fact, if you push the next-hop cache down to the spokes, then potentially there is no setup time at all for spoke-to-spoke communication...

You would think that would be a great way of getting an existing Cisco customer to try a Juniper box if they have an any-to-any encryption requirement. Surely there are lots of these customers since Ethernet WAN and MPLS WAN services are so prolific now...

From: Dale Shaw dale.shaw+j-...@gmail.com
To: David Prall d...@dcptech.com
Cc: juniper-nsp@puck.nether.net
Sent: Friday, July 17, 2009 10:13:54 PM
Subject: Re: [j-nsp] DMVPN on Juniper

Hi David,

On Sat, Jul 18, 2009 at 1:08 PM, David Prall d...@dcptech.com wrote:
> The feature is called Auto Connect VPN
> http://www.juniper.net/solutions/literature/app_note/350126.pdf

Thanks, but as I said in my original post (perhaps not very clearly, looking back at it now), my preference is for a solution using JUNOS.

Anyway, have you used AC-VPN? and if so, how many sites? Is it reliable? Any tricks/traps?

cheers,
Dale
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] DMVPN on Juniper
Hi again all,

On Tue, Jul 14, 2009 at 8:18 PM, Dale Shaw dale.shaw+j-...@gmail.com wrote:
> Can anyone tell me what the equivalent functionality to DMVPN is in
> the world of Juniper?

Not many responses on this one -- on-list or otherwise -- which leads me to believe it's probably not a widely used feature, and/or hasn't made the cut for implementation in JUNOS with the feature demands of service providers.

Maybe it's just an indication that this list is dominated by SP types (no surprise), so I will continue the search, but I'm not holding my breath.

If anyone has any tips on how to provision secure any-to-any/full mesh CE connectivity with 60 sites, without going insane, please get in touch :-) A home grown script to generate and provision configs looks to be the most promising solution so far.

cheers,
Dale
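Added example, not part of the original thread: a minimal Python sketch of the kind of home-grown generator mentioned above, showing what a statically provisioned 60-site full mesh implies (one tunnel and one pre-shared key per site pair, which is the per-tunnel state that a group-key scheme such as GDOI avoids). The site names, the RFC 5737 documentation addresses and the vendor-neutral plan format are assumptions; it does not emit JUNOS or ScreenOS syntax.

```python
import itertools
import secrets


def build_mesh_plan(sites, key_bytes=32):
    """sites: {name: wan_ip}. Returns {name: [peer entries]} for a full mesh."""
    if len(set(sites.values())) != len(sites):
        raise ValueError("duplicate WAN address in site inventory")
    plan = {name: [] for name in sites}
    for a, b in itertools.combinations(sorted(sites), 2):
        psk = secrets.token_hex(key_bytes)  # one random key per pair, never reused
        plan[a].append({"peer": b, "remote_ip": sites[b], "psk": psk})
        plan[b].append({"peer": a, "remote_ip": sites[a], "psk": psk})
    return plan


def tunnel_count(plan):
    """Each tunnel appears once on each of its two endpoints."""
    return sum(len(peers) for peers in plan.values()) // 2


def check_plan(plan):
    """Return a list of problems: missing reverse entry, key mismatch, key reuse."""
    problems, seen = [], {}
    for site, peers in plan.items():
        for p in peers:
            back = [q for q in plan.get(p["peer"], []) if q["peer"] == site]
            if len(back) != 1:
                problems.append(f"{site}->{p['peer']}: no matching reverse entry")
            elif back[0]["psk"] != p["psk"]:
                problems.append(f"{site}<->{p['peer']}: key mismatch")
            pair = frozenset((site, p["peer"]))
            if seen.setdefault(p["psk"], pair) != pair:
                problems.append(f"{site}<->{p['peer']}: key reused on another pair")
    return problems


# Constructed inventory: 60 sites on documentation addresses (RFC 5737).
SITES = {f"site{i:02d}": f"198.51.100.{i}" for i in range(1, 61)}

if __name__ == "__main__":
    plan = build_mesh_plan(SITES)
    print(tunnel_count(plan), "tunnels,", len(plan["site01"]), "peers per site")
    print(check_plan(plan) or "plan is consistent")
```

Running `check_plan` on the generated plan before pushing anything to devices catches one-sided edits, which are the usual way a hand-maintained mesh drifts out of sync.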
Re: [j-nsp] DMVPN on Juniper
How about going...eh...Cisco? I am sure there are some service providers offering Cisco Managed CPE in Australia?

-Luan

> Hi again all,
>
> On Tue, Jul 14, 2009 at 8:18 PM, Dale Shaw dale.shaw+j-...@gmail.com wrote:
> > Can anyone tell me what the equivalent functionality to DMVPN is in
> > the world of Juniper?
>
> Not many responses on this one -- on-list or otherwise -- which leads me to believe it's probably not a widely used feature, and/or hasn't made the cut for implementation in JUNOS with the feature demands of service providers.
>
> Maybe it's just an indication that this list is dominated by SP types (no surprise), so I will continue the search, but I'm not holding my breath.
>
> If anyone has any tips on how to provision secure any-to-any/full mesh CE connectivity with 60 sites, without going insane, please get in touch :-) A home grown script to generate and provision configs looks to be the most promising solution so far.
>
> cheers,
> Dale
Re: [j-nsp] DMVPN on Juniper
Ac VPN rocks!

Sent from my iPhone

On Jul 17, 2009, at 8:25 PM, Dale Shaw dale.shaw+j-...@gmail.com wrote:
> Hi David,
>
> On Sat, Jul 18, 2009 at 1:08 PM, David Prall d...@dcptech.com wrote:
> > The feature is called Auto Connect VPN
> > http://www.juniper.net/solutions/literature/app_note/350126.pdf
>
> Thanks, but as I said in my original post (perhaps not very clearly, looking back at it now), my preference is for a solution using JUNOS.
>
> Anyway, have you used AC-VPN? and if so, how many sites? Is it reliable? Any tricks/traps?
>
> cheers,
> Dale
Re: [j-nsp] DMVPN on Juniper
I am not sure if this is right for you :)

http://kb.juniper.net/kb/documents/public/junos_es/JUNOS_ES_Multipoint_VPN_with_NHTB.pdf

Regards,
Masood

> [apologies if you receive this on-list twice.]
>
> Hi all,
>
> Can anyone tell me what the equivalent functionality to DMVPN is in the world of Juniper?
>
> I understand there's ACVPN available in ScreenOS, but does anyone actually use this? Our local Juniper team didn't give us a warm, fuzzy feeling about this feature.
>
> As a side note, is it true that the any-to-any dynamic IPSec functionality that became DMVPN in Cisco world was actually developed by NetScreen prior to being acquired by Juniper? Is it true the functionality hasn't been developed to the same degree it has in IOS?
>
> We are looking at a (~60 site) deployment with Juniper CEs, using a service provider's L3VPN product, but CE device selection is proving a challenge -- we'd prefer not to roll out what seems to be a legacy platform in the SSGs, but the functionality apparently isn't there yet in JUNOS. Deploying hub-and-spoke in 2009 seems a bit backwards.
>
> If anyone has any anecdotes about ACVPN, or tips on how to achieve a similar configuration using a JUNOS-based device, please chime in! :-)
>
> The network will be supporting VoIP traffic, hence the any-to-any connectivity requirement.
>
> cheers,
> Dale
Re: [j-nsp] DMVPN on Juniper
Hi Masood,

On Tue, Jul 14, 2009 at 9:53 PM, mas...@nexlinx.net.pk wrote:
> I am not sure if this is right for you :)
>
> http://kb.juniper.net/kb/documents/public/junos_es/JUNOS_ES_Multipoint_VPN_with_NHTB.pdf

Thanks for replying!

This configuration seems to create a hub-and-spoke multipoint VPN. I'm really looking for a solution that allows direct spoke-to-spoke (full mesh) communication, and ideally, something that does not require static configuration of anything but the spoke-to-hub tunnel.

cheers,
Dale

> > [apologies if you receive this on-list twice.]
> >
> > Hi all,
> >
> > Can anyone tell me what the equivalent functionality to DMVPN is in the world of Juniper?
> >
> > I understand there's ACVPN available in ScreenOS, but does anyone actually use this? Our local Juniper team didn't give us a warm, fuzzy feeling about this feature.
> >
> > As a side note, is it true that the any-to-any dynamic IPSec functionality that became DMVPN in Cisco world was actually developed by NetScreen prior to being acquired by Juniper? Is it true the functionality hasn't been developed to the same degree it has in IOS?
> >
> > We are looking at a (~60 site) deployment with Juniper CEs, using a service provider's L3VPN product, but CE device selection is proving a challenge -- we'd prefer not to roll out what seems to be a legacy platform in the SSGs, but the functionality apparently isn't there yet in JUNOS. Deploying hub-and-spoke in 2009 seems a bit backwards.
> >
> > If anyone has any anecdotes about ACVPN, or tips on how to achieve a similar configuration using a JUNOS-based device, please chime in! :-)
> >
> > The network will be supporting VoIP traffic, hence the any-to-any connectivity requirement.
> >
> > cheers,
> > Dale
Re: [j-nsp] DMVPN on Juniper
Hi Dale,

With S2S (spoke 2 spoke) the biggest problem is now how to avoid static/manual configuration. What I am thinking is that the NHRP server for the following Hub/Spoke topology can be used to complete the link between S2S. In this case HUB can be used only for query. Cisco supports it; Juniper ??

Regards,
Masood

> Hi Masood,
>
> On Tue, Jul 14, 2009 at 9:53 PM, mas...@nexlinx.net.pk wrote:
> > I am not sure if this is right for you :)
> >
> > http://kb.juniper.net/kb/documents/public/junos_es/JUNOS_ES_Multipoint_VPN_with_NHTB.pdf
>
> Thanks for replying!
>
> This configuration seems to create a hub-and-spoke multipoint VPN. I'm really looking for a solution that allows direct spoke-to-spoke (full mesh) communication, and ideally, something that does not require static configuration of anything but the spoke-to-hub tunnel.
>
> cheers,
> Dale
>
> > > [apologies if you receive this on-list twice.]
> > >
> > > Hi all,
> > >
> > > Can anyone tell me what the equivalent functionality to DMVPN is in the world of Juniper?
> > >
> > > I understand there's ACVPN available in ScreenOS, but does anyone actually use this? Our local Juniper team didn't give us a warm, fuzzy feeling about this feature.
> > >
> > > As a side note, is it true that the any-to-any dynamic IPSec functionality that became DMVPN in Cisco world was actually developed by NetScreen prior to being acquired by Juniper? Is it true the functionality hasn't been developed to the same degree it has in IOS?
> > >
> > > We are looking at a (~60 site) deployment with Juniper CEs, using a service provider's L3VPN product, but CE device selection is proving a challenge -- we'd prefer not to roll out what seems to be a legacy platform in the SSGs, but the functionality apparently isn't there yet in JUNOS. Deploying hub-and-spoke in 2009 seems a bit backwards.
> > >
> > > If anyone has any anecdotes about ACVPN, or tips on how to achieve a similar configuration using a JUNOS-based device, please chime in! :-)
> > >
> > > The network will be supporting VoIP traffic, hence the any-to-any connectivity requirement.
> > >
> > > cheers,
> > > Dale