Re: [j-nsp] M-series IPSEC / SP interface and VRF

2014-01-26 Thread Scott Harvanek
So I finally got some time to work on this again and we found the problem; it appears to have been the destination match, needed to switch to any/any matching instead. It would appear that destination address and next-hop don't mean the same thing, the actual destination needs to match the

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-12-18 Thread Alex Arseniev
And what happens if You ping a destination IP known via BGP across the tunnel but with different src.ip?

    ping routing-instance VRFname dst.ip source whatever

This src.ip must be known by/reachable from far end. HTH Thanks Alex On 17/12/2013 20:40, Scott Harvanek wrote: BGP is running in the

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-12-17 Thread Scott Harvanek
So this works to establish the tunnels, the problem is, BGP received routes over the tunnel do not function correctly. The routes are properly installed in the VRF but traffic to those destinations does not pass correctly. Does anyone have any experience running BGP like this on the m-series

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-12-17 Thread Alex Arseniev
For the traffic to be encrypted, the BGP nexthop has to point into the tunnel which means one of the below:
1/ BGP has to run inside the tunnel, or
2/ You have to have a BGP import policy to change the nexthop to tunnel's remote address. If this is eBGP, then also add accept-remote-nexthop

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-12-17 Thread Scott Harvanek
BGP is running in the tunnel and the next hop is the far side of the tunnel, everything looks correct. All the routes show the far end of the tunnel and BGP is established inside the VRF but traffic will not pass except for traffic directly between the two endpoints. E.g. BGP/ICMP on the tunnel

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-11-12 Thread Scott Harvanek
Anyone with any ideas on this? Scott H. On 11/9/13, 12:58 PM, Scott Harvanek wrote: Is there a way to build an IPSec tunnel / service interface where the local gateway is NOT in the same routing-instance as the service interface? Here's what I'm trying to do; [ router A (SRX) ] == Switch /

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-11-12 Thread Alex Arseniev
Yes

    [edit]
    aarseniev@m120# set services service-set SS1 ipsec-vpn-options local-gateway ?
    Possible completions:
      address              Local gateway address
      routing-instance     Name of routing instance that hosts local gateway   <== CHECK THIS OUT!!!
    aarseniev@m120> show version

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-11-12 Thread Scott Harvanek
Alex, Yea, tried this but it looks like you can't set it to the default inet.0 instance, only to things different... the local gw in my case is in the default instance and I want the service interface in another so unless I'm mistaken it's in default by default and this fails? Scott H. On

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-11-12 Thread Alex Arseniev
So, if I understand Your requirement, You want sp-0/0/0.unit in VRF, correct? And outgoing GE interface in inet.0? And where the decrypted packets should be placed, inet.0 or VRF? And where from the to-be-encrypted packets should arrive, from inet.0 or VRF? If the answer is correct/inet.0/VRF/VRF

Re: [j-nsp] M-series IPSEC / SP interface and VRF

2013-11-12 Thread Scott Harvanek
Yep excellent, I'll give it a whirl, thanks! Scott H. On 11/12/13, 1:24 PM, Alex Arseniev wrote: So, if I understand Your requirement, You want sp-0/0/0.unit in VRF, correct? And outgoing GE interface in inet.0? And where the decrypted packets should be placed, inet.0 or VRF? And where from

[j-nsp] M-series IPSEC / SP interface and VRF

2013-11-09 Thread Scott Harvanek
Is there a way to build an IPSec tunnel / service interface where the local gateway is NOT in the same routing-instance as the service interface? Here's what I'm trying to do; [ router A (SRX) ] == Switch / IS-IS mesh == [ router B m10i ] [ st0.0 / VRF ] = [ sp-0/0/0.0 / VRF ]