Note that in this specific case, it is not two different remote sites but one remote site with a single address space. The problem is that we locally have two networks, and the other side can only do policy-based tunnels.

There are two ways to solve this:

1) Use policy-based VPN as well. Works well, but hides the routing in the policies.

2) Use tunnel interfaces and solve the egress problem with FBF/SBR. More complex setup, but obvious routing.

I personally prefer tunnel interfaces all the time (almost) because then the routing part and the firewall/policy part are separated. You can always do a "show route <prefix>" and see what is going on (barring NAT, of course). However, you end up with a separate local routing instance for each distinct local prefix.

In this specific case (not in general) I would try to talk to the other side and see if they can change their setup to use 10.1.0.0/16 in their Proxy-ID. Then the problem would be solved! One proxy-ID, one tunnel, no FBF/SBR.

/Per

On 14 Sep 2012, at 18:17, Mark Menzies wrote:

> Yup, what he said :)
>
> It will mean though that you will need 2 tunnel interfaces to place into 2 different routing instances.
>
> This can be a little complicated but we don't really have many options if the 2 remote sites have the same addressing scheme.
>
> HTH
>
> On 14 September 2012 15:59, Per Westerlund <[email protected]> wrote:
> Yes, static routes work. What happens is that you put the two tunnels in different routing instances. The static route/routes used in each routing instance are completely independent of each other.
>
> /Per
>
> On 14 Sep 2012, at 15:55, pkc_mls wrote:
>
> > On 14/09/2012 2:55, Per Westerlund wrote:
> >> The only way to handle this that I know of is FBF, in this case to implement source-based routing. You have to pick a different tunnel depending on which source address you see.
> >>
> >> I don't have access to my systems right now so I can't send an example, but there are plenty of examples in either the Juniper KB or the Juniper forums. The common use case is with 2 default routes to 2 different ISPs, and having to choose one or the other based on what local IP address is used.
> >>
> >> /Per Westerlund
> >>
> >>
> > Do you know if the static nat will work in such a scenario, because I have a lot of static nat rules configured for traffic through this tunnel?
> >
> > It becomes complicated for a simple multi proxy ID configuration.
> > _______________________________________________
> > juniper-nsp mailing list [email protected]
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
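A worked Junos (SRX) configuration for option 2 above, two st0 tunnel interfaces in separate forwarding instances with filter-based forwarding selecting the instance by source prefix. This is an illustration added here, not configuration posted by anyone in the thread; the two local /24s inside 10.1.0.0/16, the remote prefix 10.9.0.0/16, the LAN interfaces, the instance and VPN names are all assumed, and the IKE gateways, proxy-IDs, security zones (which must contain st0.0 and st0.1) and security policies are assumed to be configured separately.

```junos
interfaces {
    st0 {
        unit 0 { family inet; }   /* tunnel A, proxy-ID 10.1.1.0/24 <-> remote (assumed) */
        unit 1 { family inet; }   /* tunnel B, proxy-ID 10.1.2.0/24 <-> remote (assumed) */
    }
    ge-0/0/1 { unit 0 { family inet { filter { input select-tunnel; } address 10.1.1.1/24; } } }
    ge-0/0/2 { unit 0 { family inet { filter { input select-tunnel; } address 10.1.2.1/24; } } }
}
security {
    /* IKE gateway, IPsec proposals and the two proxy-IDs are assumed to exist. */
    ipsec {
        vpn to-remote-a { bind-interface st0.0; }
        vpn to-remote-b { bind-interface st0.1; }
    }
}
routing-options {
    /* Copy the connected routes into both forwarding instances; without this
       "next-hop st0.x" cannot resolve inside vpn-a / vpn-b. */
    interface-routes { rib-group inet local-to-vpn; }
    rib-groups {
        local-to-vpn { import-rib [ inet.0 vpn-a.inet.0 vpn-b.inet.0 ]; }
    }
}
routing-instances {
    /* One forwarding instance per local prefix, each with its own static route. */
    vpn-a {
        instance-type forwarding;
        routing-options { static { route 10.9.0.0/16 next-hop st0.0; } }
    }
    vpn-b {
        instance-type forwarding;
        routing-options { static { route 10.9.0.0/16 next-hop st0.1; } }
    }
}
firewall {
    family inet {
        filter select-tunnel {
            /* Source-based routing: the local source prefix picks the instance. */
            term from-lan-a {
                from { source-address { 10.1.1.0/24; } destination-address { 10.9.0.0/16; } }
                then routing-instance vpn-a;
            }
            term from-lan-b {
                from { source-address { 10.1.2.0/24; } destination-address { 10.9.0.0/16; } }
                then routing-instance vpn-b;
            }
            term everything-else { then accept; }   /* all other traffic uses inet.0 */
        }
    }
}
```

With this in place the "show route <prefix>" check from the message above becomes "show route 10.9.0.0/16 table vpn-a.inet.0" (and vpn-b.inet.0), which shows exactly which st0 unit each local prefix egresses through.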

