On 28/11/12 11:24, Mike Williams wrote:
> On Tuesday 27 November 2012 23:08:04 Michel de Nostredame wrote:
>> PS: I just got an SRX100 and am going to do some POC with
>> selective-packet-mode. Basically I want to route my traffic into GRE
>> tunnel in packet-mode and route GRE packet over IPsec to remote SSG
>> site in flow-mode because IPsec needs flow module. Hopefully this can
>> suppress my session-table usage to only one for two records. I hate
>> flow-mode JUNOS for a long long long time since J-series, but the SRX
>> prices are simply irresistible.
>
> Michel,
>
> We wanted to do that with some SRX650s.
> Doesn't work. Sorry.
> Seems like some flag is on the packet saying it's packet-mode, which isn't
> removed/reset when it's wrapped in a GRE header, so IPSec sees a packet-mode
> packet and drops it.
>
> This was with 10.4R6.5, we didn't get the chance to try anything newer.

Have you seen this:
http://www.juniper.net/us/en/local/pdf/app-notes/3500192-en.pdf
I have successfully used an SRX 210 in packet mode and flow mode, to do
MPLS-over-GRE-over-IPSEC.
_______________________________________________
juniper-nsp mailing list
https://puck.nether.net/mailman/listinfo/juniper-nsp