SRX

Expand all | Collapse all

Hub-Spoke VPN config between SRX to cisco & Hp router

Jump to Best Answer
  • 1.  Hub-Spoke VPN config between SRX to cisco & Hp router

    Posted 10-14-2019 01:06

    Hi All,

     

    Need your help on the below concern.

    I need to build Hub- Spoke VPN between head-office and branch offices.

    SRX is Hub

    Cisco and HP routers are Spoke

    Can somebody tell me about the method which i need to follow to build Hub and spoke tunnel and majorly i need to stop creating more config from Hub side for all spokes VPN because we have 1000+ spokes.



  • 2.  RE: Hub-Spoke VPN config between SRX to cisco & Hp router

     
    Posted 10-14-2019 02:41

    Are you saying you want to create a vpn without any configuration on one side?

    That won't be possible.

     

    We can use groups and apply groups to minimize the lines of code but every vpn does need to be created on both sides to establish.

     

    What issue are you having on the SRX that limiting code there is needed?

     



  • 3.  RE: Hub-Spoke VPN config between SRX to cisco & Hp router
    Best Answer

    Posted 10-14-2019 10:48

    Hi Chetan

     

    You can find here a configuration example that can guide you with the SRX configuration; the configuration on the HP and Cisco side will be a normal VPN.

     

    https://www.juniper.net/documentation/en_US/junos12.1x44/topics/example/ipsec-hub-and-spoke-configuring.html

     

    However, because your spokes wont be Juniper devices you need to fully understand the concept of the HNTB table:

     

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/vpn-hub-spoke-nhtb-example-overview.html

     

    After you have reviewed the above data: note that on the SRX you will only use 1 interface (st0) that will be linked to several tunnels hence the NHTB table helps to determine the correct tunnel on which the traffic has to be sent. However the info on the NHTB table has to be manually set by you so the traffic can be sent properly to the HP or Cisco devices. Also note that the routes created on the SRX towards the HP and Cisco devices are dummy routes and are only used to redirect traffic to the proper tunnel (using NHTB) and that the IP addresses used in the routes as next-hops are not required to be configured on the third-party devices.

     

    Hope this helps you.