In the past, when I used Cisco routers, I configured tunnels with a front door VRF. As far as I'm aware, this is Cisco terminology.
Now I need to create a site-to-site VPN using an SRX at both ends. Is there a Junos equivalent of the front-door VRF?
The Junos equivalent of Cisco's VRF is Routing Instances. Please check the following document for configuring the VPN on an SRX in a routing instance - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-secure-tunnel-interface-in-a-virtual-router.html
Thanks for your reply, but I'm not asking about VRF-Lite.
I want to know if Juniper has an equivalent of a Front-Door VRF.
This is where a specific VRF (or routing-instance) is used as the underlay, and another VRF is the overlay.
For example, VRF-1 is the underlay, and has a default route over the internet. This VRF is used for building the tunnel, and establishing the IPsec SAs.
VRF-2 (or the global VRF) is the overlay. The tunnel interface is in this VRF. This VRF has a default route that pushes traffic over the tunnel.
Does Juniper have this?
With SRX you can have your IKE gateway address placed in one routing-instance (or global inet.0) and then terminate the decapsulated traffic into a different routing-instance... so from your description, I would say "yes" 🙂
You will just use a route-based VPN with SRX gateways and then bind e.g. the st0.1 interface to routing-instance X and st0.2 to routing-instance Y.
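The arrangement described in the reply above, as an added configuration example (not posted by any participant in the thread): the IKE gateway's external interface sits in an underlay routing instance, and the st0 tunnel interface sits in a separate overlay instance. Instance names, interfaces, addresses and the pre-shared key are constructed placeholders, and security policies between the trust and vpn zones are assumed to exist already.

```junos
# Constructed example: all names, interfaces and addresses are placeholders.
# Underlay ("front door"): internet-facing interface and default route.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/30
set routing-instances UNDERLAY instance-type virtual-router
set routing-instances UNDERLAY interface ge-0/0/0.0
set routing-instances UNDERLAY routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Overlay: tunnel and LAN interfaces, default route pushed into the tunnel.
set interfaces st0 unit 1 family inet
set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.1/24
set routing-instances OVERLAY instance-type virtual-router
set routing-instances OVERLAY interface st0.1
set routing-instances OVERLAY interface ge-0/0/1.0
set routing-instances OVERLAY routing-options static route 0.0.0.0/0 next-hop st0.1

# IKE: the gateway is tied to the underlay through its external interface.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<PLACEHOLDER-PSK>"
set security ike gateway PEER ike-policy IKE-POL
set security ike gateway PEER address 198.51.100.2
set security ike gateway PEER external-interface ge-0/0/0.0
set security ike gateway PEER version v2-only

# IPsec: route-based VPN bound to the tunnel interface in the overlay.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn SITE-B bind-interface st0.1
set security ipsec vpn SITE-B ike gateway PEER
set security ipsec vpn SITE-B ike ipsec-policy IPSEC-POL
set security ipsec vpn SITE-B establish-tunnels immediately

# Zones: only IKE is accepted on the internet-facing interface.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.1
set security zones security-zone trust interfaces ge-0/0/1.0
```

Because the overlay instance holds no route to the internet, a failed tunnel leaves LAN traffic with no path out in the clear, which is the isolation property the front-door design is meant to give.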
That sounds like what I'm looking for, thanks!
I think I will need to lab this first... Off to jLabs I go!