I am attempting to set up multiple IPsec VPNs on a single, unnumbered tunnel interface (st0.0) with next-hop-tunnel binding. I have the following:
set interfaces st0.0 multipoint
set interfaces st0.0 family inet next-hop-tunnel X.X.X.X ipsec-vpn ipsec-vpn-X
set routing-options static route Y.Y.Y.Y/24 next-hop st0.0
set routing-options static route Z.Z.Z.Z/24 next-hop st0.0
set security ipsec policy ipsec-policy-X proposal-set standard
set security ipsec vpn ipsec-vpn-X bind-interface st0.0
set security ipsec vpn ipsec-vpn-X ike gateway ike-gate-X
set security ipsec vpn ipsec-vpn-X ike ipsec-policy ipsec-policy-X
set security ipsec vpn ipsec-vpn-X establish-tunnels immediately
set security ike policy ike-policy-X mode main
set security ike policy ike-policy-X proposal-set standard
set security ike policy ike-policy-X pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxx
set security ike gateway ike-gate-X ike-policy ike-policy-X
set security ike gateway ike-gate-X address X.X.X.X
set security ike gateway ike-gate-X external-interface ge-0/0/0
This doesn't work currently, but as soon as I take out the next hop, multipoint, and st0.0 interface binding on the other IPsec VPN, it works. The VPN gets created (the establish-tunnels immediately takes care of this, I assume), but no traffic will flow until I do the former.
I have done similar setups in ScreenOS, but this doesn't appear to work in Junos, at least with unnumbered tunnel interfaces. Any ideas? Do I need to have an IP address on the tunnel interfaces? Should I just use another tunnel interface? I'd rather do neither.
Have you tried using the remote side's st0.0 IP address instead of st0.0? This is an accepted configuration. I have used this in a single-VPN setup; I have not tried it in a multi-site setup as you are doing, but I would say "give it a shot!"
I wanted to do this without numbering the tunnel interfaces, but it appears that in order to use next-hop-tunneling, that is what needs to be done.
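The numbered-st0.0 arrangement the thread arrives at, written out as an added example in Junos set syntax; this is not configuration from the original post or from Juniper, and every address, subnet and object name in it is a constructed placeholder. It assumes two peers whose own st0 interfaces sit in the same 10.255.0.0/24 and whose public addresses are 203.0.113.2 and 203.0.113.3.

```junos
# Added example: two IPsec VPNs sharing one multipoint st0.0.
# All addresses, subnets and names are constructed placeholders.

# Number the shared tunnel interface; each remote side uses its own
# address from the same /24 on its st0 interface.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24

# Map each peer's st0 address to the VPN (and so the IPsec SA) that reaches it.
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn ipsec-vpn-A
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn ipsec-vpn-B

# Route each remote subnet to the peer's st0 address rather than to st0.0 itself,
# so the next-hop-tunnel lookup can pick the correct SA for the packet.
set routing-options static route 192.168.10.0/24 next-hop 10.255.0.2
set routing-options static route 192.168.20.0/24 next-hop 10.255.0.3

# IKE: one shared policy, one gateway per peer (public addresses are placeholders).
set security ike policy ike-policy-shared mode main
set security ike policy ike-policy-shared proposal-set standard
set security ike policy ike-policy-shared pre-shared-key ascii-text "<replace-with-a-long-random-psk>"
set security ike gateway ike-gate-A ike-policy ike-policy-shared
set security ike gateway ike-gate-A address 203.0.113.2
set security ike gateway ike-gate-A external-interface ge-0/0/0
set security ike gateway ike-gate-B ike-policy ike-policy-shared
set security ike gateway ike-gate-B address 203.0.113.3
set security ike gateway ike-gate-B external-interface ge-0/0/0

# IPsec: both VPNs bind to the same st0.0; the next-hop-tunnel table above
# is what keeps their traffic apart.
set security ipsec policy ipsec-policy-shared proposal-set standard
set security ipsec vpn ipsec-vpn-A bind-interface st0.0
set security ipsec vpn ipsec-vpn-A ike gateway ike-gate-A
set security ipsec vpn ipsec-vpn-A ike ipsec-policy ipsec-policy-shared
set security ipsec vpn ipsec-vpn-A establish-tunnels immediately
set security ipsec vpn ipsec-vpn-B bind-interface st0.0
set security ipsec vpn ipsec-vpn-B ike gateway ike-gate-B
set security ipsec vpn ipsec-vpn-B ike ipsec-policy ipsec-policy-shared
set security ipsec vpn ipsec-vpn-B establish-tunnels immediately
```

After commit, `show security ipsec security-associations` should list one SA per peer and `show security ipsec next-hop-tunnel` should show each 10.255.0.x address bound to its VPN; a route that still points at st0.0 rather than a peer address is the symptom to look for if one subnet stops passing traffic.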