Routing

Expand all | Collapse all

Route based IPsec on MX

Jump to Best Answer
  • 1.  Route based IPsec on MX

     
    Posted 01-22-2016 09:07

    Can anyone tell me if it is possible to configure a route based (not policy based) IPsec tunnel on the MX with MS-MIC? This is fairly straight forward on an SRX and seems to be the prefered method.



  • 2.  RE: Route based IPsec on MX

    Posted 01-22-2016 23:25

    Hello,

    Yes it is possible. Have You tried the documentation?

    http://www.juniper.net/documentation/en_US/junos15.1/topics/example/ipsec-configuring-on-ms-mic.html

    The above is the top link if You google "juniper mx ipsec"

    https://www.google.co.uk/search?&q=juniper+mx+ipsec

    HTH

    Thx

    Alex



  • 3.  RE: Route based IPsec on MX

     
    Posted 01-25-2016 06:33

    HI,

     

    Yes I have seen that document and it appears to be a policy based configuration. I am looking to use an IPsec tunnel to connect an SRX210 to an MX104. I want to use a route based  VPN that allows me to run a routing protocol across it. The configuration on the link uses policy to direct traffic across the tunnel rather than binding an interface that will become one end of a point to point link. On an SRX this would be the st0 interface.



  • 4.  RE: Route based IPsec on MX
    Best Answer

    Posted 01-25-2016 06:59

    Hello,

     


    @Regalis wrote:

    HI,

     

    Yes I have seen that document and it appears to be a policy based configuration.


    It is not. It is route-based IPSec and SRX-style policy-based IPSec is not supported on MX.

    It is true that You have to configure a policy to populate proxy-ids BUT You HAVE to use routing to direct traffic into MX IPSec interface.

     


    @Regalis wrote:

    HI,

     

    . I want to use a route based  VPN that allows me to run a routing protocol across it. 


    This config allows to run Your chosen protocol, even multicast-based such as OSPFv2, without additional GRE encaps, unlike CSCO.

     


    @Regalis wrote:

    HI,

     

    The configuration on the link uses policy to direct traffic across the tunnel 


    This policy is just for proxy-id creation.

     


    @Regalis wrote:

    HI,

     

     binding an interface that will become one end of a point to point link. On an SRX this would be the st0 interface.


    The MX MS-MIC equivalent is ms-x/y/z.w logical interface which is marked as "inside" in the config.

     

    HTH

    Thx

    Alex



  • 5.  RE: Route based IPsec on MX

     
    Posted 01-25-2016 07:12

    Oh, OK, so is it possible to put an address on the ms-x/y/z.a interface under family inet?



  • 6.  RE: Route based IPsec on MX

    Posted 01-25-2016 09:02

    Hello,

    Yes it is possible.

    HTH

    Thx

    Alex



  • 7.  RE: Route based IPsec on MX

     
    Posted 01-26-2016 12:11

    Excellent, thanks.



  • 8.  RE: Route based IPsec on MX

    Posted 09-09-2018 17:40

    hi all,

     

    does it works for put ip address in interface ms-x/y/z ? so ipsec between SRX - MX can build ip point to point on interface st0 (srx) and interface ms (mx).



  • 9.  RE: Route based IPsec on MX

    Posted 09-11-2019 17:29

    Hi Rahman

     

    yes you can add ip on ms interface for p2p connection from mx to srx

    but you need to configure a rule to direct the traffic toward the tunnel

     

    regards