I am attempting to set up multiple IPsec VPNs on a single, unnumbered tunnel interface (st0.0) with next-hop-tunnel binding. I have the following:
set interfaces st0.0 multipoint
set interfaces st0.0 family inet next-hop-tunnel X.X.X.X ipsec-vpn ipsec-vpn-X
set routing-options static route Y.Y.Y.Y/24 next-hop st0.0
set routing-options static route Z.Z.Z.Z/24 next-hop st0.0
set security ipsec policy ipsec-policy-X proposal-set standard
set security ipsec vpn ipsec-vpn-X bind-interface st0.0
set security ipsec vpn ipsec-vpn-X ike gateway ike-gate-X ipsec-policy ipsec-policy-X
set security ipsec vpn ipsec-vpn-X establish-tunnels immediately
set security ike policy ike-policy-X mode main
set security ike policy ike-policy-X proposal-set standard
set security ike policy ike-policy-X pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxx
set security ike gateway ike-gate-X ike-policy ike-policy-X
set security ike gateway ike-gate-X address X.X.X.X
set security ike gateway ike-gate-X external-interface ge-0/0/0
This doesn't work currently, but as soon as I take out the next hop, multipoint, and st0.0 interface binding on the other IPsec VPN, it works. The VPN gets created (the establish-tunnels immediately takes care of this, I assume), but no traffic will flow until I do the former.
I have done similar setups in ScreenOS, but this doesn't appear to work in Junos, at least with unnumbered tunnel interfaces. Any ideas? Do I need to have an IP address on the tunnel interfaces? Should I just use another tunnel interface? I'd rather do neither.