Hi All,
I am doing the swap from ISG1000 to SRX5800. And now consider the migration of GRE over IPsec part.
1. Any limitation about GRE over IPsec on high end SRX JUNOS12.1?
2. After some days search, I dedice to use route-based IPsec and software based GRE. For IPsec, I think st0 interface will be used. In a lot of reference I found, gr interface is used for GRE. But I also read that gr is only used when there is dedicated PIC for GRE. In my SRX5800, only one SPC is ordered. Does it mean no dedidated PIC for GRE? If so, that's why I decide to use software based GRE on interface gre.0 instead. But less reference is found for this. And I have doubt whether my above understanding is right. Could someone help confirm, gr-0/0/0 or gre.0 to be used in my case?
3. In the attached ISG config, you could find there is two tunnels now for redundancy. One local endpoint IP but two remote endpoint IP, so two tunnels. How to realize this in SRX5800? Currently no new IP assigned, so plan is to use all exsiting endpoint and IP. Is it possible? For the route to the remote subnet, the primary route should be to gre.0 and the secondray route should be to gre.1?
This is the first time of me to do such GRE over IPsec on SRX. So your in time help is highly appericiated. Thanks in advance!!
BR/ Claire
↧