
Multiple vpns asymmetric routing issue


Hello everybody,

I want to replace our SSG140 routers with the newer SRX240 models.
However, I'm stuck with an asymmetric routing problem.

We have our servers located in two datacenters, A and B.
Our servers are divided into several zones/VLANs.
The layout of the VLANs is identical in both datacenters.

I would like a VPN per zone between the datacenters. Let's say I have the following VPNs:

Datacenter A, zone 100 (st0.200) <--> Datacenter B, zone 200 (st0.101)
Datacenter A, zone 101 (st0.201) <--> Datacenter B, zone 201 (st0.101)
Datacenter A, zone 102 (st0.202) <--> Datacenter B, zone 202 (st0.102)
Datacenter A, zone 103 (st0.203) <--> Datacenter B, zone 203 (st0.103)

The following routes in datacenter A:

route 192.168.200.0/24 next-hop st0.200;
route 192.168.201.0/24 next-hop st0.201;
route 192.168.202.0/24 next-hop st0.202;
route 192.168.203.0/24 next-hop st0.203;

And the following routes in datacenter B:

route 192.168.100.0/24 next-hop st0.100;
route 192.168.101.0/24 next-hop st0.101;
route 192.168.102.0/24 next-hop st0.102;
route 192.168.103.0/24 next-hop st0.103;

This works OK for traffic between the identical zones in datacenters A and B.
The problem is traffic to/from different zones in different datacenters.

For example, datacenter A, zone 100 to datacenter B, zone 201:
The outgoing connection will take tunnel st0.201 to st0.101 in datacenter B.
But the incoming answer will go through tunnel st0.100 to st0.200.
The router in datacenter A will reject this asymmetric traffic.

On the SSGs we've disabled reverse routing from the tunnels with the following command:

unset flow reverse-route tunnel

This worked fine and made writing policies a lot easier.
I have a lot of policies between the different zones.

Now, how do I realize the same setup with the Junos SRX routers?

The only solution I can think of is combining the 4 VPNs into a single VPN and a new VPN zone.
But this also means I have to duplicate all my policies to include this new zone.

Is there any other solution which would resemble the SSG setup like above?

Thanks in advance,

Wolter Kamphuis
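The path asymmetry described in the post, reproduced as an added example (not the poster's own code or a Junos configuration): it runs longest-prefix lookups over the two route tables given above, follows each packet through its tunnel, and flags every zone pair whose reply comes back on a different st0 interface than the request left on. It assumes that st0.20x in datacenter A terminates on st0.10x in datacenter B, and that zone 10x in A is 192.168.10x.0/24 (inferred from B's routes); the post's own tunnel list mixes the numbering, so that pairing is an assumption.

```python
import ipaddress
from itertools import product

# Constructed from the post: static routes at each datacenter, destination prefix -> next-hop st0.
ROUTES = {
    "A": {f"192.168.20{z}.0/24": f"st0.20{z}" for z in range(4)},
    "B": {f"192.168.10{z}.0/24": f"st0.10{z}" for z in range(4)},
}
# ASSUMPTION: tunnel st0.20x in A terminates on st0.10x in B (and vice versa).
PEER = {f"st0.20{z}": f"st0.10{z}" for z in range(4)}
PEER.update({b: a for a, b in PEER.items()})
# Local zone subnets, inferred from the far side's routes (assumption).
ZONES = {"A": {f"192.168.10{z}.0/24": 100 + z for z in range(4)},
         "B": {f"192.168.20{z}.0/24": 200 + z for z in range(4)}}


def lookup(site, dst):
    """Longest-prefix match over a site's routes; None means locally connected."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifc in ROUTES[site].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def session_check(src_site, src, dst_site, dst):
    """Follow request and reply through the tunnels. The initiating firewall expects the
    reply on the same tunnel the request left on; otherwise the flow is asymmetric."""
    egress = lookup(src_site, dst)           # tunnel the request leaves on
    ingress = PEER[egress]                   # tunnel it arrives on at the far site
    reply_egress = lookup(dst_site, src)     # tunnel the reply leaves on
    reply_ingress = PEER[reply_egress]       # tunnel the reply arrives on back home
    return {"egress": egress, "ingress": ingress, "reply_egress": reply_egress,
            "reply_ingress": reply_ingress, "symmetric": reply_ingress == egress}


def asymmetric_zone_pairs():
    """Every (A zone, B zone) combination whose return path uses a different tunnel."""
    bad = []
    for (pa, za), (pb, zb) in product(ZONES["A"].items(), ZONES["B"].items()):
        src = str(ipaddress.ip_network(pa)[10])   # constructed sample host in each zone
        dst = str(ipaddress.ip_network(pb)[10])
        if not session_check("A", src, "B", dst)["symmetric"]:
            bad.append((za, zb))
    return bad
```

With four zones per site, only the four same-numbered zone pairs are symmetric; the other twelve pairs reproduce the st0.201-out, st0.200-back mismatch from the post.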

