
Routing IP Pool on single armed SA

sjainssn_
Occasional Contributor


Hi,

I am planning to deploy a SA4500 in single armed mode. For routing traffic back to the VPN IP pool, should the route point to the interface IP address as the default gateway or the Server IP address?

IMHO, Juniper should update the documentation regarding "Server IP address" where it says it should be changed only on Juniper Support instructions. It creates a false impression that 10.200.200.200 is somehow hardcoded in the OS for a certain purpose.

Thanks!

4 REPLIES
rdit_
Regular Contributor

Re: Routing IP Pool on single armed SA

Do you really need to manually add routes for that? The IVE knows where to route the traffic when it goes to the VPN(NC)-IP-Pool. I only have the two default routes, and my NC-IP-Pool is completely different from the subnet in which the IVE is connected.

sjainssn_
Occasional Contributor

Re: Routing IP Pool on single armed SA

How do other routers in the network, especially the upstream router, know where to send the return traffic for the VPN(NC)-IP-Pool?

rdit_
Regular Contributor

Re: Routing IP Pool on single armed SA

Legend for the following explanation:

192.168.1.0/24 = NC-IP-Pool

10.1.1.1 = firewall

192.168.2.3 = IVE Virt IP

All routers have their route to the core router...

The core router has its route to the firewall:

192.168.1.0/24 [1/0] via 10.1.1.1

The firewall routes the traffic directly to the IVE's virtual IP:

192.168.1.0/24 via 192.168.2.3

hope this helps

edit: or what do you mean by return traffic?

sjainssn_
Occasional Contributor

Re: Routing IP Pool on single armed SA

Let's add in the assumptions that:

192.168.2.2 = IP of IVE internal interface

Ok, so we were talking about the same thing :) My question was where does the firewall, in the example you gave, point at as gateway for 192.168.1.0/24. Is it 192.168.2.3 (IVE Virt IP) or 192.168.2.2 (IVE Internal Interface IP)?

And so, you answered my query. Thanks!

By return traffic, I mean an IVE user, say 192.168.1.10, will have their packet routed to a destination, say 10.2.2.2, but then without proper routes added for 192.168.1.0/24, the responses won't get routed back from 10.2.2.2 to 192.168.1.10.
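To make the two posts above concrete (rdit_'s static routes and the return-path failure sjainssn_ describes), here is an added example that is not part of the thread: a small longest-prefix-match route tracer over a constructed topology built from the thread's legend. The addresses 192.168.1.0/24, 10.1.1.1, 192.168.2.2 and 192.168.2.3 come from the thread; the device names, the core router's and firewall's own addresses (10.2.2.1, 10.1.1.2, 192.168.2.1), the 10.2.2.0/24 host subnet and the ISP hop 203.0.113.1 are assumptions made for this example. It traces the reply from 10.2.2.2 back to NC client 192.168.1.10 once with the firewall's pool route in place and once with it removed.

```python
import ipaddress

# Constructed topology (assumption: not taken from the thread beyond the legend).
# device name -> (addresses the device answers to, routing table as (prefix, next hop))
# "connected" means the device delivers the packet itself; "drop" means discard.
DEVICES = {
    "host-10.2.2.2": ({"10.2.2.2"}, [("0.0.0.0/0", "10.2.2.1")]),
    "core-router": ({"10.2.2.1", "10.1.1.2"}, [
        ("10.2.2.0/24", "connected"),
        ("192.168.1.0/24", "10.1.1.1"),     # NC pool -> firewall (rdit_'s core route)
        ("0.0.0.0/0", "10.1.1.1"),          # assumed default also via the firewall
    ]),
    "firewall": ({"10.1.1.1", "192.168.2.1"}, [
        ("10.1.1.0/24", "connected"),
        ("192.168.2.0/24", "connected"),
        ("192.168.1.0/24", "192.168.2.3"),  # NC pool -> IVE virtual IP (rdit_'s firewall route)
        ("0.0.0.0/0", "203.0.113.1"),       # assumed default route towards the ISP
    ]),
    # The one-armed IVE owns both its interface IP and its virtual IP; the NC
    # pool is terminated on the IVE, which hands packets into the SSL tunnel.
    "ive": ({"192.168.2.2", "192.168.2.3"}, [
        ("192.168.2.0/24", "connected"),
        ("192.168.1.0/24", "connected"),
        ("0.0.0.0/0", "192.168.2.1"),
    ]),
    # RFC 1918 space is not routed on the Internet, so the ISP hop discards it.
    "isp": ({"203.0.113.1"}, [("0.0.0.0/0", "drop")]),
}


def lookup(table, dst):
    """Longest-prefix match of dst against a routing table; None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def owner(ip, devices):
    """Which device answers to a next-hop address (None if nobody does)."""
    for name, (addrs, _) in devices.items():
        if ip in addrs:
            return name
    return None


def trace(src_device, dst, devices, max_hops=10):
    """Hop-by-hop path of a packet to dst, starting on src_device.

    The list ends with the device that delivers the packet, or with the
    string 'dropped' when a hop has no usable route for it.
    """
    path = [src_device]
    current = src_device
    for _ in range(max_hops):
        _, table = devices[current]
        next_hop = lookup(table, dst)
        if next_hop == "connected":
            return path
        if next_hop in (None, "drop"):
            path.append("dropped")
            return path
        current = owner(next_hop, devices)
        if current is None:            # next hop is not on any known device
            path.append("dropped")
            return path
        path.append(current)
    path.append("loop")
    return path


def without_route(devices, device, prefix):
    """Copy of the topology with one static route removed from one device."""
    new = dict(devices)
    addrs, table = devices[device]
    new[device] = (addrs, [r for r in table if r[0] != prefix])
    return new


if __name__ == "__main__":
    # Reply from 10.2.2.2 to NC client 192.168.1.10 with all routes in place.
    print(trace("host-10.2.2.2", "192.168.1.10", DEVICES))
    # Same reply when the firewall lacks the pool route: it follows the default
    # route towards the ISP and never reaches the IVE.
    broken = without_route(DEVICES, "firewall", "192.168.1.0/24")
    print(trace("host-10.2.2.2", "192.168.1.10", broken))
```

In this constructed topology the core router's default route already points at the firewall, so removing the core's pool route changes nothing; the decisive route is on the firewall, the last hop whose default would otherwise carry the pool traffic away from the IVE. The next hop there is the IVE's virtual IP (192.168.2.3), as the thread concludes.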