I am planning to deploy a SA4500 in single armed mode. For routing traffic back to the VPN IP pool, should the route point to the interface IP address as the default gateway or the Server IP address?
IMHO, Juniper should update the documentation regarding "Server IP address" where it says it should be changed only on Juniper Support instructions. It creates a false impression that 10.200.200.200 is somehow hardcoded in the OS for a certain purpose.
Do you really need to manually add routes for that? The IVE knows where to route the traffic to when it goes to the VPN(NC)-IP-Pool. I only have the two default routes and my NC-IP-Pool is completely different from the subnet in which the IVE is connected.
How do other routers in the network especially the upstream router know where to send the return traffic for the VPN(NC)-IP-Pool?
Legend for the following explanation:
192.168.1.0/24 = NC-IP-Pool
10.1.1.1 = firewall
192.168.2.3 = IVE Virt IP
All routers have their route to the core router...
The core router has its route to the firewall:
192.168.1.0/24 [1/0] via 10.1.1.1
The firewall routes the traffic directly to the IVE's virtual IP:
192.168.1.0/24 via 192.168.2.3
Hope this helps.
Edit: or what do you mean by return traffic?
Let's add in the assumptions that:
192.168.2.2 = IP of IVE internal interface
Ok, so we were talking about the same thing. My question was where the firewall, in the example you gave, points at as gateway for 192.168.1.0/24. Is it 192.168.2.3 (IVE Virt IP) or 192.168.2.2 (IVE Internal Interface IP)?
And so, you answered my query. Thanks!
By return traffic, I mean an IVE user, say 192.168.1.10, will have their packet routed to a destination, say 10.2.2.2, but then without proper routes added for 192.168.1.0/24, the responses won't get routed back from 10.2.2.2 to 192.168.1.10.
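The hop-by-hop picture described in the thread (core router -> firewall -> IVE virtual IP for the NC pool) can be checked with a small forwarding simulation. The following is an added example written for this page, not code from Juniper or from any poster. It reuses the thread's legend (192.168.1.0/24 = NC pool, 10.1.1.1 = firewall, 192.168.2.3 = IVE virtual IP, 192.168.2.2 = IVE internal interface, 192.168.1.10 = NC client, 10.2.2.2 = destination server); the core router's addresses (10.1.1.254, 10.2.2.1), the firewall's DMZ-side address (192.168.2.1) and every routing table are assumptions made for the simulation. It does longest-prefix lookup at each device and traces both the forward path and the return path, then shows what happens when the pool route is missing on the core router (no route) or on the firewall (the default routes bounce the packet between core and firewall).

```python
"""Trace a packet through a simulated network to check the return path for an
NC IP pool.  Added example for the thread above; addresses not given in the
thread's legend, and all routing tables, are assumptions."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# From the thread's legend
NC_POOL = "192.168.1.0/24"
FIREWALL_INSIDE = "10.1.1.1"
IVE_VIRT = "192.168.2.3"
IVE_INT = "192.168.2.2"
NC_CLIENT = "192.168.1.10"
SERVER = "10.2.2.2"
# Assumed for the simulation (not in the thread)
CORE_FW_SIDE = "10.1.1.254"
CORE_SERVER_SIDE = "10.2.2.1"
FIREWALL_DMZ = "192.168.2.1"


class Device:
    """A host or router with addresses and a static routing table."""

    def __init__(self, name: str, addresses: List[str],
                 routes: List[Tuple[str, Optional[str]]]):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # (prefix, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p),
                        ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (prefix, next_hop) or None."""
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda m: m[0].prefixlen, default=None)


def build_network(core_has_pool_route: bool = True,
                  firewall_has_pool_route: bool = True) -> Dict[str, Device]:
    """Assumed topology: server - core - firewall - IVE ~tunnel~ NC client."""
    core_routes = [("10.2.2.0/24", None), ("10.1.1.0/24", None)]
    if core_has_pool_route:
        core_routes.append((NC_POOL, FIREWALL_INSIDE))   # via the firewall
    fw_routes = [("10.1.1.0/24", None), ("192.168.2.0/24", None),
                 ("0.0.0.0/0", CORE_FW_SIDE)]
    if firewall_has_pool_route:
        fw_routes.append((NC_POOL, IVE_VIRT))            # via IVE virtual IP
    devices = [
        Device("server", [SERVER],
               [("10.2.2.0/24", None), ("0.0.0.0/0", CORE_SERVER_SIDE)]),
        Device("core", [CORE_SERVER_SIDE, CORE_FW_SIDE], core_routes),
        Device("firewall", [FIREWALL_INSIDE, FIREWALL_DMZ], fw_routes),
        # The IVE owns both its interface IP and the virtual IP and
        # terminates the NC pool (modelled as a connected route).
        Device("ive", [IVE_INT, IVE_VIRT],
               [("192.168.2.0/24", None), (NC_POOL, None),
                ("0.0.0.0/0", FIREWALL_DMZ)]),
        # NC client: everything goes into the tunnel towards the IVE.
        Device("nc-client", [NC_CLIENT], [("0.0.0.0/0", IVE_VIRT)]),
    ]
    return {d.name: d for d in devices}


def trace(network: Dict[str, Device], src: str, dst_ip: str,
          max_hops: int = 16) -> Tuple[str, List[str]]:
    """Forward a packet hop by hop; returns (status, list of device names)."""
    dst = ipaddress.ip_address(dst_ip)
    owner = {a: d for d in network.values() for a in d.addresses}
    dev = network[src]
    path = [dev.name]
    for _ in range(max_hops):
        if dst in dev.addresses:
            return ("delivered", path)
        route = dev.lookup(dst)
        if route is None:
            return (f"no route on {dev.name}", path)
        prefix, next_hop = route
        target = dst if next_hop is None else next_hop
        nxt = owner.get(target)
        if nxt is None:
            return (f"next hop {target} unreachable from {dev.name}", path)
        if nxt.name in path:
            return ("routing loop", path + [nxt.name])
        dev = nxt
        path.append(dev.name)
    return ("hop limit exceeded", path)


if __name__ == "__main__":
    net = build_network()
    print("forward:", trace(net, "nc-client", SERVER))
    print("return :", trace(net, "server", NC_CLIENT))
    print("no core route:", trace(build_network(core_has_pool_route=False),
                                  "server", NC_CLIENT))
    print("no fw route  :", trace(build_network(firewall_has_pool_route=False),
                                  "server", NC_CLIENT))
```

The forward direction works with nothing but default routes, which is why the IVE itself never needs extra routes for the pool; the return direction only works when every hop between the destination and the IVE has a route for 192.168.1.0/24, and with default routes in place a missing entry shows up as a loop rather than a clean drop.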