Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] Understanding NSM VPN manager feature: "Single tunnel interface and NHTB entries".

0

0

Article ID: KB11270 KB Last Updated: 18 Oct 2020Version: 5.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
In NSM VPN manager, when adding a new device to the VPN entry there is an option to enable/disable  "Single tunnel interface" and "Create NHTB entries".
Symptoms:
NSM generates multiple tunnel interfaces instead of a single tunnel interface for a VPN manager topology.
Solution:
For a route based VPN, NSM generates by default a new tunnel interface for each VPN gateway.  This can be limiting and is not effective.

In order to enable multiple VPN gateways to share the same tunnel interface, enable the "Single tunnel interface" option when adding your security device in the VPN topology.

When binding multiple VPN gateways to a tunnel interface, ScreenOS needs to know which VPN gateway the traffic is going to be sent to when the destination interface is a tunnel interface.  The use of "NHTB entries" is required to allow ScreenOS to lookup a remote tunnel IP address in the next-hop table.   

The NHTB entry is a one-to-one correspondence between a remote tunnel IP address and the local VPN gateway name to be used.     By using the NHTB entry IP address in a gateway field of the route entry to that destination network, ScreenOS will be able to route correctly the traffic to the corresponding VPN gateway.

The option "Create NHTB entries" in VPN manager allows NSM to automatically generate the static next-hop table needed to forward the traffic using a single tunnel interface.

In summary, when using "Single tunnel interface" also enable "Create NHTB entries" so the firewall can forward the traffic in the VPN tunnel using a single interface.
Modification History:
2020-10-18: Tagged article for EOL/EOE.
 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search