VPNs

  • Enhancements to increase traffic selector flexibility (SRX5400, SRX5600, and SRX5800)—Starting in Junos OS Release 21.1R1, you can do the following to add flexibility to your traffic selectors in different deployment scenarios:

    • Configure the routing metric for a traffic selector.

    • Define the source port range, destination port range, and protocol for a traffic selector.

    • Define multiple terms within a traffic selector, instead of creating multiple traffic selectors (or child security associations or SAs) for a VPN. Each term comprises the local and remote IP prefixes, the source and destination port ranges, and the protocol identifier. You can use these parameters in a single IPsec SA negotiation. In earlier Junos OS releases, you configure each traffic selector with one set of local and remote IP prefixes to be used in an IPsec SA negotiation with a peer.

    This feature is supported only if the junos-ike package is installed on your device.

    We recommend that you configure the same metric value if you define multiple traffic selectors under the same [edit security ipsec vpn vpn_name] hierarchy level with the same value for remote-ip ip-address/netmask. If you configure different metric values, the metric value of the installed st0 route is the same as that of the traffic selector that is negotiated or installed first.

    [See traffic-selector and show security ipsec security-associations detail.]

  • Support for BGP MVPN (Junos fusion for provider edge)—Starting in Junos OS Release 21.1R1, Junos fusion for provider edge supports BGP multicast VPN (MVPN). BGP MVPN is a method for implementing multiprotocol multicast services over a BGP MPLS Layer 3 VPN. Junos fusion for provider edge supports the connection of a BGP-based MVPN customer edge (CE) device on the extended ports of the satellite device in Junos fusion for provider edge.

    [See Junos Fusion Provider Edge Supported Protocols.]

  • Support for interprovider and carrier-of-carrier VPNs (Junos fusion for provider edge)—Starting in Junos OS Release 21.1R1, Junos fusion for provider edge supports Interprovider and Carrier-of-Carrier VPNs. The Carrier-of-Carrier VPN service describes a hierarchical VPN (also known as a recursive VPN) model where one carrier (VPN service customer) transports its VPN traffic inside another carrier’s VPN (VPN service provider). Junos fusion for provider edge currently supports provider edge (PE) routers for VPN service customers. In Junos OS Release 21.1R1, we introduce support for PE routers for VPN service providers along with VPN service customers.

    Interprovider VPNs provide connectivity between different service providers that are using separate autonomous systems (ASs) or one service provider that is using different ASs for different geographic locations. For Interprovider VPNs, Junos fusion for provider edge supports only intra-AS connection on an AS boundary router (ASBR) to the extended port.

    [See Junos Fusion Provider Edge Supported Protocols.]

  • Increased tunnel scaling (vSRX 3.0)—Starting in Junos OS Release 21.1R1, vSRX 3.0 is supported by a new architecture, similar to that of the SRX5000 line of devices with SPC3, which increases the tunnel scale.

    vSRX 3.0 instances support the IPsec VPN features that are supported on the SRX5000 line of devices with SPC3 (SRX5K-SPC3).

    By default, when vSRX 3.0 boots up, the legacy architecture is executed. To enable the new architecture, you must load and install a new package, junos-ike. Junos OS releases include this package, but its installation is optional. As an administrator, you must execute the request system software add optional://junos-ike.tgz command to load the junos-ike package.

    [See IPsec VPN Features and Configurations Not Supported on SRX5K-SPC3 and vSRX Instances.]
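
The metric recommendation for traffic selectors (same VPN, same remote-ip, same metric) can be checked offline against an exported configuration. The following Python is an added example, not Juniper code; the set-style line layout is assumed from the statement names on this page, and all VPN names, selector names, and prefixes in the sample are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "set" form. The keyword layout (vpn, traffic-selector,
# remote-ip, metric) is an assumption based on the statement names on this page.
SAMPLE_CONFIG = """\
set security ipsec vpn VPN-A traffic-selector TS1 local-ip 10.1.0.0/16
set security ipsec vpn VPN-A traffic-selector TS1 remote-ip 192.0.2.0/24
set security ipsec vpn VPN-A traffic-selector TS1 metric 10
set security ipsec vpn VPN-A traffic-selector TS2 local-ip 10.2.0.0/16
set security ipsec vpn VPN-A traffic-selector TS2 remote-ip 192.0.2.0/24
set security ipsec vpn VPN-A traffic-selector TS2 metric 20
set security ipsec vpn VPN-A traffic-selector TS3 local-ip 10.3.0.0/16
set security ipsec vpn VPN-A traffic-selector TS3 remote-ip 198.51.100.0/24
set security ipsec vpn VPN-B traffic-selector TS1 local-ip 10.4.0.0/16
set security ipsec vpn VPN-B traffic-selector TS1 remote-ip 192.0.2.0/24
set security ipsec vpn VPN-B traffic-selector TS1 metric 30
"""

LINE = re.compile(
    r"^set security ipsec vpn (\S+) traffic-selector (\S+) (remote-ip|metric) (\S+)$"
)

def find_metric_conflicts(config_text):
    """Return {(vpn, remote_prefix): {selector: metric}} where metrics differ."""
    selectors = defaultdict(dict)  # (vpn, selector) -> {"remote-ip": .., "metric": ..}
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            vpn, ts, key, value = m.groups()
            selectors[(vpn, ts)][key] = value
    groups = defaultdict(dict)
    for (vpn, ts), attrs in selectors.items():
        if "remote-ip" not in attrs:
            continue  # selectors defined only through terms are out of scope here
        # Normalize so 192.0.2.7/24 and 192.0.2.0/24 compare as the same prefix.
        prefix = str(ipaddress.ip_network(attrs["remote-ip"], strict=False))
        # None means no explicit metric; it is treated as differing from any set value.
        groups[(vpn, prefix)][ts] = int(attrs["metric"]) if "metric" in attrs else None
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    for (vpn, prefix), metrics in sorted(find_metric_conflicts(SAMPLE_CONFIG).items()):
        print(f"{vpn}: remote-ip {prefix} has differing metrics {metrics}")
```

Selectors in different VPNs are never compared with each other, because the recommendation applies only within one [edit security ipsec vpn vpn_name] hierarchy level.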