Implementing a Routing Scheme for VPNs
You must configure a routing scheme in the VPN that ensures that all members in the VPN can reach each other and that does not require changes as members are added to and removed from the VPN. If a VPN is used as an intranet, you can achieve this goal by configuring static routes in the VPN or by configuring routing protocols appropriately.
If, however, the VPN is exported as an extranet, some members of the VPN may use private or conflicting address schemes. In addition, if the VPN has a large number of potential members, configuring static routing or routing protocols for all potential members may not be a manageable proposition. In these last two cases, we recommend that you use public addresses in the VPN and have VPN members implement NAT for traffic destined for the VPN (see Overview of Services for Enterprise Manager Portal).
VPNs use private IP addresses. If, however, enterprises that you administer export VPNs to extranet clients, you must ensure that the extranet clients can reach the IP addresses that the VPNs use. To implement an address scheme that works for all subscribers who have access to a VPN, we recommend that you implement NAT on the JUNOS routing platform. IT managers in the retailers and enterprises who own the VPNs can then map private IP addresses in the VPNs to public IP addresses, which extranet clients can reach.
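
The address planning described above, as an added example that is not part of the original documentation: it flags VPN members whose private prefixes conflict and maps each member's prefix one-to-one onto a public pool, which is the translation a member's NAT would apply. The member names, prefixes, the 198.51.100.0/24 documentation pool and the allocation strategy are all assumptions made for illustration, not JUNOS or SRC behavior.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: two members reuse 10.0.0.0, so they conflict.
MEMBERS = {
    "retailer-a": "10.0.0.0/26",
    "retailer-b": "10.0.0.0/27",
    "supplier-c": "192.168.1.0/26",
}
POOL = "198.51.100.0/24"  # documentation range standing in for public space

def find_conflicts(members):
    """Return sorted (member_a, member_b) pairs whose private prefixes overlap."""
    nets = {name: ipaddress.ip_network(p) for name, p in members.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def allocate_public(members, pool):
    """Give each member a same-size, non-overlapping public prefix from pool."""
    pool_net = ipaddress.ip_network(pool)
    cursor = int(pool_net.network_address)
    plan = {}
    # Largest prefixes first, so each allocation stays aligned to its own size.
    for name, prefix in sorted(members.items(),
                               key=lambda kv: ipaddress.ip_network(kv[1]).prefixlen):
        private = ipaddress.ip_network(prefix)
        size = private.num_addresses
        cursor = (cursor + size - 1) // size * size  # round up to alignment
        public = ipaddress.ip_network((cursor, private.prefixlen))
        if not public.subnet_of(pool_net):
            raise ValueError(f"public pool {pool} exhausted at member {name}")
        plan[name] = (private, public)
        cursor += size
    return plan

def translate(plan, member, private_ip):
    """Static 1:1 NAT: keep the host offset, swap private prefix for public."""
    private, public = plan[member]
    addr = ipaddress.ip_address(private_ip)
    if addr not in private:
        raise ValueError(f"{private_ip} is outside {member}'s prefix {private}")
    offset = int(addr) - int(private.network_address)
    return str(public.network_address + offset)

if __name__ == "__main__":
    print("conflicting members:", find_conflicts(MEMBERS))
    plan = allocate_public(MEMBERS, POOL)
    for name, (private, public) in plan.items():
        print(f"{name}: {private} -> {public}")
```

After translation, the same private host address 10.0.0.5 in retailer-a and retailer-b appears in the VPN as two distinct public addresses, so routing in the VPN does not change when a member with a conflicting private scheme is added.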