SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IPSEC failover configuration.

    Posted 03-29-2011 07:25

    Hi all,

    I have an SRX-100 device with Junos [10.2R3.10].

    A few IPsec VPNs (policy-based) are defined on this device.

    One IPsec tunnel is very important; on the other side there are two ISPs with two VPN routers. Is it possible to define an IPsec VPN on the SRX-100 with 2 gateways, so that if the primary doesn't work all traffic goes to the second gateway?

    Thanks.


    #vpn


  • 2.  RE: IPSEC failover configuration.

    Posted 03-29-2011 08:22

    Yes, switch from policy-based VPN to a route-based VPN. Then you can create two routes with different metrics; if the first VPN goes down, it will switch to the second one.



  • 3.  RE: IPSEC failover configuration.

    Posted 03-31-2011 07:57

    Hi,

    when I try to set a second route I get an equal metric for both routes:

    What should I change?


    user@srx# show routing-options 
    static {
        route 192.168.5.0/24 {
            next-hop [ st0.0 st0.1 ];
            metric 20;
        }
    }



  • 4.  RE: IPSEC failover configuration.

    Posted 03-31-2011 08:02

    Define the second tunnel as a qualified-next-hop.

    You'll also want to make sure that st0.0 goes "Down" when the tunnel goes down. VPN Monitoring can be used for this, or you can experiment with DPD (Dead Peer Detection).
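    The following is an added, complete configuration illustrating the route-based design that replies 2 through 4 describe (two st0 units, a qualified-next-hop backup route, VPN monitoring plus DPD so st0.0 actually goes down). It is not configuration posted in this thread. The gateway, VPN and policy names, the IKE/IPsec policies they refer to, the zone name and the RFC 5737 peer addresses are constructed placeholders; the security policies between the trust zone and the vpn zone are assumed to exist.

```junos
/* Added example, not from the thread. Names, IKE/IPsec policy names and the
   RFC 5737 peer addresses are constructed placeholders. */
interfaces {
    st0 {
        unit 0 {
            family inet;                 /* tunnel to peer A (primary ISP) */
        }
        unit 1 {
            family inet;                 /* tunnel to peer B (backup ISP) */
        }
    }
}
security {
    ike {
        gateway GW-PEER-A {
            ike-policy IKE-POL;          /* assumed to exist */
            address 203.0.113.10;        /* constructed: peer A */
            dead-peer-detection {
                always-send;             /* probe even while traffic flows */
                interval 10;
                threshold 3;             /* three missed probes = peer dead */
            }
            external-interface ge-0/0/0.0;
        }
        gateway GW-PEER-B {
            ike-policy IKE-POL;
            address 198.51.100.10;       /* constructed: peer B */
            dead-peer-detection {
                always-send;
                interval 10;
                threshold 3;
            }
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        vpn VPN-PEER-A {
            bind-interface st0.0;        /* route-based: tunnel is st0.0 */
            vpn-monitor {
                optimized;               /* skip probes while traffic already flows */
            }
            ike {
                gateway GW-PEER-A;
                ipsec-policy IPSEC-POL;  /* assumed to exist */
            }
            establish-tunnels immediately;
        }
        vpn VPN-PEER-B {
            bind-interface st0.1;
            vpn-monitor {
                optimized;
            }
            ike {
                gateway GW-PEER-B;
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
    zones {
        security-zone vpn {              /* constructed zone name */
            interfaces {
                st0.0;
                st0.1;
            }
        }
    }
}
routing-options {
    static {
        route 192.168.5.0/24 {
            next-hop st0.0;              /* preferred path, default metric */
            qualified-next-hop st0.1 {
                metric 30;               /* only active while st0.0 is down */
            }
        }
    }
}
```

    The point of vpn-monitor here is that when the monitored pings through st0.0 fail, the SRX marks st0.0 down, so the primary static route is withdrawn and only the qualified-next-hop via st0.1 remains. When st0.0 comes back up the route with the lower metric is reinstalled and traffic returns to the primary automatically; that is the difference from the multi-address gateway approach described later in the thread, which does not fail back on its own. Useful checks after committing: show interfaces st0.0 terse, show security ipsec security-associations, and show route 192.168.5.0/24 to confirm which next hop is active.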



  • 5.  RE: IPSEC failover configuration.

    Posted 04-25-2011 21:43

    Hi,

    I have configured it the same way as you said: the second tunnel's next-hop is a qualified next-hop. After doing that it is not stable;

    the tunnel changes automatically.

    How do I solve this?

    Maung Tan


    @motd wrote:

    Yes, switch from policy-based VPN to a route-based VPN. Then you can create two routes with different metrics; if the first VPN goes down, it will switch to the second one.




  • 6.  RE: IPSEC failover configuration.
    Best Answer

    Posted 03-31-2011 08:43

    Another option you can try is specifying multiple peer addresses in the IKE Gateway. What happens there is it will choose the first gateway, and perform IPsec negotiations to that IP. If DPD heartbeats are successfully being sent between the two, the VPN will stay up, and failover will not occur. However, once DPD fails, then it will trigger a negotiation to the second IP (since the first IP is considered down).

    Example:


    gateway P1-gw {
        ike-policy P1;
        address [ 172.22.145.194 172.22.145.195 ];
        dead-peer-detection {
            always-send;
            interval 10;
        }
        external-interface ge-0/0/0.0;
    }

    In addition to this, you need to make sure you have establish-tunnels immediately configured, so that when the failure occurs, interesting traffic will get sent through the tunnel and build the IPsec tunnel to the second peer.

    Warning: There is one gotcha with this. The failover mechanism may work, and the VPN traffic will pass on the backup. However, once the primary connection is regained, it will not fail back. This is because there is no preempt mechanism with this feature. The only way the failback will occur is if the secondary connection loses DPD, which forces a failover back to the original.

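    As an added illustration (not configuration from this post), here is the security ipsec vpn stanza that pairs with the P1-gw gateway shown above, with the establish-tunnels immediately setting the reply says is required. The VPN name, the st0.0 binding and the ipsec-policy name are constructed placeholders; the gateway name and its two peer addresses are the ones from the example above.

```junos
/* Added example, not from the post. P1-vpn, st0.0 and the ipsec-policy name
   are constructed placeholders; P1-gw is the gateway defined above. */
security {
    ipsec {
        vpn P1-vpn {
            bind-interface st0.0;            /* one tunnel interface, two candidate peers */
            ike {
                gateway P1-gw;               /* address [ 172.22.145.194 172.22.145.195 ] */
                ipsec-policy P1;             /* assumed to exist */
            }
            establish-tunnels immediately;   /* renegotiate to the next address as soon as
                                                DPD declares the current peer dead, instead
                                                of waiting for interesting traffic */
        }
    }
}
```

    To see which of the two addresses the tunnel is currently built to, check show security ike security-associations and show security ipsec security-associations; the remote address listed there is the active peer. Because the caveat above means the tunnel stays on .195 after .194 recovers, that output is also where a failback (or the lack of one) becomes visible.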



  • 7.  RE: IPSEC failover configuration.

    Posted 04-01-2011 03:30

    Hi,

    Thanks, I will try your suggestion.

    Zigmunds