02-01-2012 02:40 AM
We have to connect two sites with a VPN, and we want to use the SRX220 appliances. We want to have full redundancy, so we are planning to have two SRX220s at both sites, configured as an HA chassis cluster. We also want two internet connections, to be able to keep internet connectivity if one of the two links does not work for any reason (no routing protocols).
As far as we know, we should also be able to configure two VPN tunnels, so that one tunnel uses ISP1 and the second tunnel uses ISP2, at both sites, to achieve VPN connection redundancy. Then, using routing preferences and firewall filters, we should be able to manage traffic in and out of the VPN, or maybe use a dynamic routing protocol over the two VPN links at both sites.
Can you confirm this architecture? Has somebody implemented this configuration? Any warnings?
Thank you in advance.
02-06-2012 08:15 AM
If you are planning to have two ISPs at both sites, then you will have to create 4 IKE gateways and 4 VPNs.
ISP1 local site to ISP1 remote site
ISP1 local site to ISP2 remote site
ISP2 local site to ISP1 remote site
ISP2 local site to ISP2 remote site
You can use route preference or qualified next-hop. You will also have to use VPN monitor to detect link failure.
Let me know if you have any questions.
02-10-2012 12:20 AM
Thank you for the answer. I was thinking quite the same, except that, to reduce complexity, I would build just two tunnels instead of four.