SRX Services Gateway
Regular Visitor
strion
Posts: 5
Registered: ‎11-08-2010
Question about site to site vpn with two ISP on every site.

Hi everyone,

We have to connect two sites with a VPN, and we want to use SRX220 appliances. We want full redundancy, so we are planning to have two SRX220s at each site configured as an HA chassis cluster. We also want two Internet connections, to be able to keep Internet connectivity if one of the two links does not work for any reason (no routing protocols).

As far as we know, we should also be able to configure two VPN tunnels, so that one tunnel uses ISP1 and the second uses ISP2, at both sites, to achieve VPN redundancy. Then, using routing preferences and firewall filters, we should be able to manage traffic in and out of the VPN, or maybe use a dynamic routing protocol over the two VPN links at both sites.

Can you confirm this architecture? Has anybody implemented this configuration? Any warnings?

Thank you in advance.

Strion.

Juniper Employee
Ajay
Posts: 8
Registered: ‎02-27-2009

Re: Question about site to site vpn with two ISP on every site.

If you are planning to have two ISPs on both sites, then you will have to create 4 IKE gateways and 4 VPNs:

ISP1 local site to ISP1 remote site
ISP1 local site to ISP2 remote site
ISP2 local site to ISP1 remote site
ISP2 local site to ISP2 remote site

You can use route preference or qualified-next-hop. You will also have to use VPN monitor to detect link failure.


Let me know if you have any questions.

AJ
Regular Visitor
strion
Posts: 5
Registered: ‎11-08-2010

Re: Question about site to site vpn with two ISP on every site.

Hi Ajay,

Thank you for the answer. I was thinking quite the same, except that, to reduce complexity, I would build just two tunnels instead of four.

Strion.

Visitor
joshking1
Posts: 3
Registered: ‎07-23-2014

Re: Question about site to site vpn with two ISP on every site.

Hi Strion,

How did you get on with this, please?

I am looking at a similar implementation and want to know whether this worked OK for you.


Regards,

Josh

Super Contributor
c_r
Posts: 125
Registered: ‎04-14-2013

Re: Question about site to site vpn with two ISP on every site.

The implementation would consist of two steps:

1. ISP failover

2. Subsequent VPN failover

A simple solution would be to have:

ISP1 on Site A establish a VPN with ISP2 on Site B -- VPN1

ISP2 on Site A establish a VPN with ISP2 on Site B -- VPN2

Have ISP2 on both ends as the backup ISP.

But for the VPN peers, write a specific route through the specific ISP.

Build both as route-based tunnels.

Let us say the subnet behind Site A is A and the subnet behind Site B is B.

VPN1 is bound to st0.0

VPN2 is bound to st0.1

Write routes like below:

On Site A:

## B = prefix behind Site B; ISP-1-site-B / ISP-2-site-B = Site B's public peer addresses;
## ISP1 / ISP2 = Site A's upstream gateway addresses. Static preference defaults to 5,
## so preference 10 makes st0.1 the backup path.
set routing-options static route B next-hop st0.0
set routing-options static route B qualified-next-hop st0.1 preference 10
set routing-options static route ISP-1-site-B next-hop ISP1
set routing-options static route ISP-2-site-B next-hop ISP2


Regards,

c_r

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

 

Regular Visitor
strion
Posts: 5
Registered: ‎11-08-2010

Re: Question about site to site vpn with two ISP on every site.

Yes, I also used equal-cost multipath routing and OSPF.

Trusted Expert
rparthi
Posts: 436
Registered: ‎08-26-2011

Re: Question about site to site vpn with two ISP on every site.

Hi strion,

Yes, you need to configure two VPNs between these two devices:

ISP1 to ISP1
ISP2 to ISP2

Then you can play with dynamic routing protocols to route the traffic across the primary link using cost metrics.

Also, the following KB article explains the dual-ISP VPN scenario:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB29227

Regards,
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
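rparthi's suggestion (a dynamic routing protocol over both tunnels, steered with cost metrics) and the equal-cost multipath variant strion reports using, as a Junos OSPF configuration for Site A. This is an added example, not rparthi's or Juniper's configuration and not the contents of the linked KB article. It assumes a Site A that already has two route-based tunnels, st0.0 over ISP1 at 10.255.0.1/30 and st0.1 over ISP2 at 10.255.0.5/30, the local LAN on ge-0/0/2.0, the remote LAN at 10.2.0.0/24 currently reached by static routes, and a security zone named vpn holding the st0 units; all of these names and addresses are constructed, and the OSPF key is a placeholder.

```junos
## OSPF over two IPsec tunnels instead of static routes (added example; interface
## names, addresses and zone name are assumptions, the key is a placeholder).
## Remove the static routes for the remote LAN first: a static route (preference 5)
## would otherwise shadow the OSPF route (preference 10) and failover would never happen.
delete routing-options static route 10.2.0.0/24

set routing-options router-id 10.255.0.1

## The zone holding st0.0/st0.1 must accept OSPF, or adjacencies never form
set security zones security-zone vpn host-inbound-traffic protocols ospf

## One point-to-point adjacency per tunnel. Lower metric wins, so ISP1 (st0.0) is the
## primary path; give both the same metric for equal-cost multipath instead.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.0 metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 20

## Fast failure detection independent of vpn-monitor: 1 s hellos, 3 s dead timer
set protocols ospf area 0.0.0.0 interface st0.0 hello-interval 1
set protocols ospf area 0.0.0.0 interface st0.0 dead-interval 3
set protocols ospf area 0.0.0.0 interface st0.1 hello-interval 1
set protocols ospf area 0.0.0.0 interface st0.1 dead-interval 3

## Authenticate hellos, so nothing reaching a tunnel interface can inject routes
set protocols ospf area 0.0.0.0 interface st0.0 authentication md5 1 key "CHANGE-ME-ospf-key"
set protocols ospf area 0.0.0.0 interface st0.1 authentication md5 1 key "CHANGE-ME-ospf-key"

## Advertise the local LAN without speaking OSPF towards the hosts on it
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 passive

## Per-flow load balancing across both tunnels; only takes effect when the two
## tunnel metrics are equal, otherwise the lower-metric path is used alone
set policy-options policy-statement ECMP then load-balance per-packet
set routing-options forwarding-table export ECMP
```

Commit this on both sites in one session (the `delete` blackholes the remote LAN until the adjacencies are up), then check `show ospf neighbor` for two Full neighbors and `show route 10.2.0.0/24` for the st0.0 next hop; with equal metrics the route lists both st0.0 and st0.1. OSPF timers on the tunnel detect a dead peer faster than vpn-monitor does, but keep vpn-monitor configured as well so the st0 interface itself is brought down and the IPsec SA is torn down when the path fails.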

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.