SRX Services Gateway
Regular Visitor
strion
Posts: 4
Registered: ‎11-08-2010

Question about site to site vpn with two ISP on every site.

Hi everyone,

We have to connect two sites with a VPN, and we want to use the SRX220 appliances. We want to have full redundancy, so we are planning to have two SRX220s at each site configured as an HA chassis cluster. We also want two internet connections so that we can keep internet connectivity if one of the two links stops working for any reason (non routing protocols).

As far as we know, we should also be able to configure two VPN tunnels, so that one tunnel uses ISP1 and the second tunnel uses ISP2, at both sites, to achieve VPN connection redundancy. Then, using routing preferences and firewall filters, we should be able to manage traffic in and out of the VPN, or maybe use a dynamic routing protocol over the two VPN links at both sites.

Can you confirm this architecture? Has somebody implemented this configuration? Any warnings?

 

Thank you in advance.

 

Strion.

Juniper Employee
Ajay
Posts: 8
Registered: ‎02-27-2009

Re: Question about site to site vpn with two ISP on every site.

If you are planning to have two ISPs on both sites then you will have to create 4 IKE gateways and 4 VPNs.

ISP1 local site to ISP1 remote site

ISP1 local site to ISP2 remote site

ISP2 local site to ISP1 remote site

ISP2 local site to ISP2 remote site

You can use route preference or qualified next-hop. You will also have to use VPN monitor to detect link failure.

 

Let me know if you have any questions.

AJ
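
The four-tunnel layout described in the answer above, written out as Junos set commands. This is an added example, not configuration from the thread: interface names, peer addresses (documentation ranges), the remote subnet, object names and the key are constructed placeholders, and security zones, policies and per-ISP routing toward each peer are assumed to be configured separately.

```junos
# Constructed values: reth1.0 = local ISP1 uplink, reth2.0 = local ISP2 uplink,
# 192.0.2.10 = remote ISP1 address, 198.51.100.10 = remote ISP2 address, 10.2.0.0/16 = remote LAN.
# Shared IKE/IPsec policies; the pre-shared key is a placeholder.
set security ike policy IKE-S2S mode main
set security ike policy IKE-S2S proposal-set standard
set security ike policy IKE-S2S pre-shared-key ascii-text "REPLACE-WITH-KEY"
set security ipsec policy IPSEC-S2S proposal-set standard
set security ipsec vpn-monitor-options interval 10 threshold 3

# One st0 unit per tunnel (zone assignment not shown).
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet

# Four IKE gateways and four VPNs: L1/L2 = local ISP1/ISP2, R1/R2 = remote ISP1/ISP2.
set security ike gateway GW-L1-R1 ike-policy IKE-S2S
set security ike gateway GW-L1-R1 address 192.0.2.10
set security ike gateway GW-L1-R1 external-interface reth1.0
set security ipsec vpn VPN-L1-R1 bind-interface st0.0
set security ipsec vpn VPN-L1-R1 vpn-monitor optimized
set security ipsec vpn VPN-L1-R1 ike gateway GW-L1-R1
set security ipsec vpn VPN-L1-R1 ike ipsec-policy IPSEC-S2S
set security ike gateway GW-L1-R2 ike-policy IKE-S2S
set security ike gateway GW-L1-R2 address 198.51.100.10
set security ike gateway GW-L1-R2 external-interface reth1.0
set security ipsec vpn VPN-L1-R2 bind-interface st0.1
set security ipsec vpn VPN-L1-R2 vpn-monitor optimized
set security ipsec vpn VPN-L1-R2 ike gateway GW-L1-R2
set security ipsec vpn VPN-L1-R2 ike ipsec-policy IPSEC-S2S
set security ike gateway GW-L2-R1 ike-policy IKE-S2S
set security ike gateway GW-L2-R1 address 192.0.2.10
set security ike gateway GW-L2-R1 external-interface reth2.0
set security ipsec vpn VPN-L2-R1 bind-interface st0.2
set security ipsec vpn VPN-L2-R1 vpn-monitor optimized
set security ipsec vpn VPN-L2-R1 ike gateway GW-L2-R1
set security ipsec vpn VPN-L2-R1 ike ipsec-policy IPSEC-S2S
set security ike gateway GW-L2-R2 ike-policy IKE-S2S
set security ike gateway GW-L2-R2 address 198.51.100.10
set security ike gateway GW-L2-R2 external-interface reth2.0
set security ipsec vpn VPN-L2-R2 bind-interface st0.3
set security ipsec vpn VPN-L2-R2 vpn-monitor optimized
set security ipsec vpn VPN-L2-R2 ike gateway GW-L2-R2
set security ipsec vpn VPN-L2-R2 ike ipsec-policy IPSEC-S2S

# Primary path plus three backups; lower preference wins, default static preference is 5.
set routing-options static route 10.2.0.0/16 next-hop st0.0
set routing-options static route 10.2.0.0/16 qualified-next-hop st0.1 preference 10
set routing-options static route 10.2.0.0/16 qualified-next-hop st0.2 preference 15
set routing-options static route 10.2.0.0/16 qualified-next-hop st0.3 preference 20
```

When VPN monitor declares a tunnel down, its st0 unit goes down and the static route falls through to the next qualified next-hop that is still up.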
Regular Visitor
strion
Posts: 4
Registered: ‎11-08-2010

Re: Question about site to site vpn with two ISP on every site.

Hi Ajay,

Thank you for the answer. I was thinking quite the same, except that, for reduced complexity, I would build just two tunnels instead of four.

 

Strion.
