02-01-2012 02:40 AM
We have to connect two sites with a VPN, and we want to use SRX220 appliances. We want full redundancy, so we are planning to have two SRX220s at each site configured as an HA chassis cluster. We also want two Internet connections, to be able to keep Internet connectivity if one of the two links stops working for any reason (without routing protocols).
As far as we know, we should also be able to configure two VPN tunnels, so that one tunnel uses ISP1 and the second uses ISP2, at both sites, to achieve VPN connection redundancy. Then, using routing preferences and firewall filters, we should be able to manage traffic in and out of the VPN, or maybe use a dynamic routing protocol over the two VPN links at both sites.
Can you confirm this architecture? Has somebody implemented this configuration? Any warnings?
Thank you in advance.
02-06-2012 08:15 AM
If you are planning to have two ISPs at both sites, then you will have to create 4 IKE gateways and 4 VPNs:
ISP1 local site to ISP1 remote site
ISP1 local site to ISP2 remote site
ISP2 local site to ISP1 remote site
ISP2 local site to ISP2 remote site
You can use route preference or qualified-next-hop. You will also have to use VPN monitor to detect link failure.
Let me know if you have any Questions.
02-10-2012 12:20 AM
Thank you for the answer. I was thinking quite the same, except that, for reduced complexity, I would build just two tunnels instead of four.
08-06-2014 04:43 AM
Please, how did you get on with this?
I am looking at a similar implementation and want to know if this worked OK for you.
08-06-2014 06:04 AM
The implementation would be in two steps:
1. ISP failover
2. Subsequent VPN failover
A simple solution would be to have:
ISP1 on Site A establish a VPN with ISP1 on Site B -- VPN1
ISP2 on Site A establish a VPN with ISP2 on Site B -- VPN2
Have ISP2 on both ends as the backup ISP.
But for the VPN peers, write a specific route through the specific ISP.
Build both as route based tunnels.
Let us say the subnet behind Site A is A and Behind Site B is B
VPN1 is bound to st0.0
VPN2 is bound to st0.1
Write routes like below:
On Site A:
set routing-options static route B next-hop st0.0
set routing-options static route B qualified-next-hop st0.1 preference 10
set routing-options static route ISP-1-site-B next-hop ISP1
set routing-options static route ISP-2-site-B next-hop ISP2
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
08-08-2014 11:14 PM
Yes, you need to configure 2 VPN configurations between these 2 devices:
ISP1 to ISP1
ISP2 to ISP2
Then you can play with dynamic routing protocols to route the traffic across the primary link using cost metrics.
Also, the following KB article explains the dual-ISP VPN scenario:
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
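As an added worked example (written for this page, not taken from any of the posters or from a Juniper KB), here is a Site A configuration that puts the two answers above together: the two-tunnel route-based design with VPN1 over ISP1 bound to st0.0 and VPN2 over ISP2 bound to st0.1, VPN monitoring so that a dead tunnel takes its st0 unit down, the static route to Site B with a qualified-next-hop backup (as in the 08-06-2014 answer), and, at the end, the OSPF-with-metrics alternative from the 08-08-2014 answer. Everything concrete is an assumption: interface numbers, object names, the RFC 5737 documentation addresses, the /30 tunnel addresses and the ciphers. The device is assumed standalone; on the chassis cluster the original poster plans, the ISP-facing ge- interfaces become reth interfaces and the IKE gateways' external-interface points at those. Lines starting with `#` are annotations for the reader and must be stripped before pasting into `load set terminal`.

```junos
## Site A SRX220, route-based dual-ISP VPN to Site B (example; all
## addresses and names are assumptions using RFC 5737 documentation prefixes)
##   Site A LAN  10.1.0.0/24 on ge-0/0/1.0 (zone trust); Site B LAN 10.2.0.0/24
##   ISP1 uplink ge-0/0/0.0 203.0.113.10/24, gateway 203.0.113.1
##   ISP2 uplink ge-0/0/2.0 198.51.100.10/24, gateway 198.51.100.1
##   Site B IKE peers: 192.0.2.10 (its ISP1), 192.0.2.130 (its ISP2)
##   VPN1 = ISP1<->ISP1 on st0.0, VPN2 = ISP2<->ISP2 on st0.1

## Interfaces: each tunnel gets a /30 so VPN monitor (and OSPF) has a peer address
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.10/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.0.1/24
set interfaces st0 unit 0 family inet address 172.16.0.1/30
set interfaces st0 unit 1 family inet address 172.16.0.5/30

## Zones: IKE must be allowed in on both ISP interfaces, ping on the tunnel zone
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust address-book address SITE-A-LAN 10.1.0.0/24
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
set security zones security-zone vpn host-inbound-traffic system-services ping
set security zones security-zone vpn address-book address SITE-B-LAN 10.2.0.0/24

## IKE: one policy, two gateways, each pinned to its own ISP interface
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "CHANGE-ME-to-a-long-random-psk"
set security ike gateway GW-ISP1 ike-policy IKE-POL
set security ike gateway GW-ISP1 address 192.0.2.10
set security ike gateway GW-ISP1 external-interface ge-0/0/0.0
set security ike gateway GW-ISP1 dead-peer-detection always-send
set security ike gateway GW-ISP2 ike-policy IKE-POL
set security ike gateway GW-ISP2 address 192.0.2.130
set security ike gateway GW-ISP2 external-interface ge-0/0/2.0
set security ike gateway GW-ISP2 dead-peer-detection always-send

## IPsec: two VPNs bound to st0.0/st0.1; VPN monitor pings the peer's st0
## address so a dead tunnel takes its st0 unit down, and its static route with it
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN1 bind-interface st0.0
set security ipsec vpn VPN1 ike gateway GW-ISP1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN1 vpn-monitor optimized
set security ipsec vpn VPN1 vpn-monitor source-interface st0.0
set security ipsec vpn VPN1 vpn-monitor destination-ip 172.16.0.2
set security ipsec vpn VPN1 establish-tunnels immediately
set security ipsec vpn VPN2 bind-interface st0.1
set security ipsec vpn VPN2 ike gateway GW-ISP2
set security ipsec vpn VPN2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN2 vpn-monitor optimized
set security ipsec vpn VPN2 vpn-monitor source-interface st0.1
set security ipsec vpn VPN2 vpn-monitor destination-ip 172.16.0.6
set security ipsec vpn VPN2 establish-tunnels immediately

## Routing: Site B LAN prefers st0.0; the qualified-next-hop via st0.1 sits at a
## worse preference (static default is 5) and only wins once st0.0 is down
set routing-options static route 10.2.0.0/24 next-hop st0.0
set routing-options static route 10.2.0.0/24 qualified-next-hop st0.1 preference 10
## Host routes pin each IKE peer to its own ISP so VPN2 never rides ISP1
set routing-options static route 192.0.2.10/32 next-hop 203.0.113.1
set routing-options static route 192.0.2.130/32 next-hop 198.51.100.1
## Internet: ISP1 default, ISP2 backup (fails over on link-down only, see note)
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 198.51.100.1 preference 10

## Policies: only the two LANs, in both directions, nothing else across the tunnel
set security policies from-zone trust to-zone vpn policy TO-SITE-B match source-address SITE-A-LAN
set security policies from-zone trust to-zone vpn policy TO-SITE-B match destination-address SITE-B-LAN
set security policies from-zone trust to-zone vpn policy TO-SITE-B match application any
set security policies from-zone trust to-zone vpn policy TO-SITE-B then permit
set security policies from-zone vpn to-zone trust policy FROM-SITE-B match source-address SITE-B-LAN
set security policies from-zone vpn to-zone trust policy FROM-SITE-B match destination-address SITE-A-LAN
set security policies from-zone vpn to-zone trust policy FROM-SITE-B match application any
set security policies from-zone vpn to-zone trust policy FROM-SITE-B then permit

## Alternative to the two 10.2.0.0/24 static routes: OSPF over both st0 units,
## st0.1 at a higher metric so it only carries traffic when st0.0 is down
set security zones security-zone vpn host-inbound-traffic protocols ospf
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p metric 20
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
```

Site B mirrors this with the roles swapped (its GW-ISP1 points at 203.0.113.10 out of its ISP1 interface, its GW-ISP2 at 198.51.100.10 out of its ISP2 interface, st0 addresses 172.16.0.2 and 172.16.0.6, and the host routes pinning Site A's two peer addresses to the matching ISP gateway). The failover chain worth understanding is: VPN monitor loses its pings, the SA is marked down and st0.0 goes down, the static route via st0.0 is withdrawn, and the qualified-next-hop route via st0.1 becomes active, which is why the two tunnels must already be established (`establish-tunnels immediately`) rather than waiting for interesting traffic. Two caveats a practitioner will hit: the Internet default route only fails over when the ISP1 physical link actually goes down, so an upstream failure with the link still up needs RPM probes plus ip-monitoring to pull the primary default route; and with the `/32` peer routes in place, never let a default-route change send VPN2's IKE traffic out of ISP1, or the peer will see an unexpected source address and the tunnel will not rebuild. Check the state with `show security ike security-associations`, `show security ipsec security-associations` and `show route 10.2.0.0/24`, then pull the ISP1 cable and confirm the route flips to st0.1 without traffic to Site B stopping for more than the monitor interval.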