SRX Services Gateway
Visitor
vkosin
Posts: 4
Registered: 11-16-2011

SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

We have 2 ISPs. We want to fail over our tunnel between these providers, with failback to ISP1 (the primary ISP).

 

ISPs:

ISP1: fe-0/0/2, ip 1.1.1.2/24, route 1.1.1.1

ISP2: fe-0/0/3, ip 1.1.2.2/24, route 1.1.2.1

 

internal network:

INT: ge-0/0/0, ip 192.168.1.200/22

 

gateway ike-gate1 {
    ike-policy ike-policy;
    address 2.1.1.1;
    external-interface fe-0/0/2.0;
}

 

OK, it works well, but there is no failover: if the link on fe-0/0/2 fails, the tunnel becomes unavailable. If I modify the gateway external-interface to fe-0/0/3.0, then the tunnel works on ISP2.

 

How can we realise this behavior:

ISP1 - main provider.

ISP2 - backup provider.

 

If ISP1 is online and ISP2 is online, all connections from the internal network should go via ISP1 (including IPsec tunnels).

If ISP1 is offline and ISP2 is online, all connections from the internal network should fail over via ISP2 (NAT, IPsec tunnels, etc.).

If ISP1 is online and ISP2 is offline, it's OK, nothing serious :).

If ISP1 is offline and ISP2 is offline, there is nothing to fail over/fail back to :).

Distinguished Expert
dfex
Posts: 707
Registered: 04-17-2008

Re: SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

There are two possible solutions to this issue:

 

1/  If you are advertising public address space to both ISPs (eg: via BGP), then you can assign an IP from this range to your loopback address, then set the external-interface in your ike gateway to be the loopback interface.  Fail-over is virtually seamless.  If you don't have public address space though, this method will not work, because the SRX doesn't source-NAT traffic from the loopback address.

 

2/ The only other method is to create two tunnels tied to two ike gateways, each with a different external interface.  Then use routing preference and qualified-next-hop to ensure that your preferred tunnel is used for forwarding.

 

Hope this helps

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Visitor
vkosin
Posts: 4
Registered: 11-16-2011

Re: SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

So, I'll have to switch to a route-based VPN instead of policy-based?

Distinguished Expert
dfex
Posts: 707
Registered: 04-17-2008

Re: SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

Not necessarily - but you would need a dedicated security zone for each ISP (so you could have a policy for each tunnel)

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
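Putting Ben's two points together (two ike gateways with different external interfaces, preference/qualified-next-hop routes, and a dedicated untrust zone per ISP so each tunnel gets its own policy pair), here is an added Junos configuration sketch for the policy-based variant; it is not from the original thread. It reuses the interfaces, next-hops and peer address 2.1.1.1 from the first post and assumes the existing ike-policy, an IPsec policy named ipsec-policy, a trust zone, and address-book entries lan and remote-lan; the remote peer has to accept IKE from both ISP addresses.

```junos
routing-options {
    static {
        /* ISP1 next-hop preferred; the ISP2 qualified-next-hop is used only once the
           fe-0/0/2 route is withdrawn, i.e. when that interface itself goes down.
           The egress interface then moves to fe-0/0/3, so the to-zone becomes
           untrust-isp2 and the ISP2 tunnel policy is the one that matches. */
        route 10.1.0.0/16 { next-hop 1.1.1.1; preference 50; qualified-next-hop 1.1.2.1 { preference 100; } }
        route 0.0.0.0/0   { next-hop 1.1.1.1; preference 50; qualified-next-hop 1.1.2.1 { preference 100; } }
    }
}
security {
    zones {
        /* one untrust zone per ISP, each accepting inbound IKE only on its own interface */
        security-zone untrust-isp1 { interfaces { fe-0/0/2.0; } host-inbound-traffic { system-services { ike; } } }
        security-zone untrust-isp2 { interfaces { fe-0/0/3.0; } host-inbound-traffic { system-services { ike; } } }
    }
    ike {
        /* same remote peer, two gateways, one external interface each */
        gateway ike-gate1 { ike-policy ike-policy; address 2.1.1.1; external-interface fe-0/0/2.0; }
        gateway ike-gate2 { ike-policy ike-policy; address 2.1.1.1; external-interface fe-0/0/3.0; }
    }
    ipsec {
        /* ipsec-policy is an assumed name; no bind-interface, so these stay policy-based */
        vpn ike-vpn1 { ike { gateway ike-gate1; ipsec-policy ipsec-policy; } }
        vpn ike-vpn2 { ike { gateway ike-gate2; ipsec-policy ipsec-policy; } }
    }
    policies {
        /* one tunnel policy pair per ISP zone; lan and remote-lan are assumed address-book entries */
        from-zone trust to-zone untrust-isp1 { policy vpn-out-isp1 {
            match { source-address lan; destination-address remote-lan; application any; }
            then { permit { tunnel { ipsec-vpn ike-vpn1; pair-policy vpn-in-isp1; } } }
        } }
        from-zone untrust-isp1 to-zone trust { policy vpn-in-isp1 {
            match { source-address remote-lan; destination-address lan; application any; }
            then { permit { tunnel { ipsec-vpn ike-vpn1; pair-policy vpn-out-isp1; } } }
        } }
        /* the ISP2 pair is identical apart from the zone and the tunnel it references */
        from-zone trust to-zone untrust-isp2 { policy vpn-out-isp2 {
            match { source-address lan; destination-address remote-lan; application any; }
            then { permit { tunnel { ipsec-vpn ike-vpn2; pair-policy vpn-in-isp2; } } }
        } }
        from-zone untrust-isp2 to-zone trust { policy vpn-in-isp2 {
            match { source-address remote-lan; destination-address lan; application any; }
            then { permit { tunnel { ipsec-vpn ike-vpn2; pair-policy vpn-out-isp2; } } }
        } }
    }
}
```

Because the static routes only change when the fe-0/0/2 route is withdrawn, an upstream failure that leaves the interface up will not trigger this failover; "show route 10.1.0.0/16" before and after pulling the primary link shows which next-hop and zone are active.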
Visitor
vkosin
Posts: 4
Registered: 11-16-2011

Re: SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

I've tried to get this behavior with a route-based VPN.

 

The routing table for NAT addresses works well - there are no problems. But when I try to apply it to the VPN, it doesn't work (I tried using VPN monitor and DPD - no matter) - packets still go to the primary router interface (if I change it manually, then everything works).

 

Here is part of config:

interfaces {
    st0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.1.0.0/16 {
            next-hop st0.0;
            qualified-next-hop st0.1 {
                preference 100;
            }
            preference 50;
        }
        route 0.0.0.0/0 {
            next-hop 212.248.11.1;
            qualified-next-hop 213.33.222.157 {
                preference 100;
            }
            preference 50;
        }
    }
}
security {
    ike {
        traceoptions {
            file size 1m;
            flag policy-manager;
            flag ike;
            flag routing-socket;
            flag all;
        }
        proposal ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm md5;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy ike-policy {
            mode main;
            proposals ike-proposal;
            pre-shared-key ascii-text "** CUT **";
        }
        gateway ike-gate1 {
            ike-policy ike-policy;
            address 178.159.249.90;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface fe-0/0/2;
        }
        gateway ike-gate2 {
            ike-policy ike-policy;
            address 178.159.249.90;
            dead-peer-detection {
                interval 10;
                threshold 3;
            }
            external-interface fe-0/0/3;
        }
    }
    ipsec {
        vpn-monitor-options;
        proposal ipsec_proposal {
            protocol esp;
            authentication-algorithm hmac-md5-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy sofline-policy {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipsec_proposal;
        }
        vpn ike-vpn1 {
            bind-interface st0.0;
            ike {
                gateway ike-gate1;
                proxy-identity {
                    local 192.168.0.0/22;
                    remote 10.1.0.0/16;
                    service any;
                }
                ipsec-policy sofline-policy;
            }
            establish-tunnels immediately;
        }
        vpn ike-vpn2 {
            bind-interface st0.1;
            ike {
                gateway ike-gate2;
                proxy-identity {
                    local 192.168.0.0/22;
                    remote 10.1.0.0/16;
                    service any;
                }
                ipsec-policy sofline-policy;
            }
            establish-tunnels immediately;
        }
    }
}
Distinguished Expert
dfex
Posts: 707
Registered: 04-17-2008

Re: SRX 210 Failover IPSEC Policy Based tunnel with 2 ISP

I notice you are using two ethernet interfaces to your ISPs - what are you doing to test fail-over?  Unplugging them, or failing something upstream?

 

I have used this method with two PPP links before (one over DSL, the other via 3G card).  I have the 3G link set as a backup link to the ADSL, so it only comes up when the DSL goes down, and the backup VPN only comes up when the 3G is up.

 

It would be good to see the output of "show route" when both links are up, and then again when the primary link has failed.

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher