SRX Services Gateway
Reply
Contributor
ds1602
Posts: 64
Registered: ‎12-22-2011
0

SRX210 with CX111 Failover IPSec

Need a bit of assistance here. I'm setting up a SRX210 for a branch office. The branch has one ISP (DSL) connection. I got my hands on a CX111. I was attempting to use the CX111 as a failover connection utilizing the 3G USB stick. I followed the steps in the guide (http://www.juniper.net/us/en/local/pdf/app-notes/3500184-en.pdf). But the issue is the IPSec tunnels that aren't coming over with the failover. It seems that the issue is with the IKE gateway being set as static. I've looked around and couldn't fine anything that would resolve this. Any help would be greatly appreciated.

 

Here the IKE gateway data:

       gateway ike-gate-wsbc {
            ike-policy ike-policy-wsbc;
            address [ FirstEndPoint SecondEndPoint ];
            dead-peer-detection {
                interval 15;
                threshold 3;
            }
            external-interface ge-0/0/0.0;
        }
    }

 

Here's the routing information:

routing-options {
    static {
        route 0.0.0.0/0 next-hop PrimaryISP_GW;
        route 1.1.1.0/24 next-hop st0.0;
        route 2.2.2.0.0/24 next-hop st0.1;
        route 3.3.3.0/24 next-hop st0.2;
        route 4.4.4.0/24 next-hop st0.3;
        route 5.5.5.0/24 next-hop st0.4;
    }
}

 

The CX111 is plugged int fe-0/0/7 and is set in the UNTRUST zone.

Contributor
karlr
Posts: 37
Registered: ‎09-20-2010
0

Re: SRX210 with CX111 Failover IPSec

Can you describe the setup in more detail?

 

Do you have static IP over your primary DSL? I have used the CX111, but this was in a private network, so i used BGP to determine if the primary interface was up.

 

/Karl

Contributor
ds1602
Posts: 64
Registered: ‎12-22-2011
0

Re: SRX210 with CX111 Failover IPSec

This is a site to site VPN. The branch offices have static IP's from their providers.The central site has multiple IP's for Site to Site VPN termination.

 

 

Central Site --- WAN --- Internet --- SRX --- LAN

 

I was testing by checking an outside IP address. I was able to get it to failover the the CX111 as far as regular Internet traffic goes. But, none of the tunnels came with it. I was under the impression that the static mapping in the IKE was stopping the tunnels from dynamicly routing out the failover connection.

Contributor
karlr
Posts: 37
Registered: ‎09-20-2010
0

Re: SRX210 with CX111 Failover IPSec

[ Edited ]

I have tested this setup. So far i havent configured it to automatically determine if the primary interface is up, but i have a few different options.

 

My setup is:

Central device, SRX 650

fixed, public IP on ge-0/0/1.100 (1.1.1.1)

LAN = 10.10.10.0/24

Remote device, SRX100

fixed, public IP on fe-0/0/0.0 (2.2.2.2,

def-gw 2.2.2.1)

dynamic, public IP on fe-0/0/1.0 (connected to CX111)

LAN = 20.20.20.0/24

 

As you mentioned the ike gateway is bound to an interface. On the remote device i have 2 different interfaces, so in my tests i set up 2 different gateways, 2 ike-policies and 2 vpns. The vpns connectes 2 different security-tunnels to the different gateways. As the remote IP of the gateway is the same for both i used ike proxy-identity to separeate them. For the secondary tunnel i just used user-at-hostname to identify itself. I've had both tunnels working, but didn't really put the time in to automate a fail-over.

You should be able to have a ping-probe and a script that enable/disable the secondary interface and activate/deactivate the route for the remote Network. This would have to be done on both sides, and seems a bit complex.

 

One option that i have not tested is to configure 1 set of gateway, policy, vpn and st-interface. Use the same typ of ping-probe/script, but let the action be to change the external interface accosiated with the gateway. You would have to configure this to always be initiated from the remote site, as the IP might be unknown.

 

Just realised all this might not be useful for you at all.

 


Central device: interfaces st0 unit 666 { family inet; routing-options { static { route 20.20.20.0/24 next-hop st0.666; [edit security ike gateway GW-REMOTE] ike-policy IKE-REMOTE; dynamic user-at-hostname "secondary@domain.com"; dead-peer-detection { interval 10; threshold 3; } external-interface ge-0/0/1.100; [edit security ipsec vpn VPN-REMOTE] bind-interface st0.666; ike { gateway GW-SECONDARY-DYNAMIC; proxy-identity { local 10.10.10.0/24; remote 20.20.20.0/24; } ipsec-policy IPSEC-STANDARD; } Remote device: interfaces st0 unit 999 { family inet; routing-options { static { route 10.10.10.0/24 next-hop st0.999; [edit security ike gateway GW-CENTRAL] ike-policy IKE-CENTRAL; address 1.1.1.1; dead-peer-detection { interval 10; threshold 3; } local-identity user-at-hostname "secondary@domain.com"; external-interface fe-0/0/0.0; [edit security ipsec vpn VPN-CENTRAL] bind-interface st0.999; ike { gateway GW-CENTRAL; proxy-identity { local 20.20.20.0/24; remote 10.10.10.0/24; } ipsec-policy IPSEC-STANDARD; } on remote device: ping 2.2.2.1 (default gateway on fixed line) if fail -> "set security ike gateway GW-CENTRAL external-interface fe-0/0/1.0" -> commit...

 

 

regards,

Karl

Contributor
ds1602
Posts: 64
Registered: ‎12-22-2011
0

Re: SRX210 with CX111 Failover IPSec

Sorry for the delay. I've been pushed over to other projects. Now that those are done I'm able to follow-up on this.

 

The issue that I have at the branch location is that the IKE gateway is set to use external interface ge-0/0/0.0. When I try to use the 'set backup-options interface' I'm only able to use a dialup (dl0). Seeing that the CX111 is plugged into one of the fe-0/0/# or even ge-0/0/1 I can't use this backup option to route IPSEC traffic out the failover device.

 

How can this be worked around?

 

Branch office using SRX210H

Primary WAN interface - ge-0/0/0.0

CX111 interface - fe-0/0/7

 

IKE gateway settings:

gateway ike-gate-branch {
            ike-policy ike-policy-branch;
            address 4.4.4.4;
            external-interface ge-0/0/0.0;

 

 

Also, in the case where the branch is dynamic (dhcp WAN) then that makes for a bigger issue. It just wouldn't work. As stated by: http://forums.juniper.net/t5/SRX-Services-Gateway/SRX240-with-CX111-as-backup-WAN/td-p/34832

 

 

Visitor
jack.kelly
Posts: 2
Registered: ‎12-09-2010
0

Re: SRX210 with CX111 Failover IPSec

I am planning on attempting a similar configuration. In my config, I think I will use two separate vpn configurations, one for primary and one for secondary. each using its own tunnel interface. I will then use rpm scripts to change the route to prefer the other tunnel interface. I had this type of setup working in another office, but had to disable it because it was failing over too often, but that was not with a CX111 it was between two ethernet links. one going to a cable modem, the other to a DSL line. the cable modem being the preferred link. I have not found a way to make a single vpn declaration work for both interfaces.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.