SRX Services Gateway
Lim
Contributor
Posts: 25
Registered: ‎10-06-2008
0

load balance dual ipsec vpn tunnel between 2 site

Hi all,

I had a scenario where

                                                     ___________________
site A --> SRX 650 [WAN ip A] --tunnel to site B--> | public internet   | --tunnel to site A--> [WAN ip B] SRX 650 --> site B
                   [WAN ip C] --tunnel to site B--> |                   | --tunnel to site A--> [WAN ip D]
                                                     -------------------


Is it possible that the SRX 650 can support load balancing dual VPN tunnels in this scenario? If yes, please paste the link to the documentation for this configuration.

Thank you


Visitor
im_spartacus
Posts: 2
Registered: ‎04-11-2012
0

Re: load balance dual ipsec vpn tunnel between 2 site

Do you mean a route-based or a policy-based VPN? I would imagine that route-based would be fairly simple as the VPN is seen as any other interface. Policy-based is very tricky and I'm currently struggling with this myself.

I'm Spartacus!
Visitor
srikanthsingireddy
Posts: 9
Registered: ‎02-02-2012
0

Re: load balance dual ipsec vpn tunnel between 2 site

Looking for a reply on this. Can we actually load balance between redundant VPN tunnels?

Visitor
im_spartacus
Posts: 2
Registered: ‎04-11-2012
0

Re: load balance dual ipsec vpn tunnel between 2 site

If you have dual route-based VPN tunnels then yes, I think you could load-balance as you can use routing protocols across these (or static routes) and distribute the traffic how you want.

If you have >= JunOS 11.4 you can create a policy-based VPN and also run routing over this. Because it's policy-based though, I'm not sure how you could load-balance as it will only allow the specification of a single VPN in the policy.

If, for instance, you were to use two zones, one for each VPN then you could probably do this.

e.g.

VPN A gateway 10.1.1.1
VPN B gateway 10.2.2.2

zone A -> policy from local to remote subnet use VPN A
zone B -> policy from local to remote subnet use VPN B

BGP sessions over both VPNs from junos-host to remote router; the remote zone will be determined based on the prefixes received. E.g. if you receive 192.168.1.0/24 from A and 192.168.2.0/24 from B then traffic to 192.168.1.0/24 will use zone, policy and VPN B. Obviously you load-balance across these how you want to.

This last part is conjecture from me so maybe someone else can suggest whether they think it would work.

I'm Spartacus!
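
The route-based option discussed in this thread, as an added example that is not part of the original posts or of Juniper's documentation: site A's side of two st0 tunnels placed in one security zone, with equal-cost static routes and a forwarding-table load-balance policy. Interface names, object names, the documentation-range addresses and the pre-shared-key placeholder are assumptions, and the WAN interfaces are assumed to already sit in zone untrust.

```junos
# Added example, site A side. All names, interfaces and addresses are constructed
# placeholders: 203.0.113.2 stands for "WAN ip B", 198.51.100.2 for "WAN ip D",
# 10.20.0.0/24 for the site B LAN.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<replace-with-psk>"
# One IKE gateway per WAN link: ge-0/0/0 carries "WAN ip A", ge-0/0/1 "WAN ip C".
set security ike gateway GW-1 ike-policy IKE-POL
set security ike gateway GW-1 address 203.0.113.2
set security ike gateway GW-1 external-interface ge-0/0/0.0
set security ike gateway GW-2 ike-policy IKE-POL
set security ike gateway GW-2 address 198.51.100.2
set security ike gateway GW-2 external-interface ge-0/0/1.0
set security ipsec proposal ESP-PROP protocol esp
set security ipsec proposal ESP-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL proposals ESP-PROP
# Route-based: each VPN is bound to its own st0 unit. vpn-monitor lets a dead
# tunnel be detected so its route stops being used.
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set security ipsec vpn VPN-1 bind-interface st0.0
set security ipsec vpn VPN-1 ike gateway GW-1
set security ipsec vpn VPN-1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-1 vpn-monitor
set security ipsec vpn VPN-2 bind-interface st0.1
set security ipsec vpn VPN-2 ike gateway GW-2
set security ipsec vpn VPN-2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-2 vpn-monitor
# Both tunnels share one zone, so the same policy applies whichever path a flow takes.
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1
# "any" is used for brevity; narrow these to the real site subnets and applications.
set security policies from-zone trust to-zone vpn policy a-to-b match source-address any destination-address any application any
set security policies from-zone trust to-zone vpn policy a-to-b then permit
set security policies from-zone vpn to-zone trust policy b-to-a match source-address any destination-address any application any
set security policies from-zone vpn to-zone trust policy b-to-a then permit
# Two equal-cost next hops for the remote LAN, one per tunnel.
set routing-options static route 10.20.0.0/24 next-hop st0.0
set routing-options static route 10.20.0.0/24 next-hop st0.1
# The keyword is "per-packet", but traffic is distributed per flow.
set policy-options policy-statement ECMP-VPN then load-balance per-packet
set routing-options forwarding-table export ECMP-VPN
```

Site B needs the mirror-image configuration; `show route forwarding-table destination 10.20.0.0/24` should then list both st0 units as next hops.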