09-30-2010 02:59 AM
I had a scenario where
site A -->SRX 650 [ WAN ip A] --tunnel to site B------> | public internet | ----tunnel to site A---> [WAN ip B] srx 650 -->site B
[WAN ip C] --tunnel to site B------> | |-----tunnel to site A---->[WAN ip D]
Is it possible for the SRX 650 to support load balancing across dual VPN tunnels in this scenario? If yes, please paste the link to the documentation for this configuration.
05-04-2012 04:31 AM
Do you mean a route-based or a policy-based VPN? I would imagine that route-based would be fairly simple as the VPN is seen as any other interface. Policy-based is very tricky and I'm currently struggling with this myself.
05-09-2012 07:51 AM
If you have dual route-based VPN tunnels then yes, I think you could load-balance as you can use routing protocols across these (or static routes) and distribute the traffic how you want.
If you have >= JunOS 11.4 you can create a policy-based VPN and also run routing over this. Because it's policy-based though, I'm not sure how you could load-balance as it will only allow the specification of a single VPN in the policy.
If, for instance, you were to use two zones, one for each VPN then you could probably do this.
VPN A gateway 10.1.1.1
VPN B gateway 10.2.2.2
zone A -> policy from local to remote subnet use VPN A
zone B -> policy from local to remote subnet use VPN B
BGP sessions over both VPNs from junos-host to remote router; the remote zone will be determined based on the prefixes received, e.g. if you receive 192.168.1.0/24 from A and 192.168.2.0/24 from B then traffic to 192.168.1.0/24 will use zone, policy and VPN B. Obviously you load-balance across these how you want to.
This last part is conjecture from me so maybe someone else can suggest whether they think it would work.
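Added example, not posted by anyone in the thread: a Junos configuration fragment for the route-based case discussed above, with two tunnels sharing traffic through equal-cost static routes. The names VPN-A, VPN-B, the zone name vpn, the policy name ECMP-LB and the remote prefix 192.168.0.0/16 are assumptions; the IKE gateways and IPsec policies for each WAN address are taken as already configured.

```junos
# Constructed example: all names and the remote prefix are placeholders.

# One secure tunnel unit per IPsec tunnel.
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet

# Bind each route-based VPN to its own st0 unit.
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-B bind-interface st0.1

# Keep both tunnel interfaces in the same security zone so a single
# set of security policies applies whichever tunnel a session takes.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

# Two equal-cost next hops for the remote site, one per tunnel.
set routing-options static route 192.168.0.0/16 next-hop st0.0
set routing-options static route 192.168.0.0/16 next-hop st0.1

# Install both next hops in the forwarding table. Despite the keyword,
# a flow-mode SRX pins each session to one next hop, so the
# distribution is per flow rather than per packet.
set policy-options policy-statement ECMP-LB then load-balance per-packet
set routing-options forwarding-table export ECMP-LB
```

After commit, `show route forwarding-table destination 192.168.0.0/16` should list both st0 units as next hops.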