12-29-2010 11:06 PM
I have a question about dual ISP VPN redundancy. I have srx with two ISP connected. From each ISP there is VPN connectin to the remote location. ISP failover is working with watch-default-route script. In normal situation both VPN's are up and when I unplug the cable from primary provider, everything is working OK. But in the situation when script triggers failover both VPN's fail and the the second VPN reconnects. Why is that happening? I think that the second VPN via second ISP should stay up.
Anyone has an idea?
12-30-2010 10:37 PM
I don't think it's a routing issue. Because, if I manually deactivate the primary route everything is working like it suppose to. Only when the script activates the failover, the I have a problem. I also started the ping from the secondary interface to it's default gateway, and when the scripts triggers, just stops to work.
When the script finishes, the everything starts to work.
12-31-2010 01:22 AM
Ok. I checked again, it seem that really is a routing issue. Looks like that ipsec sa's are established trough the primary link. I shold probably seperate the two ISP's in two different virtual routers to make this work. But I can't put ike gatewas into vr's bacause it's not supported. And what can I do now?
12-31-2010 02:45 AM - edited 12-31-2010 02:50 AM
Please be aware that even in JUNOS 10.4, the external-interface of a VPN must be in the default routing instance. Only the tunnel interface can be in a non-default routing instance (what is now officially supported with 10.4 but has still worked in older releases, for instance in 10.2 R3). The easiest solution is to install two /32 routes for the remote VPN endpoint, specifying their respective ISP router as next-hop. And of course verify that VPN2 specifies the external interface pointing to ISP2.
12-31-2010 06:09 AM
Why seperate into VRs?
You just need a static route to 'VPN2 peer Gateway' via the 'ISP2 Router'.
Using the following example:
ISP1: 188.8.131.52/24 gateway 184.108.40.206
ISP2: 220.127.116.11/24 gateway 18.104.22.168
VPN1 GW: 22.214.171.124
VPN2 GW: 126.96.36.199
route 188.8.131.52 via 184.108.40.206
route 220.127.116.11 via 18.104.22.168
01-03-2011 05:40 AM
This doesn't solve the problem. I have on central location on srx two tunnel endpoints via two ISP's and on the remote location one tunnel endpoint. If I enter the host route for tunnel endpoint via ISP2, then i have both IPSEC associations established over ISP2 link. Problem is because there is only one endpoint on the remote side.
What I would like to achieve is, that each vpn tunnel to the remote location is established over its own link.
01-03-2011 12:01 PM
gasper, take a look at KB15545, it might be the ticket you're looking for to split your routing over your two ISPs with failover.
01-04-2011 07:14 AM
Ah, your problem makes sense now.
You could possibly use PBR (or filter-based-forwarding in Junos lingo I think). I guess you would need to terminate the tunnel on a loopback interface though to force the traffic through the filter in order to get routed correctly.
01-04-2011 11:20 AM
You could perhaps modify it a bit to use "instance-type forwarding", which is filter-based forwarding (AKA policy-based routing). All of the interfaces live in the inet.0 table, so IKE, etc., works fine, and the use the newly-created route tables to make the routing decisions based on policies.
03-28-2011 11:36 PM
excuse me, I am not replying for the solution here, but actually wanted to implement same setup at our customer's place. Like customer has two different ISPs say ISP1 and ISP2 at central location, will be using SRX series firewall, and their remote branches would be using SSG5with only one ISP. Will be forming VPN tuneel from remote branch to central location. But want to implement automatice vpn failover if primary link goes down.....
I suppose you have the same setup, can you please explain how to achieve this?