I have a question about dual ISP VPN redundancy. I have srx with two ISP connected. From each ISP there is VPN connectin to the remote location. ISP failover is working with watch-default-route script. In normal situation both VPN's are up and when I unplug the cable from primary provider, everything is working OK. But in the situation when script triggers failover both VPN's fail and the the second VPN reconnects. Why is that happening? I think that the second VPN via second ISP should stay up.
I don't think it's a routing issue. Because, if I manually deactivate the primary route everything is working like it suppose to. Only when the script activates the failover, the I have a problem. I also started the ping from the secondary interface to it's default gateway, and when the scripts triggers, just stops to work.
When the script finishes, the everything starts to work.
Ok. I checked again, it seem that really is a routing issue. Looks like that ipsec sa's are established trough the primary link. I shold probably seperate the two ISP's in two different virtual routers to make this work. But I can't put ike gatewas into vr's bacause it's not supported. And what can I do now?
Please be aware that even in JUNOS 10.4, the external-interface of a VPN must be in the default routing instance. Only the tunnel interface can be in a non-default routing instance (what is now officially supported with 10.4 but has still worked in older releases, for instance in 10.2 R3). The easiest solution is to install two /32 routes for the remote VPN endpoint, specifying their respective ISP router as next-hop. And of course verify that VPN2 specifies the external interface pointing to ISP2.
Regards,
Dominik
JNCIE et al.
-- The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
This doesn't solve the problem. I have on central location on srx two tunnel endpoints via two ISP's and on the remote location one tunnel endpoint. If I enter the host route for tunnel endpoint via ISP2, then i have both IPSEC associations established over ISP2 link. Problem is because there is only one endpoint on the remote side.
What I would like to achieve is, that each vpn tunnel to the remote location is established over its own link.
You could possibly use PBR (or filter-based-forwarding in Junos lingo I think). I guess you would need to terminate the tunnel on a loopback interface though to force the traffic through the filter in order to get routed correctly.
