12-29-2010 11:06 PM
I have a question about dual ISP VPN redundancy. I have srx with two ISP connected. From each ISP there is VPN connectin to the remote location. ISP failover is working with watch-default-route script. In normal situation both VPN's are up and when I unplug the cable from primary provider, everything is working OK. But in the situation when script triggers failover both VPN's fail and the the second VPN reconnects. Why is that happening? I think that the second VPN via second ISP should stay up.
Anyone has an idea?
12-30-2010 10:37 PM
I don't think it's a routing issue. Because, if I manually deactivate the primary route everything is working like it suppose to. Only when the script activates the failover, the I have a problem. I also started the ping from the secondary interface to it's default gateway, and when the scripts triggers, just stops to work.
When the script finishes, the everything starts to work.
12-31-2010 01:22 AM
Ok. I checked again, it seem that really is a routing issue. Looks like that ipsec sa's are established trough the primary link. I shold probably seperate the two ISP's in two different virtual routers to make this work. But I can't put ike gatewas into vr's bacause it's not supported. And what can I do now?
12-31-2010 02:45 AM - edited 12-31-2010 02:50 AM
Please be aware that even in JUNOS 10.4, the external-interface of a VPN must be in the default routing instance. Only the tunnel interface can be in a non-default routing instance (what is now officially supported with 10.4 but has still worked in older releases, for instance in 10.2 R3). The easiest solution is to install two /32 routes for the remote VPN endpoint, specifying their respective ISP router as next-hop. And of course verify that VPN2 specifies the external interface pointing to ISP2.
12-31-2010 06:09 AM
Why seperate into VRs?
You just need a static route to 'VPN2 peer Gateway' via the 'ISP2 Router'.
Using the following example:
ISP1: 126.96.36.199/24 gateway 188.8.131.52
ISP2: 184.108.40.206/24 gateway 220.127.116.11
VPN1 GW: 18.104.22.168
VPN2 GW: 22.214.171.124
route 126.96.36.199 via 188.8.131.52
route 184.108.40.206 via 220.127.116.11
01-03-2011 05:40 AM
This doesn't solve the problem. I have on central location on srx two tunnel endpoints via two ISP's and on the remote location one tunnel endpoint. If I enter the host route for tunnel endpoint via ISP2, then i have both IPSEC associations established over ISP2 link. Problem is because there is only one endpoint on the remote side.
What I would like to achieve is, that each vpn tunnel to the remote location is established over its own link.
01-03-2011 12:01 PM
gasper, take a look at KB15545, it might be the ticket you're looking for to split your routing over your two ISPs with failover.
01-04-2011 07:14 AM
Ah, your problem makes sense now.
You could possibly use PBR (or filter-based-forwarding in Junos lingo I think). I guess you would need to terminate the tunnel on a loopback interface though to force the traffic through the filter in order to get routed correctly.