Screen OS

  • 1.  2 VPN policy based: automate failover

    Posted 03-24-2011 06:48

    Hello everyone,
    I use a Juniper SSG140 to connect to a remote office with a VPN.
    I use a policy-based VPN on the SSG140 because the device is connected to a third-party device.

    Should I implement a second VPN using a second backup line connected to a second Untrust interface on the SSG140?
    All the documentation I found is only about backup on route-based systems.
    To get around this I created two identical policies which activate two different tunnels.
    I thought of using a default policy by disabling the second policy and, in case of a fault on the first VPN,
    manually disabling the first policy and enabling the second.
    Is there a way to do it all automatically?
    Can you help me with some ideas?

    Please excuse me for my bad English.
    Thank you all.
    Good day.



  • 2.  RE: 2 VPN policy based: automate failover
    Best Answer

    Posted 03-24-2011 14:03

    You can configure a VPN group that will do this for you.  This places the two VPN setups in a single object that you can associate the tunnel policy with.  These are the steps in the process.  Most of these are going to exist already, as you describe the configuration above, so you will just need to create the VPN group, associate the existing objects, and then remove the backup tunnel policy.

    1-Create a VPN group
    VPN -- AutoKey Advanced -- VPN Group

    2-Create the two Gateways for the remote site, associated with the two different circuit interfaces

    3-Create the two AutoKey IKE objects, one associated with each gateway.
    On the advanced screen, select the VPN group on both objects.
    On the primary internet service object, set the priority number to "2" instead of the default 1.  The higher number is the preferred connection.

    4-Create the tunnel policy and use the VPN group as the Tunnel VPN that is associated with the policy

    The two alternate paths will automatically fail over, with the higher-priority one as the preferred connection.  Naturally the remote site will need to be aware of both gateway addresses to accept the tunnel connections from either.



  • 3.  RE: 2 VPN policy based: automate failover

    Posted 03-25-2011 08:19

    Great !

    Thank you very much Steve.



  • 4.  RE: 2 VPN policy based: automate failover

    Posted 03-31-2011 02:15

    Hello Steve,
    there is a problem.
    On the Untrust interface eth0/8, on which the VPN goes out, I have set a DIP (DIP 4) and I set a policy with NAT enabled, source translation, DIP 4 on.

    Now, when the system uses the second line on Untrust interface eth0/9, I do not know how to set the DIP.
    I tried to create a new DIP on eth0/9 with the same address used in the DIP on interface eth0/8, but the system will not let me.

    The policy does not accept two DIPs.
    Is there a solution?

    Please excuse my bad English.
    Thanks a lot.
    Hello



  • 5.  RE: 2 VPN policy based: automate failover

    Posted 03-31-2011 15:23

    I'm not sure I understand the correct direction of your policy.  But I think you have an inbound policy and DIP on the primary interface to a server on the LAN.  And when the failover occurs you want to create a similar forward from the secondary public interface to the same server using one of those IP addresses.

    If this is correct, then I think the simplest solution is to assign a second internal IP address to the server for use as the destination of the second interface.  You can put this onto the NIC of the server and both can coexist fine.  Then you will not have the overlap issue in creating the policy.



  • 6.  RE: 2 VPN policy based: automate failover

    Posted 04-01-2011 01:05

    In simple words:

    In my network (e.g. 192.168.0.x), any computer that has to contact the remote server through the VPN must present itself with a single address, e.g. 10.205.4.2.
    To do this I created a DIP (DIP4) on Untrust interface eth0/8 and I set the policy that creates the tunnel with
    NAT Source Translation, which refers to the source DIP4.
    I also created a DIP (DIP5) on Untrust interface eth0/9, which I want to use if eth0/8 fails.
    I cannot create DIP5 with the same IP address as DIP4 on my SSG140, so I use another IP address (e.g. 10.204.4.2).

    In the policy that routes requests to the remote server through the VPN tunnel,
    I use the VPN group as the VPN Tunnel that is associated with the policy (as mentioned in previous posts by Steve),
    but I can only use DIP4 on Untrust interface eth0/8 and not DIP5 on Untrust interface eth0/9.

    In this way, it is not possible to automate the creation of the VPN on interface 0/9 if interface 0/8 fails.



  • 7.  RE: 2 VPN policy based: automate failover

    Posted 04-03-2011 12:39

    I think I understand the issue now.

    I did a short test in the lab and I think your solution is to create the DIP on your trust internal interface, where the 192.168.0.x addresses are located, instead of on the untrust one.

    Then use this DIP on the VPN policy object and it will work for both tunnel connections.



  • 8.  RE: 2 VPN policy based: automate failover

    Posted 04-27-2011 06:03

    >I did a short test in the lab and I think your solution is to create the dip on your trust internal interface where the >192.168.0.x addresses are located instead of on the untrust one.

    >Then use this dip on the vpn policy object and it will work for both tunnel connections.

    Hi Spuluka,

    I tried to do what you told me, but the DIP on my trust internal interface does not work.

    Is additional configuration required?

    To be clearer, let's simplify the configuration.

    E.g. the external untrust interface IP is 10.0.0.1, the internal trust interface is 192.168.1.1.

    The goal is to connect all the PCs in the trust zone, with a single IP address (e.g. 10.208.32.108), to the remote PC through the VPN.

    Normally, to do this, I create a DIP 10.208.32.108 on the Untrust interface.

    Can you do it on the trust interface?

    Why does it not work?

    Thanks again for your patience

    Giuseppe



  • 9.  RE: 2 VPN policy based: automate failover

    Posted 04-28-2011 15:46

    You can create a dip on any interface.  In your situation you cannot use a dip on the untrust interface because when the failover occurs you will be on the other interface.  By creating the dip on the trust interface you don't have this issue during the failover process.
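
The thread describes the configuration only through the WebUI. As an added example (not Steve's or Juniper's own configuration, and not part of the original thread), the ScreenOS CLI equivalent below ties together the two points the thread settles on: a VPN group holding both AutoKey IKE objects, with the preferred tunnel given the higher weight (post 2), and the source DIP placed on the trust interface so the same tunnel policy works over whichever untrust interface is active (posts 7 and 9). Assumptions: ethernet0/0 as the trust interface, ethernet0/8 and ethernet0/9 as the two untrust circuits (from the thread), remote peer 203.0.113.10 and remote LAN 10.205.4.0/24 (constructed), the predefined proposal names shown, and a pre-shared key placeholder. VPN monitoring is added because VPN group failover is driven by the monitored tunnel state; the exact command syntax is from memory and should be checked against the CLI reference for the ScreenOS release in use.

```screenos
## Added example (not from the thread): CLI form of the WebUI steps described above.
## Assumed: ethernet0/0 = trust, ethernet0/8 = primary untrust, ethernet0/9 = backup untrust,
## remote peer 203.0.113.10, remote LAN 10.205.4.0/24 (constructed). Replace <PSK>.

## 1. Two IKE gateways to the same remote site, one per circuit interface
set ike gateway gw-primary address 203.0.113.10 outgoing-interface ethernet0/8 preshare "<PSK>" proposal pre-g2-aes128-sha
set ike gateway gw-backup  address 203.0.113.10 outgoing-interface ethernet0/9 preshare "<PSK>" proposal pre-g2-aes128-sha

## 2. Two AutoKey IKE VPN objects, one bound to each gateway; monitoring detects tunnel loss
set vpn vpn-primary gateway gw-primary proposal g2-esp-aes128-sha
set vpn vpn-backup  gateway gw-backup  proposal g2-esp-aes128-sha
set vpn vpn-primary monitor rekey
set vpn vpn-backup  monitor rekey

## 3. VPN group containing both; the higher weight is preferred (WebUI "priority 2" vs default 1)
set vpn-group id 1 vpn vpn-primary weight 2
set vpn-group id 1 vpn vpn-backup  weight 1

## 4. Source DIP on the TRUST interface, not on either untrust interface,
##    so the same DIP id is valid no matter which circuit carries the tunnel
set interface ethernet0/0 dip 4 10.205.4.2 10.205.4.2

## 5. One tunnel policy: source NAT to DIP 4, tunnel action points at the VPN group
set address trust   lan-net    192.168.0.0/24
set address untrust remote-net 10.205.4.0/24
set policy id 10 name "to-remote-vpn" from trust to untrust lan-net remote-net any nat src dip-id 4 tunnel vpn-group 1

## Remote side: as post 2 notes, the peer must accept IKE from both local
## interface addresses (ethernet0/8 and ethernet0/9), so it needs a gateway
## object for each, or one that allows both.
```

With this in place there is a single policy to maintain; the second, disabled "backup" policy from the first post is no longer needed, and the NAT source address seen by the remote server stays 10.205.4.2 across a failover.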