04-08-2009 08:27 AM
In this case the IP address of the branch office Netscreen is intended to change, now using the Public IP address of the DSL interface, but the main office Netscreen’s IP would remain the same.
I’ve set this up by:
- Creating a second unnumbered tunnel interface bound to the loopback used for all the VPNs on each side
- Creating a second IKE Gateway and VPN bound to the new tunnel interface
- Creating higher preference (less likely to be used) routes pointing to the second tunnel
The branch office Netscreen learns its default route via BGP and has a higher preference default route pointing out the DSL gateway address.
When I shut down the connection to the upstream router in the branch office (cutting it off from BGP) the second VPN does not come up. Further troubleshooting showed the primary tunnel interface on both sides continued to show as ready, and I was expecting it to go down. Since the interface stayed ready, it doesn’t look like the higher preference routes were used.
I confirmed that each firewall was able to ping the other using the DSL interface, so I know routing isn’t an issue.
Does anyone have any suggestions on getting this working, am I going about it the wrong way, or just missed some feature I need to enable or config I need to change?
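The three-step setup described above expressed as branch-office ScreenOS CLI, with VPN monitoring enabled so the primary tunnel interface actually transitions to down when its peer becomes unreachable; this is an added example, not configuration from the original post, and all interface names, zones, IP addresses, VPN/gateway names, preference values and the pre-shared key are constructed placeholders (keyword syntax as recalled from ScreenOS; verify against the device's release).

```screenos
## Branch office Netscreen (ScreenOS). Every name and address here is a constructed placeholder.
## Loopback on which all VPNs terminate; both tunnel interfaces borrow its address.
set interface loopback.1 zone untrust
set interface loopback.1 ip 192.0.2.1/32

## Primary tunnel (leaves via the upstream/BGP-facing interface) and backup tunnel (leaves via DSL)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface loopback.1

## Two IKE gateways to the same main-office address, distinguished by outgoing interface
set ike gateway gw-primary address 198.51.100.10 main outgoing-interface ethernet0/0 preshare "PLACEHOLDER-PSK" sec-level standard
set ike gateway gw-backup address 198.51.100.10 main outgoing-interface ethernet0/3 preshare "PLACEHOLDER-PSK" sec-level standard

## Route-based VPNs, one bound to each tunnel interface
set vpn vpn-primary gateway gw-primary sec-level standard
set vpn vpn-primary bind interface tunnel.1
set vpn vpn-backup gateway gw-backup sec-level standard
set vpn vpn-backup bind interface tunnel.2

## VPN monitor: probes the peer's loopback through each tunnel and marks the bound tunnel
## interface DOWN when probes fail, so the route with the higher preference value takes over.
## Without a monitor the tunnel interface only ever reports "ready", never down.
## "rekey" keeps the backup SA negotiated even when no user traffic flows through it.
set vpn vpn-primary monitor source-interface loopback.1 destination-ip 192.0.2.2 optimized rekey
set vpn vpn-backup monitor source-interface loopback.1 destination-ip 192.0.2.2 optimized rekey

## Routes to the main-office LAN: the lower preference value wins while tunnel.1 is up
set route 10.10.0.0/16 interface tunnel.1 preference 20
set route 10.10.0.0/16 interface tunnel.2 preference 40

## Static default via the DSL gateway with a preference value assumed higher (less preferred)
## than the BGP-learned default, so it is used only when the BGP route disappears
set route 0.0.0.0/0 interface ethernet0/3 gateway 203.0.113.1 preference 60
```

After applying it, `get interface tunnel.1` should report up/down rather than ready, and `get route` shows which of the two tunnel routes is active.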
04-08-2009 09:13 AM
When you build a redundant VPN you should set three components:
Monitor, VPN group and target.
Can you try disabling "SYN checking on the tunnel interface" and see the connection behavior?
personal mail: email@example.com
04-08-2009 02:34 PM - edited 04-08-2009 02:36 PM
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.