Screen OS

  • 1.  SSG5 two VPN connections from same subnet ???

    Posted 07-01-2014 07:01

    Site A is our corporate office. It has two SSG5s in an HA, and terminates several VPN connections. I am using policy based VPNs.

    Site B is a mobile unit that connects through a Satellite A, and a Satellite B (for backup).

    When Site B loses Satellite A, we have a failover mechanism that routes traffic out Satellite B. However, we have to manually login to Site A SSG5 and change the priority of the Policy based VPN so the Site B Satellite B VPN policy takes precedence.

    Can I resolve this manual switch over in Site A by using some other method of VPN?

    Is there a Concepts and Example that covers such a configuration?

    Thanks,

    K



  • 2.  RE: SSG5 two VPN connections from same subnet ???

    Posted 07-01-2014 09:15

    You could use VPN monitoring to monitor the connection.  Enabling rekey will remove the routes and SA when the VPN is unreachable.



  • 3.  RE: SSG5 two VPN connections from same subnet ???
    Best Answer

    Posted 07-02-2014 03:38

    For a Policy VPN you can program automatic failover using the group vpn feature.  I have a configuration example posted in the Configuration Library.
    http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Policy-VPN-with-Dual-WAN-Auto-Failover/m-p/82570#M238



  • 4.  RE: SSG5 two VPN connections from same subnet ???

    Posted 07-02-2014 05:02

    Will either of these two options work when both Satellite A and B are using DHCP and NAT Traversal?

    These Satellite ISPs don't have the option for a static public IP address.

    K



  • 5.  RE: SSG5 two VPN connections from same subnet ???

    Posted 07-02-2014 05:10

    Group vpn will work. This puts the two gateways into a group and only uses one at a time. You select which is primary when you setup the group.

    All the other vpn settings like using aggressive mode and NAT traversal are still available to each vpn individually.
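An added illustration (not from any post in this thread, nor from the linked Configuration Library entry) of what the group VPN arrangement described above looks like on the Site A SSG5: two dynamic-peer IKE gateways with NAT traversal, one Phase 2 VPN each, VPN monitoring with rekey so a dead tunnel drops its SA, and a vpn-group that the trust/untrust policy pair references instead of a single VPN. All interface names, peer IDs, addresses and preshared-key placeholders are constructed, and the command forms are recalled from the ScreenOS CLI (weight is assumed to rank the members, higher preferred), so compare them against the Concepts and Examples VPN volume before use.

```screenos
# Site A (corporate office) - constructed example configuration
# Two IKE gateways, one per Site B satellite link. Both peers sit behind
# DHCP/NAT on the satellite side, so they are defined as dynamic peers
# (aggressive mode with a peer ID) and NAT traversal is enabled.
set ike gateway gw-siteB-satA dynamic siteB-satA@example.com aggressive outgoing-interface ethernet0/0 preshare "<PSK-SAT-A>" sec-level standard
set ike gateway gw-siteB-satA nat-traversal
set ike gateway gw-siteB-satB dynamic siteB-satB@example.com aggressive outgoing-interface ethernet0/0 preshare "<PSK-SAT-B>" sec-level standard
set ike gateway gw-siteB-satB nat-traversal

# Phase 2 VPN per gateway; each keeps its own proposals and settings.
set vpn vpn-siteB-satA gateway gw-siteB-satA sec-level standard
set vpn vpn-siteB-satB gateway gw-siteB-satB sec-level standard

# VPN monitoring with rekey: when a tunnel stops answering, its SA is
# torn down rather than lingering, which is what lets the group move
# traffic to the other member without a manual policy reorder.
set vpn vpn-siteB-satA monitor rekey
set vpn vpn-siteB-satB monitor rekey

# VPN group 1: Satellite A is primary (higher weight), Satellite B backup.
set vpn-group id 1 vpn vpn-siteB-satA weight 2
set vpn-group id 1 vpn vpn-siteB-satB weight 1

# Address objects for the two LANs (constructed values).
set address trust corp-lan 10.10.0.0 255.255.0.0
set address untrust siteB-lan 10.20.0.0 255.255.255.0

# A single policy pair references the group, so there is no longer a
# per-satellite policy whose order has to be swapped by hand at failover.
set policy id 10 from trust to untrust corp-lan siteB-lan any tunnel vpn-group 1
set policy id 11 from untrust to trust siteB-lan corp-lan any tunnel vpn-group 1
```

The Site B SSG5 still needs its own matching gateway and VPN definitions for each satellite link; only the hub side is shown here.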