Screen OS

  • 1.  Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers

    Posted 12-23-2014 08:41

    I know that the answer is probably going to be no, but I have this scenario: I have two different internet providers connected to the same SSG5 on one side, into two different physical interfaces. The remote central location has one provider connected to one physical interface. I am using route-based VPN tunnels with unnumbered interfaces. I want to have two active route-based VPN tunnels that use two separate providers (on the SSG5), but both VPN tunnels go to the same remote gateway destination. Logically, it does not seem to be possible through routing without splitting everything into two virtual routers. I can have one or the other up by setting different preferences, but that seems to be about all I can do. Is there any way to establish both VPN tunnels to the same destination at the same time without having to use virtual routers? The breakdown is obviously in the routing, but I was hoping I could do something crazy like source routing to force traffic from one provider out its interface in order to reach the remote gateway. That did not get the traffic to flow correctly to allow both internet provider connections to establish the tunnel to the same gateway. I am so sorry if this seems confusing, so please guide me to explaining correctly. My end goal is that I have one specific network destination that I want to route through a different internet provider than the rest. Problem is, it needs to go through a VPN tunnel to reach our central location. Having only one VPN tunnel active obviously does not meet my goal, but conceptually I don't know if there is a way for this to work without having to split into virtual routers, and everybody yells at me when I mention those... Any advice? 🙂



  • 2.  RE: Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers

    Posted 12-23-2014 16:15

    Sorry, I am confused.

     

    My end goal is that I have one specific network destination that I want to route through a different internet provider than the rest. 

     Could you lay out how this will work? Destination-based is how routing works on the tunnels, so you should be able to point this special destination at tunnel A and the other destinations at tunnel B.

     

    Or do you mean a source at the site will use tunnel A and all others use tunnel B?

     



  • 3.  RE: Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers

    Posted 12-29-2014 13:20

    Well, to clarify (hopefully), let's put it this way:

     

    1. I have 2 separate internet providers at a spoke

    2. I have a hub location with one internet provider (with one public IP assigned to one interface on the Juniper)

    3. I want to have a Route-based VPN tunnel through both spoke internet providers to the same hub provider.

    4. This will allow me to pass VPN traffic destined to different destination hub networks over different spoke providers.

     

    So let's say I have one Comcast and one Frontier leased line at the spoke with a private network of 10.0.3.0/24. There are two networks at the hub, such as 10.0.1.0/24 and 10.0.2.0/24. I need communication between the hub and spoke to occur over route-based VPN tunnels. However, if the traffic is destined for 10.0.1.0/24, I want to route it through a VPN tunnel established from the Comcast line to the single internet provider at the hub. If the traffic is destined for 10.0.2.0/24, I would want the traffic routed through a VPN tunnel established from the Frontier line to the single internet provider at the hub.

     

    It seems to me that it is not possible to have two simultaneously established VPN tunnels when they would be trying to establish a VPN with the same gateway IP at the same time. The reason being that in order to establish the tunnel, the destination routing table says: if you are destined for the gateway IP (public IP of the hub), use this single interface (for example the interface connected to Comcast). If you try to add another routing entry destined for the same gateway IP (public IP of the hub) over a different interface (such as the Frontier interface), it's obviously not going to keep both routes active to keep both VPN tunnels over both providers active.

     

    I am so sorry for the confusion. I'm trying to express myself in the best way possible but I know it's probably coming across a little as gibberish. I'm just trying to confirm if my statements are correct and if there are any alternative ways to accomplish my goal (as restated) without having to split into two separate virtual routers.



  • 4.  RE: Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers
    Best Answer

     
    Posted 12-29-2014 18:40

    Perfect, your post is very clear and helpful for understanding the requirement; it is along the same lines as what I assumed in my earlier post.

     

    This design is not a straightforward VPN design; at the same time, it is not impossible.

     

    The primary issue is what you have highlighted in your post: only one default route will be active on the spoke. So, all VPN negotiations will happen only through one ISP. The way around this is to split the ISPs into their own routing domains, i.e., configure 2 VRs and bind each ISP to its own VR. Now, both ISP links and routes will be active at the same time.

     

    Let us assume Comcast is in VR-A and Frontier is in VR-B.

     

    Next ==> configure 2 VPNs, one through each ISP, pointing to the same peer: the hub. Create 2 tunnels, one in each VR, and bind the VPNs to their respective tunnels.

     

    Next step => Let us say 10.0.3.0/24 is a part of VR-A. Add a route in VR-A saying: to reach 10.0.1.0/24, use the tunnel in the same VR (Comcast). Add another route: to reach 10.0.2.0/24, go to VR-B.

    In VR-B, add a route to 10.0.2.0/24, using the tunnel for Frontier.

     

    The second issue: the hub side has no way to determine which tunnel to send the return traffic through, because the spoke subnet is always the same.

    Some workarounds I can think of:

    - perform bidirectional NAT on the spoke on both tunnels, so the hub can route traffic back easily

    - disable reverse route lookup on the hub -> this is a global setting and can affect other traffic

    - use source based routing on the hub, to choose tunnel.1 or tunnel.2 based on the source

     

    The third concern: I would assume you would also want to achieve ISP redundancy, i.e., if one ISP is down, route all traffic through the live ISP. If yes, then you can add more routes and modify the preference values.

     

    Let me know if this helps..

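The design in the accepted answer above, written out as a ScreenOS configuration. This is an added editorial example, not a config posted in the thread and not taken from Juniper documentation; the command syntax is ScreenOS 6.x as remembered and every line should be checked against the CLI reference for the release in use. All addresses (RFC 5737 documentation ranges for the public side, the thread's 10.0.x.0/24 networks for the private side), interface assignments, zone names, VPN names and the hub LAN gateway addresses used as monitor targets are assumptions made for the example. Lines beginning with # are annotations, not CLI input.

```text
# Assumed topology (constructed for this example):
#   spoke LAN 10.0.3.0/24 on bgroup0, Trust zone, trust-vr (the answer's "VR-A")
#   Comcast  ethernet0/0 203.0.113.2/30, ISP gateway 203.0.113.1, trust-vr
#   Frontier ethernet0/1 198.51.100.2/30, ISP gateway 198.51.100.1, vr-b ("VR-B")
#   hub: single public IP 192.0.2.1 on ethernet0/0, LANs 10.0.1.0/24 and 10.0.2.0/24

### ---------- spoke SSG5 ----------
# Second VR, one zone per ISP, and a separate zone per tunnel interface so a
# tunnel outage can never let LAN traffic match a cleartext Internet policy.
set vrouter name vr-b
set zone name untrust-b
set zone untrust-b vrouter vr-b
set zone name vpn-a
set zone name vpn-b
set zone vpn-b vrouter vr-b
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/30
set interface ethernet0/1 zone untrust-b
set interface ethernet0/1 ip 198.51.100.2/30
# Each VR keeps its own default route, so both ISP paths stay active.
set vrouter trust-vr route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
set vrouter vr-b route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1

# Unnumbered tunnel interfaces, one per VR
set interface tunnel.1 zone vpn-a
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone vpn-b
set interface tunnel.2 ip unnumbered interface ethernet0/1

# Two IKE gateways to the same hub address; outgoing-interface pins each
# negotiation to its ISP. Separate pre-shared keys so one leaked key does not
# expose both tunnels; "replay" enables anti-replay protection on the SAs.
set ike gateway gw-comcast address 192.0.2.1 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME-A" sec-level standard
set ike gateway gw-frontier address 192.0.2.1 Main outgoing-interface ethernet0/1 preshare "REPLACE-ME-B" sec-level standard
set vpn vpn-comcast gateway gw-comcast replay tunnel idletime 0 sec-level standard
set vpn vpn-comcast bind interface tunnel.1
set vpn vpn-comcast proxy-id local-ip 10.0.3.0/24 remote-ip 10.0.1.0/24 "ANY"
set vpn vpn-frontier gateway gw-frontier replay tunnel idletime 0 sec-level standard
set vpn vpn-frontier bind interface tunnel.2
set vpn vpn-frontier proxy-id local-ip 10.0.3.0/24 remote-ip 10.0.2.0/24 "ANY"
# VPN monitor: without it a dead tunnel's interface (and its route) stays up
# and a preference-based backup route is never used. Targets are assumed hub LAN gateways.
set vpn vpn-comcast monitor source-interface bgroup0 destination-ip 10.0.1.1 optimized rekey
set vpn vpn-frontier monitor source-interface bgroup0 destination-ip 10.0.2.1 optimized rekey

# Routing per the answer: 10.0.1.0/24 down tunnel.1; 10.0.2.0/24 handed to
# vr-b, which sends it down tunnel.2. vr-b also needs a route back to the LAN
# for replies that arrive on tunnel.2. Lower preference wins (static default 20).
set vrouter trust-vr route 10.0.1.0/24 interface tunnel.1
set vrouter trust-vr route 10.0.2.0/24 vrouter vr-b
set vrouter vr-b route 10.0.2.0/24 interface tunnel.2
set vrouter vr-b route 10.0.3.0/24 vrouter trust-vr
# ISP redundancy for 10.0.1.0/24: used only once VPN monitor takes tunnel.1 down
set vrouter trust-vr route 10.0.1.0/24 vrouter vr-b preference 40
set vrouter vr-b route 10.0.1.0/24 interface tunnel.2 preference 40

# Policies only between Trust and the tunnel zones; nothing permits Trust -> Untrust/untrust-b for these prefixes
set address Trust spoke-lan 10.0.3.0/24
set address vpn-a hub-net-1 10.0.1.0/24
set address vpn-b hub-net-2 10.0.2.0/24
set policy from Trust to vpn-a spoke-lan hub-net-1 ANY permit
set policy from vpn-a to Trust hub-net-1 spoke-lan ANY permit
set policy from Trust to vpn-b spoke-lan hub-net-2 ANY permit
set policy from vpn-b to Trust hub-net-2 spoke-lan ANY permit

### ---------- hub ----------
# Both tunnels lead to the same spoke prefix, so a destination route alone
# cannot pick one. Source-based routing (the answer's third workaround) selects
# the tunnel from the hub-side network, leaving the global reverse-route setting alone.
set zone name vpn-hub
set interface tunnel.1 zone vpn-hub
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone vpn-hub
set interface tunnel.2 ip unnumbered interface ethernet0/0
set ike gateway gw-spoke-comcast address 203.0.113.2 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME-A" sec-level standard
set ike gateway gw-spoke-frontier address 198.51.100.2 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME-B" sec-level standard
set vpn vpn-spoke-comcast gateway gw-spoke-comcast replay tunnel idletime 0 sec-level standard
set vpn vpn-spoke-comcast bind interface tunnel.1
set vpn vpn-spoke-comcast proxy-id local-ip 10.0.1.0/24 remote-ip 10.0.3.0/24 "ANY"
set vpn vpn-spoke-frontier gateway gw-spoke-frontier replay tunnel idletime 0 sec-level standard
set vpn vpn-spoke-frontier bind interface tunnel.2
set vpn vpn-spoke-frontier proxy-id local-ip 10.0.2.0/24 remote-ip 10.0.3.0/24 "ANY"
set vrouter trust-vr route 10.0.3.0/24 interface tunnel.1
set vrouter trust-vr route 10.0.3.0/24 interface tunnel.2 preference 40
set vrouter trust-vr source-routing enable
set vrouter trust-vr source-route 10.0.1.0/24 interface tunnel.1
set vrouter trust-vr source-route 10.0.2.0/24 interface tunnel.2
```

Two things to verify in a lab before relying on this. First, the backup path for 10.0.2.0/24 is deliberately not shown: the inter-VR route in trust-vr pointing at vr-b is static and does not go inactive when tunnel.2 in vr-b does, so a lower-preference route to tunnel.1 in trust-vr would never be selected; that direction of failover needs a different trigger than route preference. Second, confirm with `get route` in each VR and `get sa active` that both Phase 2 SAs are up at once and that traffic to each hub network leaves on the intended ISP interface; the proxy-ids above must be mirrored exactly on the hub or Phase 2 will fail.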


  • 5.  RE: Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers

    Posted 12-30-2014 10:21

    Thank you so much for the detailed response! Unless there are any second opinions out there, your logic makes sense to me and I will accept it as an appropriate answer.



  • 6.  RE: Simultaneous Route-Based VPN Tunnels Over Two Different Internet Providers

     
    Posted 12-23-2014 19:24

    Hi,

     

    Is your end goal something like:

     

    - 10.0.0.0/24 is the central location LAN

    - you want to reach 10.0.0.0/25 through ISP-A from the local site

    - 10.0.0.200/25 through ISP-B

     

    Does this look right?

     

    If yes, just add the related routes (10.0.0.0/25 through tunnel.x and 10.0.0.222/25 through tunnel.y). You can have both tunnels up at the same time; that will work.

     

    If needed, you can add 2 more /24 routes through both tunnels, with a lower preference. These will serve as backup routes in case one of the ISPs is down.