Screen OS

  • 1.  VPN, FW with two serial interfaces

    Posted 10-28-2008 03:59
    Hello Everybody!

    I am in the design phase of a project. I have attached the designed topology.

    The ISP of my customer is going to give 2 x 2 Mbps leased lines with X.21 interfaces to the HQ.
    To handle this I am going to offer an SSG-20-SH + 2 x JXM-1SERIAL-S + 2 x JX-CBL-X21-DTE.
    There will be ADSL Internet connections in the branch offices, so I am going to offer the SSG-5-SB.

    All Internet connections will have fixed public IP addresses.
    However, I am not sure how I can terminate IPsec site-to-site VPNs between the HQ and the 12 + 1 branch offices.
    I think that I need 3 public IP addresses at the HQ: one for each serial interface and one for a loopback interface.

    Is it possible to use the public IP address of the loopback interface for VPN initiation and termination?
    I think I have to configure ECMP to use both links at the same time. How would it impact VPN operation?

    Any ideas, suggestions or references would be appreciated.

    Thanks in advance,
    Tamas


  • 2.  RE: VPN, FW with two serial interfaces

    Posted 10-28-2008 09:03

    Hi,

    Just make 2 VPNs from the remote to the 2 IP addresses from your ISPs. These VPNs are route-based, so you can have a first route to T1 and a backup route to T2.

    For outgoing traffic, be careful with ECMP (because it is packet-based routing, if I am not mistaken!). This means that some applications have problems with it (the source IP will change).

    Maybe it's better to use PBR and load-share your traffic like this.

    GreetZ,

    Frac
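
Frac's two-tunnel layout on the branch side, written out as an added ScreenOS CLI example; this is not configuration from the thread, and the interface names, addresses, LAN prefixes and the pre-shared key are assumptions (the `##` lines are annotations, not ScreenOS syntax). Each HQ serial address gets its own IKE gateway and route-based VPN bound to its own tunnel interface. VPN monitoring takes a tunnel interface down when the peer stops answering, which withdraws the metric-1 route and leaves the metric-10 route through the other HQ link as the active path:

```screenos
## Branch SSG-5: untrust ethernet0/0 carries the fixed public IP (assumed address)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 192.0.2.10/29
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.9

## One tunnel interface per HQ serial link, unnumbered on the untrust interface
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/0

## Phase 1: one IKE gateway per HQ public address (203.0.113.2 and 203.0.113.6 are
## assumed to be the HQ serial interface IPs); explicit AES-128 / SHA-1 / DH group 2
set ike gateway gw-hq-a address 203.0.113.2 main outgoing-interface ethernet0/0 preshare "replace-with-a-long-random-psk" proposal pre-g2-aes128-sha
set ike gateway gw-hq-b address 203.0.113.6 main outgoing-interface ethernet0/0 preshare "replace-with-a-long-random-psk" proposal pre-g2-aes128-sha

## Phase 2: route-based VPNs bound to the tunnel interfaces; "monitor rekey" keeps
## the SA up and drops the tunnel interface (and its route) when the peer is dead
set vpn vpn-hq-a gateway gw-hq-a proposal g2-esp-aes128-sha
set vpn vpn-hq-a bind interface tunnel.1
set vpn vpn-hq-a monitor rekey
set vpn vpn-hq-b gateway gw-hq-b proposal g2-esp-aes128-sha
set vpn vpn-hq-b bind interface tunnel.2
set vpn vpn-hq-b monitor rekey

## HQ LAN (assumed 10.0.0.0/24): primary route via tunnel.1, backup via tunnel.2
set route 10.0.0.0/24 interface tunnel.1 metric 1
set route 10.0.0.0/24 interface tunnel.2 metric 10

## tunnel.N lives in untrust, so ordinary trust<->untrust policies apply;
## scope them to the two LANs rather than any/any
set address trust branch-lan 10.101.0.0/24
set address untrust hq-lan 10.0.0.0/24
set policy from trust to untrust branch-lan hq-lan any permit
set policy from untrust to trust hq-lan branch-lan any permit
```

The HQ side mirrors this with two gateways per branch, one on each serial address, and the same metric split. VPN monitor with its default source and destination assumes a ScreenOS device on the far end; the branch's outbound path choice is then deterministic (metric, not ECMP), so the source-address concern Frac raises only affects whatever the HQ does for its own outbound traffic.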



  • 3.  RE: VPN, FW with two serial interfaces

    Posted 10-28-2008 09:16

    Hello Frac!

    I thought about it, but:

    1. It seems to me that I have to configure policy-based VPNs on the remote sites and route-based ones at the HQs. There is a backup HQ, and we have to manually "switch" the VPNs to it in case of a primary HQ disaster. I'm sorry, but it is too hard to explain the background and the cons. In the case of policy-based VPNs I can do the "switching" with two clicks: inactivate the VPN policy to the HQ and activate the VPN policy to the backup HQ.

    2. In the Cisco router world I can use the loopback method, and in this case I do not have to care about line problems. Each remote site always sends VPN traffic to the HQ's loopback, and the routing between the ISP and the HQ router decides which physical link is used. I assume it is more elegant than the other, in which case each remote site has to have 4 VPN policies.

    3. The main traffic will be RDP between the remote sites and the HQs, so I assume that ECMP does not bother this. However, I do not have experience with ECMP and IPsec VPN.

    If nobody tells me what the best practice is in my scenario, or how I can do that, I will do what you suggest.

    Thanks again.

    Tamas
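
The loopback method Tamas describes, as an added ScreenOS CLI example for the HQ SSG-20 plus the matching branch fragment; it is not configuration from the thread. The serial interface names, all addresses and prefixes and the pre-shared key are assumptions, the `##` lines are annotations rather than ScreenOS syntax, and the design assumes the ISP statically routes the loopback /32 towards the HQ over both circuits. Loopback termination of IKE/IPsec should be checked against the release notes of the ScreenOS version actually deployed. IKE is sourced from loopback.1, so every branch sees one peer address regardless of which serial link carries the packets:

```screenos
## HQ SSG-20: the two X.21 mini-PIM serial links (interface names assumed)
set interface serial1/0 zone untrust
set interface serial1/0 ip 203.0.113.2/30
set interface serial2/0 zone untrust
set interface serial2/0 ip 203.0.113.6/30

## Loopback holding the single VPN termination address (assumed /32, routed by the ISP)
set interface loopback.1 zone untrust
set interface loopback.1 ip 198.51.100.1/32

## Default route out over both links as primary/backup rather than ECMP
set route 0.0.0.0/0 interface serial1/0 gateway 203.0.113.1 metric 1
set route 0.0.0.0/0 interface serial2/0 gateway 203.0.113.5 metric 10

## One tunnel interface per branch, unnumbered on the loopback, IKE sourced from it
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface loopback.1
set ike gateway gw-branch01 address 192.0.2.10 main outgoing-interface loopback.1 preshare "replace-with-a-long-random-psk" proposal pre-g2-aes128-sha
set vpn vpn-branch01 gateway gw-branch01 proposal g2-esp-aes128-sha
set vpn vpn-branch01 bind interface tunnel.1
set vpn vpn-branch01 monitor rekey
set route 10.101.0.0/24 interface tunnel.1
## Repeat tunnel.N / gw-branchNN / vpn-branchNN / route for the remaining branches

## Branch SSG-5 (untrust interface name assumed): a single gateway pointing at the
## HQ loopback is enough, no second tunnel or route needed for link failover
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway gw-hq address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "replace-with-a-long-random-psk" proposal pre-g2-aes128-sha
set vpn vpn-hq gateway gw-hq proposal g2-esp-aes128-sha
set vpn vpn-hq bind interface tunnel.1
set vpn vpn-hq monitor rekey
set route 10.0.0.0/24 interface tunnel.1
```

With the metric split above the HQ never load-shares its own outbound traffic; to use both links at once the two default routes would need equal metrics and `set max-ecmp-routes 2`, which is exactly the case where the source address of non-VPN outbound sessions can alternate between the two serial IPs. VPN traffic is unaffected by that, since ESP is sourced from the loopback either way.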



  • 4.  RE: VPN, FW with two serial interfaces
    Best Answer

    Posted 10-29-2008 06:23

    Hello Everybody!

    I found another possible solution.

    Bind the two serial links into a virtual link with Multilink PPP. In this case I need only one public IP for the ML-PPP interface.

    And I bind the tunnel interface to the ML-PPP interface. I hope the VPN would work and "load balancing" will be handled by ML-PPP as well.

    Is there anybody who has configured this? Are there any disadvantages to this solution?

    Thanks in advance,

    Tamas