03-12-2009 08:13 AM
03-12-2009 08:49 AM - edited 03-12-2009 08:52 AM
I'd stay away from redundant gateways as far as I could if I were you. They only work (a little) with policy-based VPNs. And you're using route-based VPNs. So let the routing do the work for you!
Configure two VPNs, one to the first location, one to the other. If using static routes, set the preference or metric value higher on the tunnel interface bound to the backup VPN. Use VPN monitoring on the first (adjust the vpnmonitor interval and threshold to a reasonable value). When the primary VPN goes down, the tunnel interface goes down because of the monitoring. If the outgoing interface goes down, the preferred route goes inactive (don't use the permanent option!), the second route (to your backup VPN's tunnel interface) becomes active and voila!
If you want to use OSPF: you don't need the monitoring then. Configure the two VPNs. Use numbered interfaces (you're already doing that of course, otherwise you couldn't use MIPs on the tunnel interfaces). Enable OSPF and override the cost calculation at interface level for the route to the destination, making the route via the backup more expensive.
The firewall at your customer's site won't have a clue that the two identical routes presented by OSPF are not at the same location. It will choose the better path as active. When OSPF fails on the primary link (VPN gone) the second one will become active.
This approach (I didn't give all the details, ask for specifics if parts aren't clear) gives way more flexibility than policy-based with redundant gateways!
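As an added illustration of the two variants described in the reply above (this is not Screenie's configuration and not part of the original thread), the ScreenOS commands below bind two route-based VPNs to two numbered tunnel interfaces, then show the static-route failover (worse preference on the backup, VPN monitoring on the primary, no permanent keyword) and, as an alternative, the OSPF variant with a higher interface cost on the backup tunnel. All addresses, gateway and VPN names, preshared keys, preference and cost values are constructed placeholders; the command syntax assumes ScreenOS 5.x/6.x and should be checked against the CLI reference for the firmware actually in use. Lines beginning with # are annotations for the reader, not ScreenOS commands.

```screenos
# Added example, not from the thread. Single NetScreen with two route-based VPNs:
# primary on tunnel.1, backup on tunnel.2. All values are constructed placeholders.

# Numbered tunnel interfaces (required for MIPs on the tunnel, as the reply notes)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.100.1.1/30
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 10.100.2.1/30

# IKE gateways and VPNs, each bound to its own tunnel interface
set ike gateway gw-primary address 203.0.113.10 main outgoing-interface ethernet3 preshare "PLACEHOLDER-KEY-1" sec-level standard
set ike gateway gw-backup address 203.0.113.20 main outgoing-interface ethernet3 preshare "PLACEHOLDER-KEY-2" sec-level standard
set vpn vpn-primary gateway gw-primary sec-level standard
set vpn vpn-primary bind interface tunnel.1
set vpn vpn-backup gateway gw-backup sec-level standard
set vpn vpn-backup bind interface tunnel.2

# MIP on the primary tunnel interface: internal host 192.168.1.5 presented as 10.100.1.5 (constructed)
set interface tunnel.1 mip 10.100.1.5 host 192.168.1.5 netmask 255.255.255.255 vr trust-vr

# ---- Variant A: static routes plus VPN monitoring (use A or B, not both) ----
# Global monitoring timers: probe every 10 s, declare the VPN down after 5 consecutive failures
set vpnmonitor interval 10
set vpnmonitor threshold 5
# Monitor only the primary VPN; when probes fail, tunnel.1 is brought down
set vpn vpn-primary monitor source-interface tunnel.1 destination-ip 10.100.1.2 rekey
# Two routes to the customer LAN (198.51.100.0/24, constructed). The backup has a higher
# (worse) preference. No "permanent" keyword, so the primary route goes inactive when tunnel.1 drops.
set route 198.51.100.0/24 interface tunnel.1 preference 20
set route 198.51.100.0/24 interface tunnel.2 preference 40

# ---- Variant B: OSPF over both tunnels, backup made more expensive by interface cost ----
set vrouter trust-vr protocol ospf
set vrouter trust-vr protocol ospf enable
set interface tunnel.1 protocol ospf area 0
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf cost 10
set interface tunnel.2 protocol ospf area 0
set interface tunnel.2 protocol ospf enable
set interface tunnel.2 protocol ospf cost 100
```

In variant A the route table, not the VPN policy, decides which tunnel carries traffic, so `get route` on the firewall is the place to confirm that the tunnel.2 route becomes active only after monitoring has taken tunnel.1 down. In variant B the peer simply sees two OSPF paths to the same prefix and prefers the cheaper one; when the primary adjacency is lost the backup path takes over without any monitoring. Both variants configure one firewall only.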
03-12-2009 09:04 AM
Thank you very much for the detailed answer and advice; I'll try to stay away from the redundant gateways. The issue is that I'm managing the location with the two NetScreens and the customer will be managing his NetScreen. In other words, you are describing the configuration on our customer's side, and yes, it should be easy (if the customer uses Juniper).
I still don't know how to properly route the MIP range on the internal network so that I route the traffic to the NetScreen that has the active tunnel; hope it's clearer now.
03-12-2009 11:41 AM
03-16-2009 04:16 AM
Thanks Screenie, I believe I got the idea now
Do you think there is a chance to make this work with different vendors? I mean NetScreen on our side and, let's say, Cisco PIX or Check Point on the customer's side?
03-16-2009 04:20 AM