ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
sam
Contributor
sam
Posts: 19
Registered: ‎02-27-2008
0

redundant VPN gateways

Options

‎03-12-2009 08:13 AM

We have a netscreen (NS-500) where we terminate site to site tunnels from third parties, we use route based VPNs and do source NAT (MIP) on the netscreen. The customers IP is translated to the MIP when entering our network and when we want to connect to the customer we connect to the MIP address

Everything works fine but now we want to introduce another netscreen at the disaster recovery site (different physical location, different ISP) or what is described as "redundant VPN gateways" in the guide.

I understand that the customer would need to make some modifications on his side to support backup tunnel (Juniper calls this VPN group, not sure this is possible on Cisco routers / firewalls and check points) but the problem we have is that we want use the same MIPs on both firewalls (primary and disaster recovery) as this is the destination our servers connect to

We will have to use dynamic routing in a way that the primary netscreen would have to advertise the MIP range of customer A to our internal network only when the tunnel with customer A is active. What is the best way to do so? Having dynamic routing with the customer is not an option

Thanks
Message 1 of 6 (6,348 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 945
Registered: ‎01-10-2008
0

Re: redundant VPN gateways

[ Edited ]
Options

‎03-12-2009 08:49 AM - edited ‎03-12-2009 08:52 AM

Hi Sam,

 

I'd stay away fron redundant gateways as far as I could if I where you. They only work (a litle) with policy based VPN's. And you're using routebased VPN's. So let the routing do the work for you!

 

Configure two VPN's, one to first location, one to the other. If using static routes set pref or metric value higher to the tunnel int bound to backup VPN. Use VPN monitoring on the first (ajust vpnmonitor interval and threshold to reasonable value) . When primary VPN goes down, tunnel int goes down because of the monitoring. If outgoing interface goes down the prefered route goes inactive (don't use permanent option!), Second route (to your backup vpn's tunnel int) becomes active and voila!

 

If you want to use OSPF: You don't need the monitoring then. Configure the two VPN's. Use numberder interface (you allready doing that ofcourse, otherwise you couldn't use MIP's on the tunnel interfaces). enable OSPF and overwrite on interface level the cost calculation for the route to the destination, making the route via backup more expensive.

 

The firewall at you're customers site won't have a clue that the two same routes presented by ospf are not on the same location. Will chose the better path as active. When ospf fails on the primary link (VPN gone) the second one will become active.

 

This approach (didn't give all the details, ask for specifics if parts aren't clear) give way more flexilibilty then policybased with rdendant gateways!

Message Edited by Screenie on 03-12-2009 04:52 PM
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 2 of 6 (6,342 Views)
 
Reply
sam
Contributor
sam
Posts: 19
Registered: ‎02-27-2008
0

Re: redundant VPN gateways

Options

‎03-12-2009 09:04 AM

Hi Screenie,

 

Thank you very much for the detailed answer and advice, I'll try to stay away from the redundant gateways. The issue is that I'm managing the location with the two netscreens and the customer will be managing his netscreen. In other words you are describing the configuration on our customer's side and yes it should be easy (if the customer uses Juniper)

 

I still don't know how to properly route the MIP range on the internal network so that I route the traffic to the netscreen that have the active tunnel, hope it clearer now

 

Thanks again

Message 3 of 6 (6,338 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 945
Registered: ‎01-10-2008
0

Re: redundant VPN gateways

Options

‎03-12-2009 11:41 AM

I think you can just create a static route (with the MIP's prefix) to /dev/null and routemap it to ospf. The route will presented to the peer, using the different costs of the tunnels. Traffict will not be routed, but translated by the MIP.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 4 of 6 (6,318 Views)
 
Reply
sam
Contributor
sam
Posts: 19
Registered: ‎02-27-2008
0

Re: redundant VPN gateways

Options

‎03-16-2009 04:16 AM

Thanks Screenie, I believe I got the idea now

 

Do you think there is a change to make this work with different vendors? I mean netscreen on our side and lets say Cisco PIX or Check Point on the customer's side?

 

 

Message 5 of 6 (6,258 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 945
Registered: ‎01-10-2008
0

Re: redundant VPN gateways

Options

‎03-16-2009 04:20 AM

Sure, OSPF is vendor independent. You're just presenting routes to the other side! Other side must support ospf of course.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 6 of 6 (6,256 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.