ScreenOS Firewalls (NOT SRX)
sam
Contributor, Posts: 19, Registered: 02-27-2008

redundant VPN gateways

We have a NetScreen (NS-500) where we terminate site-to-site tunnels from third parties. We use route-based VPNs and do source NAT (MIP) on the NetScreen. The customer's IP is translated to the MIP when entering our network, and when we want to connect to the customer we connect to the MIP address.

Everything works fine, but now we want to introduce another NetScreen at the disaster recovery site (different physical location, different ISP), or what is described as "redundant VPN gateways" in the guide.

I understand that the customer would need to make some modifications on his side to support a backup tunnel (Juniper calls this a VPN group; not sure this is possible on Cisco routers / firewalls and Check Points), but the problem we have is that we want to use the same MIPs on both firewalls (primary and disaster recovery) as this is the destination our servers connect to.

We will have to use dynamic routing in a way that the primary NetScreen would advertise the MIP range of customer A to our internal network only when the tunnel with customer A is active. What is the best way to do so? Having dynamic routing with the customer is not an option.

Thanks
Screenie
Distinguished Expert, Posts: 1,076, Registered: 01-10-2008

Re: redundant VPN gateways

Hi Sam,

I'd stay away from redundant gateways as far as I could if I were you. They only work (a little) with policy-based VPNs. And you're using route-based VPNs. So let the routing do the work for you!

Configure two VPNs, one to the first location, one to the other. If using static routes, set the pref or metric value higher on the tunnel int bound to the backup VPN. Use VPN monitoring on the first (adjust vpnmonitor interval and threshold to a reasonable value). When the primary VPN goes down, the tunnel int goes down because of the monitoring. If the outgoing interface goes down the preferred route goes inactive (don't use the permanent option!), the second route (to your backup VPN's tunnel int) becomes active and voila!

If you want to use OSPF: you don't need the monitoring then. Configure the two VPNs. Use numbered interfaces (you're already doing that of course, otherwise you couldn't use MIPs on the tunnel interfaces). Enable OSPF and override on interface level the cost calculation for the route to the destination, making the route via backup more expensive.

The firewall at your customer's site won't have a clue that the two same routes presented by OSPF are not in the same location. It will choose the better path as active. When OSPF fails on the primary link (VPN gone) the second one will become active.

This approach (didn't give all the details, ask for specifics if parts aren't clear) gives way more flexibility than policy-based with redundant gateways!

Message Edited by Screenie on 03-12-2009 04:52 PM
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
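Below is an added ScreenOS configuration sketch of the static-route variant Screenie describes for the customer-side firewall (two route-based VPNs, VPN monitoring on the primary, a lower-preference route on the backup tunnel interface). It is not Screenie's or Sam's configuration: interface names, gateway addresses, the remote prefix 192.0.2.0/24 and the string PRESHARED-KEY are placeholders chosen for this example (RFC 5737 documentation ranges), and the lines beginning with "#" are commentary, not CLI input.

```screenos
# Added example, not from the thread. Customer-side NetScreen with a tunnel to
# the primary site (gw-primary) and one to the DR site (gw-backup).
# All names, addresses and the pre-shared key are placeholders.

# One numbered tunnel interface per gateway
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.1.2/30
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 10.255.2.2/30

# Phase 1 / Phase 2 to the primary site, bound to tunnel.1
set ike gateway gw-primary address 198.51.100.1 main outgoing-interface ethernet3 preshare "PRESHARED-KEY" sec-level standard
set vpn vpn-primary gateway gw-primary sec-level standard
set vpn vpn-primary bind interface tunnel.1

# Phase 1 / Phase 2 to the DR site, bound to tunnel.2
set ike gateway gw-backup address 203.0.113.1 main outgoing-interface ethernet3 preshare "PRESHARED-KEY" sec-level standard
set vpn vpn-backup gateway gw-backup sec-level standard
set vpn vpn-backup bind interface tunnel.2

# VPN monitoring on the primary: after "threshold" consecutive failed probes
# the SA is torn down and tunnel.1 goes down. Interval and threshold are
# global settings; 10 s x 3 gives roughly 30 s of detection time.
set vpn vpn-primary monitor rekey
set vpnmonitor interval 10
set vpnmonitor threshold 3

# Two static routes to the remote prefix. The lower preference wins while
# tunnel.1 is up. Neither route is "permanent": a permanent route stays
# active when its interface is down, which is exactly what would defeat
# the failover.
set route 192.0.2.0/24 interface tunnel.1 preference 20
set route 192.0.2.0/24 interface tunnel.2 preference 40

# Checks: which route is currently used, and which SAs are up
get route ip 192.0.2.10
get sa active
```

The default preference for static routes in ScreenOS is 20, so only the backup route needs an explicit (higher) value; the two values above are written out so the intent is visible in the config.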
sam
Contributor, Posts: 19, Registered: 02-27-2008

Re: redundant VPN gateways

Hi Screenie,

Thank you very much for the detailed answer and advice; I'll try to stay away from the redundant gateways. The issue is that I'm managing the location with the two NetScreens and the customer will be managing his NetScreen. In other words, you are describing the configuration on our customer's side, and yes, it should be easy (if the customer uses Juniper).

I still don't know how to properly route the MIP range on the internal network so that I route the traffic to the NetScreen that has the active tunnel. Hope it's clearer now.

Thanks again

Screenie
Distinguished Expert, Posts: 1,076, Registered: 01-10-2008

Re: redundant VPN gateways

I think you can just create a static route (with the MIP's prefix) to /dev/null and route-map it into OSPF. The route will be presented to the peer, using the different costs of the tunnels. Traffic will not be routed, but translated by the MIP.
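As an added example (not Screenie's or Sam's configuration), here is the internal-side piece for the primary NetScreen on Sam's side: the customer tunnel with VPN monitoring, a MIP on the tunnel interface, the MIP prefix as a static route, and a route-map that redistributes only that prefix into OSPF towards the internal network. Every name and address is a placeholder (RFC 5737 ranges, a made-up customer host 172.16.5.10, the string PRESHARED-KEY), and lines starting with "#" are commentary rather than CLI input. One design choice differs from the reply above and is deliberate: the MIP prefix route is bound to tunnel.1 rather than to the null interface. A null route is always active, so both firewalls would keep advertising the prefix whatever the tunnel state; a route bound to the tunnel interface goes inactive when monitoring takes the interface down (the behaviour Screenie describes in the first reply), so the advertisement is withdrawn exactly when Sam wants it to be. Forwarding is unaffected either way, because ScreenOS applies the MIP translation before the route lookup, which is why the route itself never carries traffic.

```screenos
# Added example, not from the thread. PRIMARY NetScreen on the hosting side.
# The DR NetScreen is configured identically except for the route-map metric
# noted below. All names, addresses and the pre-shared key are placeholders.

# Numbered tunnel interface to customer A (numbered is required for MIPs)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 10.255.1.1/30
set ike gateway gw-customer-a address 198.51.100.10 main outgoing-interface ethernet3 preshare "PRESHARED-KEY" sec-level standard
set vpn vpn-customer-a gateway gw-customer-a sec-level standard
set vpn vpn-customer-a bind interface tunnel.1

# Monitoring brings tunnel.1 down when the peer stops answering
set vpn vpn-customer-a monitor rekey
set vpnmonitor interval 10
set vpnmonitor threshold 3

# MIP on the tunnel interface: customer host 172.16.5.10 is reached from the
# internal network as 192.0.2.10 (one entry shown; the MIP range used in this
# example is 192.0.2.0/24). The same MIP entries must exist on the DR box.
set interface tunnel.1 mip 192.0.2.10 host 172.16.5.10 netmask 255.255.255.255 vr trust-vr

# Route to the customer's real addresses through the tunnel
set route 172.16.5.0/24 interface tunnel.1

# The MIP prefix as a static route. Bound to tunnel.1 (not null) so that it
# goes inactive, and is no longer redistributed, when the tunnel is down.
# Not "permanent", for the same reason.
set route 192.0.2.0/24 interface tunnel.1 preference 20

# Redistribute only the MIP prefix into OSPF. On the DR NetScreen use
# "set metric 100" here so the internal routers prefer the primary while
# both tunnels are up.
set vrouter trust-vr
set router-id 10.0.0.1
set access-list 10 permit ip 192.0.2.0/24 10
set route-map name rm-mip permit 10
set match ip 10
set metric 10
exit
set protocol ospf
set redistribute route-map rm-mip protocol static
set enable
exit
exit

# OSPF towards the internal network on the trust interface
set interface ethernet1 protocol ospf area 0.0.0.0
set interface ethernet1 protocol ospf enable

# Checks: the MIP prefix route should show as active only while tunnel.1 is up,
# and OSPF should list it as a redistributed external route
get route
get vrouter trust-vr protocol ospf
```

The access-list keeps the redistribution narrow: without it, "redistribute protocol static" would also push the 172.16.5.0/24 tunnel route (and any other static) into the internal OSPF domain. The failover only helps if the customer side also moves its tunnel to the DR box, which is the part covered by the first reply.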
sam
Contributor, Posts: 19, Registered: 02-27-2008

Re: redundant VPN gateways

Thanks Screenie, I believe I got the idea now.

Do you think there is a chance to make this work with different vendors? I mean a NetScreen on our side and, let's say, Cisco PIX or Check Point on the customer's side?

Screenie
Distinguished Expert, Posts: 1,076, Registered: 01-10-2008

Re: redundant VPN gateways

Sure, OSPF is vendor independent. You're just presenting routes to the other side! The other side must support OSPF, of course.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.