Configuration Library

ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎03-26-2011 11:13 AM

Product: ScreenOS SSG Series

Version: 6.2 (Tested) features show in 6.0 and up

Network Topology:

See network diagram:

Two sites connected by a policy-based VPN, with one site having two internet access connections.

Description:

This configuration adds a redundant internet link on one side of a policy-based VPN connection. Creating two IKE gateways and placing both VPNs in a VPN group allows failover between the two links, with one of them designated as the preferred link.

  1. Create a VPN Group
  2. Configure two gateways, one for each outbound interface
  3. Configure an AutoKey IKE (IPsec VPN object) for each gateway, assign both to the VPN group, and give the primary connection the higher priority number.
  4. Configure the Policy using the VPN tunnel option and associate this with the VPN group


1. Create VPN Group:
This allows the two circuit connections to be treated as a single object by the VPN tunnel policy.


CLI
set vpn-group id 1

Web
VPNs – AutoKey Advanced – VPN Groups
New


2. Configure two Gateways
Create a gateway for each of the two outbound interfaces


CLI
set ike gateway Primary-GW address 2.2.2.2 Main outgoing-interface "ethernet0/0" preshare Juniper== sec-level standard

set ike gateway Secondary-GW address 2.2.2.2 Main outgoing-interface "ethernet0/1" preshare Juniper== sec-level standard

Web
VPNs – AutoKey Advanced – Gateway
New and select the correct interface for each on the advanced page

3. Configure AutoKey IKE

Create an IPsec VPN object for each gateway and place both into the group


CLI
set vpn RemotePrimary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard
set vpn-group id 1 vpn RemotePrimary weight 10

set vpn RemoteSecondary gateway Secondary-GW no-replay tunnel idletime 0 sec-level standard
set vpn-group id 1 vpn RemoteSecondary weight 1

Web
VPNs – AutoKey IKE
New, then select the correct gateway on the opening page
Select the group on the advanced tab and set the priority (higher is Primary)

4. Configure Policy Tunnel

The tunnel will associate with the group and can use either circuit connection but will prefer the higher priority one first.


CLI
set address Trust LocalLAN 10.0.1.0 255.255.255.0
set address Untrust RemoteLAN 10.0.2.0 255.255.255.0
set policy name RemoteVPN from Untrust to Trust  RemoteLAN LocalLAN ANY tunnel vpn-group 1  
set policy name RemoteVPN from Trust to Untrust  LocalLAN RemoteLAN ANY tunnel vpn-group 1  

Web
Policies – Policy Objects – Addresses – List
Create Remote LAN address in Untrust zone
Create Local LAN address in trust zone

Policies – Policy
Create trust to untrust policy and check the box to create a matching policy
Select tunnel and select the VPN group
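As an added check that is not part of the original post: a small Python linter that cross-references the set commands from steps 1 to 4. It flags the slips that are easy to make by hand (an IPsec VPN object pointed at the wrong gateway, an address object that was never defined) and, more importantly, a VPN group whose two members leave through the same outgoing interface, which gives no WAN failover at all. The sample config is constructed for this example and deliberately contains both mistakes.

```python
import re
from collections import defaultdict

# Constructed sample: the post's four-step config, with two deliberate errors
# (RemoteSecondary points at Primary-GW; ClinicLAN is never defined as an address).
SAMPLE_CONFIG = """
set vpn-group id 1
set ike gateway Primary-GW address 2.2.2.2 Main outgoing-interface "ethernet0/0" preshare Juniper== sec-level standard
set ike gateway Secondary-GW address 2.2.2.2 Main outgoing-interface "ethernet0/1" preshare Juniper== sec-level standard
set vpn RemotePrimary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard
set vpn-group id 1 vpn RemotePrimary weight 10
set vpn RemoteSecondary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard
set vpn-group id 1 vpn RemoteSecondary weight 1
set address Trust LocalLAN 10.0.1.0 255.255.255.0
set address Untrust RemoteLAN 10.0.2.0 255.255.255.0
set policy name RemoteVPN from Untrust to Trust  LocalLAN ClinicLAN ANY tunnel vpn-group 1
set policy name RemoteVPN from Trust to Untrust  LocalLAN RemoteLAN ANY tunnel vpn-group 1
"""

def lint_vpn_group_config(text):
    """Cross-check gateway, vpn, vpn-group, address and policy references; return problems."""
    gateways, vpns, addresses, policies = {}, {}, set(), []
    groups = defaultdict(dict)  # group id -> {vpn name: weight}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the double spaces the CLI tolerates
        if m := re.match(r'set ike gateway (\S+) .*outgoing-interface "?([^" ]+)"?', line):
            gateways[m[1]] = m[2]
        elif m := re.match(r'set vpn (\S+) gateway (\S+)', line):
            vpns[m[1]] = m[2]
        elif m := re.match(r'set vpn-group id (\d+) vpn (\S+) weight (\d+)', line):
            groups[m[1]][m[2]] = int(m[3])
        elif m := re.match(r'set vpn-group id (\d+)$', line):
            groups.setdefault(m[1], {})
        elif m := re.match(r'set address \S+ (\S+) ', line):
            addresses.add(m[1])
        elif m := re.match(r'set policy name \S+ from \S+ to \S+ (\S+) (\S+) \S+ tunnel vpn-group (\d+)', line):
            policies.append((m[1], m[2], m[3]))
    problems = [f"vpn {v} references undefined gateway {g}" for v, g in vpns.items() if g not in gateways]
    for gid, members in groups.items():
        # Failover only exists if the members leave via two different interfaces.
        if len({gateways.get(vpns.get(v)) for v in members}) < 2:
            problems.append(f"vpn-group {gid}: members do not use two distinct outgoing interfaces")
        if len(set(members.values())) < len(members):
            problems.append(f"vpn-group {gid}: equal weights, primary is ambiguous")
    for src, dst, gid in policies:
        problems += [f"policy references undefined address {n}" for n in (src, dst) if n not in addresses]
        if gid not in groups:
            problems.append(f"policy references undefined vpn-group {gid}")
    return problems
```

Running lint_vpn_group_config on a saved "get config" dump before cutting the primary cable tells you whether the group can actually fail over, rather than discovering it during the test.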

Verification:

Confirm SA is up


CLI
get sa

Web
VPNs – Monitor Status

Disconnect the primary Ethernet cable and confirm that the failover occurs

References:

ScreenOS Concepts & Examples Guides

http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

Concepts & Examples Guide

Volume 5 Virtual Private Networks

Chapter 3 VPN Guidelines

Chapter 4 VPN: Site-to-site VPN Configurations

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home


Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎12-01-2011 02:38 PM

tolulopeo@caspian-s… wrote:

That's the same link you sent earlier.

The third step, which is configuring the AutoKey IKE, is not clear enough.

Kindly look through. Also, how many tunnel interfaces am I to create?

Thanks



In step three you are creating the AutoKey IKE for both the primary and secondary gateways you created in the previous steps.

On the advanced settings you assign these two AutoKey IKE objects to the group you created earlier.

This makes these two complete VPN objects a pair and only one will be used at a time. Which one is considered primary is set by that priority number; higher priority wins.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎08-10-2012 01:56 AM

Can I apply the same configuration for a remote VPN?


Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎08-10-2012 04:22 AM

Yes, both sides can configure a dual gateway failover as listed.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎05-29-2014 02:32 PM

Is it possible to do VPN Groups with Route-based VPNs? 


Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎05-30-2014 01:44 PM
Is it possible to do VPN Groups with Route-based VPNs?

Unfortunately, VPN Groups only work with policy based vpn connections.

For route based vpn, you can use routing preference to choose one tunnel over another and failover when the vpn tunnels fail.  I have an example with OSPF posted in the configuration library below.  But you could also do this with static routes to the tunnel interfaces with different preferences.


http://forums.juniper.net/t5/Configuration-Library/ScreenOS-Dual-WAN-VPN-with-OSPF/m-p/82768#M241

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎12-10-2014 07:09 PM

Thanks for this informative article. It helped me. I think I may have noticed one or two small typos.

Shouldn't the following line in step 3:

set vpn RemoteSecondary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard

Actually say Secondary-GW not Primary-GW? Like so:

set vpn RemoteSecondary gateway Secondary-GW no-replay tunnel idletime 0 sec-level standard

**************

And shouldn't the following line in step 4:

set policy name RemoteVPN from Untrust to Trust  LocalLAN ClinicLAN ANY tunnel vpn-group 1

Have the LocalLAN address be the destination address not the source address? And shouldn't RemoteLAN be used as the source address? ClinicLAN is not a defined address in this example and RemoteLAN is. So that line would read:

set policy name RemoteVPN from Untrust to Trust  RemoteLAN LocalLAN ANY tunnel vpn-group 1

Just a thought.

Thanks again for your hard work on this. It was helpful information.



Re: ScreenOS - Policy VPN with Dual WAN Auto-Failover

‎12-11-2014 02:57 PM

Thanks for the note capturing my errors, I've updated the original so they are all now correct.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home