SRX Services Gateway

Full mesh IPSec VPN and OSPF

07-02-2014 05:36 PM

I'm labbing up some full mesh IPSec VPN situations and running OSPF between all nodes.

I've just done basic route-based VPN with a separate tunnel interface for each connection.

The problem is asymmetric routing: if one tunnel goes down, OSPF will re-route without a problem, but there is no guarantee that each SRX will choose the same path, so routing will be asymmetric.

Is there a better way to do full mesh ipsec VPNs on SRX? I can't find much Juniper doco.

Perhaps multipoint interfaces would help? 

6 replies

Re: Full mesh IPSec VPN and OSPF

07-02-2014 07:28 PM
Configure st0 interface as multipoint.

NHTB will take care of routing into different tunnels.

http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/vpn-hub-spoke-nhtb-example-configurin...
regards,
Avd
JNCIE-SEC #320

Please Mark My Solution Accepted if you think it helped!
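A worked configuration for the multipoint st0 approach Avd describes, added here as an example; it is not from the thread or from Juniper's documentation. It assumes a hypothetical site SRX-A with two mesh peers (B and C) whose WAN addresses, tunnel addresses and object names (GW-B, GW-C, VPN-TO-B, VPN-TO-C, IKE-PROP, IPSEC-PROP, the VPN zone) are all constructed placeholders, and that the IKE and IPsec proposals are defined elsewhere.

```junos
# Added example, not from the thread. Hypothetical site SRX-A; every name and
# address below is constructed. A single multipoint st0 unit carries all tunnels
# and the next-hop-tunnel (NHTB) table maps each peer's tunnel address to its VPN.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.255.0.1/24

# Static NHTB entries: peer st0 address -> IPsec VPN to use for that next hop
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.2 ipsec-vpn VPN-TO-B
set interfaces st0 unit 0 family inet next-hop-tunnel 10.255.0.3 ipsec-vpn VPN-TO-C

# IKE gateways, one per mesh peer (WAN addresses are constructed)
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "<psk-placeholder>"
set security ike gateway GW-B ike-policy IKE-POL
set security ike gateway GW-B address 203.0.113.2
set security ike gateway GW-B external-interface ge-0/0/0.0
set security ike gateway GW-C ike-policy IKE-POL
set security ike gateway GW-C address 203.0.113.3
set security ike gateway GW-C external-interface ge-0/0/0.0

# Route-based VPNs, all bound to the same multipoint unit st0.0
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-TO-B bind-interface st0.0
set security ipsec vpn VPN-TO-B ike gateway GW-B
set security ipsec vpn VPN-TO-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-TO-B establish-tunnels immediately
set security ipsec vpn VPN-TO-C bind-interface st0.0
set security ipsec vpn VPN-TO-C ike gateway GW-C
set security ipsec vpn VPN-TO-C ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-TO-C establish-tunnels immediately

# Zone placement: only OSPF is accepted on the tunnel interface itself
set security zones security-zone VPN interfaces st0.0 host-inbound-traffic protocols ospf

# OSPF sees the multipoint tunnel as point-to-multipoint with explicit neighbors
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 10.255.0.2
set protocols ospf area 0.0.0.0 interface st0.0 neighbor 10.255.0.3
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive
```

Every VPN binds to the same st0.0, which is why the unit must be multipoint: the forwarding plane uses the NHTB table to pick the SA for a given next hop. `show security ipsec next-hop-tunnels` lists that mapping, and `show ospf neighbor` should show each peer's tunnel address once the p2mp adjacencies are up. Which peer OSPF selects as the next hop for a remote LAN is still a routing decision, so this tidies the interface design without by itself changing path selection.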

Re: Full mesh IPSec VPN and OSPF

07-02-2014 08:49 PM

The article looks to be for hub and spoke.

I want to do full mesh between 5 or more SRX devices.

Can I do multipoint interfaces on all of the SRXs without an issue?


Re: Full mesh IPSec VPN and OSPF

07-02-2014 10:02 PM
It also applies for full mesh.
Every node becomes a hub.
regards,
Avd
JNCIE-SEC #320

Please Mark My Solution Accepted if you think it helped!

Re: Full mesh IPSec VPN and OSPF

07-03-2014 02:12 PM

I had a full mesh setup using the old ScreenOS that experienced the same issue during failure scenarios. Because the metrics were the same for multiple paths, the traffic could run asymmetrically when particular links were down.

I ended up choosing one site as a "primary" site. The connections to this site were pegged at a smaller cost than all the other links. But a direct link was still the best.

This made the two hop link through this site preferred over any other two hop link and kept traffic going in the same paths.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Full mesh IPSec VPN and OSPF

07-04-2014 03:53 PM

I think that you should use slightly different link costs (the same on both ends of the link, but different for different links) to get deterministic path selection and avoid asymmetrical routing.

Multipoint (NHTB) will make your design cleaner, but IMO it will not solve any of the asymmetry problems. You will still need dynamic or static routing and, consequently, you will have to solve the path selection problem.

NHTB will NOT take care of routing; it will take care of forwarding packets into different tunnels USING the information from the routing table. And that information must come from somewhere - from some dynamic routing protocol (usually OSPF) or manual config (static).

Please see: http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/vpn-hub-spoke-nhtb-example-overview.h...

Multipoint is a good idea anyway - but it does not solve your original problem.

Regards,

Pawel Mazurkiewicz

[JNCIP-SEC, JNCIS-ENT, MCSA/MCITP]
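The distinct-link-cost scheme Pawel recommends (and the "primary site" variant Steve describes is the same mechanism with a different cost table), written out as an added example that is not from the thread. It assumes a hypothetical five-site mesh SRX-A through SRX-E with one st0 unit per tunnel, as in the original design; the metric table, unit numbering and addresses are all constructed.

```junos
# Added example, not from the thread. Hypothetical 5-site mesh A..E, one st0
# unit per tunnel. Every mesh link gets its own OSPF metric, configured
# identically on both ends, so that SPF on any node never has an equal-cost tie
# that it would break locally (and differently from the far end).
#
# Constructed metric table (10 links):
#   A-B 10   A-C 11   A-D 12   A-E 13
#   B-C 14   B-D 15   B-E 16
#   C-D 17   C-E 18
#   D-E 19
# With these values every two-hop alternative between a given pair also has a
# unique total, e.g. B->C direct 14, B->A->C 21, B->D->C 32, B->E->C 34.

# --- SRX-A (st0.1 -> B, st0.2 -> C, st0.3 -> D, st0.4 -> E) ---
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 10
set protocols ospf area 0.0.0.0 interface st0.2 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.2 metric 11
set protocols ospf area 0.0.0.0 interface st0.3 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.3 metric 12
set protocols ospf area 0.0.0.0 interface st0.4 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.4 metric 13
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

# --- SRX-B (st0.1 -> A, st0.2 -> C, st0.3 -> D, st0.4 -> E) ---
# The A-B link carries metric 10 here as well: the cost must match on both ends.
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.1 metric 10
set protocols ospf area 0.0.0.0 interface st0.2 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.2 metric 14
set protocols ospf area 0.0.0.0 interface st0.3 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.3 metric 15
set protocols ospf area 0.0.0.0 interface st0.4 interface-type p2p
set protocols ospf area 0.0.0.0 interface st0.4 metric 16
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

# SRX-C, SRX-D and SRX-E follow the same pattern using the table above.
```

Check the result from both ends with `show route <remote LAN>` after failing a tunnel: the selected next hop on each side should be the two ends of the same st0 link. A link whose metric differs in the two directions is itself a source of asymmetry, so the table should be kept in one place and mirrored exactly; it is also worth confirming, as in the comment, that no two alternative paths between a pair sum to the same cost, because equal sums reintroduce the tie the scheme is meant to remove.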


Re: Full mesh IPSec VPN and OSPF

07-06-2014 02:07 AM

Hi Luca,

 

I can give you one solution, but it has one drawback; if you are OK with it, it will fix your problem.

Using source NAT interface for the VPN traffic will force your traffic to go back again on the same path and avoid asymmetric routing. The only drawback is that you are hiding your real IP, so you are not able to use a policy for a specific user in the remote site, for example.

If you put all st0 interfaces in one security zone (for example, a VPN zone), then you need to configure source NAT interface from the trust zone to the VPN zone, and allow at each site one security policy, from the VPN zone to the trust zone, permitting the st0 interface IPs to access the LAN.

Then there is no more asymmetric routing.

Regards,

Mohamed Elhariry

2* JNCIE ( SEC # 159, SP # 1059)


[Click the "Star" for Kudos if you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
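Mohamed's source NAT interface arrangement as an added configuration example, not the poster's own config and not from Juniper's documentation. It assumes the hypothetical site SRX-A from the earlier examples, with per-tunnel st0 units in a zone named VPN, a trust LAN of 192.168.10.0/24 and remote-peer tunnel addresses that are constructed placeholders; the address-book and policy names are likewise assumptions.

```junos
# Added example, not from the thread. Hypothetical site SRX-A; all names and
# addresses are constructed. Trust-side hosts are source-NATed to the address
# of whichever st0 unit the packet leaves on, so the remote site's replies are
# addressed to that tunnel endpoint and come back through the same tunnel.

# All tunnel interfaces live in one zone so one NAT rule-set covers them
set security zones security-zone VPN interfaces st0.1 host-inbound-traffic protocols ospf
set security zones security-zone VPN interfaces st0.2 host-inbound-traffic protocols ospf
set security zones security-zone VPN interfaces st0.3 host-inbound-traffic protocols ospf
set security zones security-zone VPN interfaces st0.4 host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0

# Source NAT to the egress interface address for trust -> VPN traffic
set security nat source rule-set TRUST-TO-VPN from zone trust
set security nat source rule-set TRUST-TO-VPN to zone VPN
set security nat source rule-set TRUST-TO-VPN rule NAT-LAN match source-address 192.168.10.0/24
set security nat source rule-set TRUST-TO-VPN rule NAT-LAN then source-nat interface

# Address objects: local LAN and the remote sites' st0 addresses (constructed)
set security address-book global address LAN-A 192.168.10.0/24
set security address-book global address REMOTE-ST0-B 10.255.12.2/32
set security address-book global address REMOTE-ST0-C 10.255.13.2/32
set security address-book global address REMOTE-ST0-D 10.255.14.2/32
set security address-book global address REMOTE-ST0-E 10.255.15.2/32
set security address-book global address-set REMOTE-ST0 address REMOTE-ST0-B
set security address-book global address-set REMOTE-ST0 address REMOTE-ST0-C
set security address-book global address-set REMOTE-ST0 address REMOTE-ST0-D
set security address-book global address-set REMOTE-ST0 address REMOTE-ST0-E

# Outbound: LAN may reach the mesh (traffic is NATed on the way out)
set security policies from-zone trust to-zone VPN policy LAN-OUT match source-address LAN-A
set security policies from-zone trust to-zone VPN policy LAN-OUT match destination-address any
set security policies from-zone trust to-zone VPN policy LAN-OUT match application any
set security policies from-zone trust to-zone VPN policy LAN-OUT then permit

# Inbound: because peers arrive NATed, the only sources seen are their st0 IPs
set security policies from-zone VPN to-zone trust policy REMOTE-IN match source-address REMOTE-ST0
set security policies from-zone VPN to-zone trust policy REMOTE-IN match destination-address LAN-A
set security policies from-zone VPN to-zone trust policy REMOTE-IN match application any
set security policies from-zone VPN to-zone trust policy REMOTE-IN then permit
set security policies from-zone VPN to-zone trust policy REMOTE-IN then log session-init
```

The inbound policy is exactly where the drawback Mohamed mentions shows up: the remote LAN's real host addresses never reach this firewall, so policy and logs can only distinguish the sending site by its st0 address, not the individual user or host. `show security flow session` on both ends will show the translated tunnel address as the source, which is also the quickest way to confirm the forward and return flows are on the same tunnel.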