SRX Services Gateway

Question about site to site vpn with two ISP on every site.

‎02-01-2012 02:40 AM

Hi everyone,

we have to connect two sites with a VPN, and we want to use the SRX220 appliances. We want to have full redundancy, so we are planning to have at both sites two SRX220s configured as an HA chassis cluster. We also want two internet connections to be able to keep internet connectivity if one of the two links stops working for any reason (non routing protocols).

As far as we know, we should also be able to configure two VPN tunnels, so one tunnel will use ISP1 and the second tunnel ISP2, at both sites, to achieve VPN connection redundancy. Then, using routing preferences and firewall filters, we should be able to manage traffic in and out of the VPN, or maybe use a dynamic routing protocol over the two VPN links at both sites.

Can you confirm this architecture? Has somebody implemented this configuration? Any warnings?

 

Thank you in advance.

 

Strion.

6 REPLIES

Re: Question about site to site vpn with two ISP on every site.

‎02-06-2012 08:15 AM

If you are planning to have two ISPs on both sites then you will have to create 4 IKE gateways and 4 VPNs.

ISP1 local site to ISP1 remote site

ISP1 local site to ISP2 remote site

ISP2 local site to ISP1 remote site

ISP2 local site to ISP2 remote site

You can use route preference or qualified next-hop. You will also have to use VPN monitor to detect link failure.

 

Let me know if you have any questions.

AJ

Re: Question about site to site vpn with two ISP on every site.

‎02-10-2012 12:20 AM

Hi Ajay,

Thank you for the answer. I was thinking quite the same, except that, for reduced complexity, to build just two tunnels instead of four.

 

Strion.


Re: Question about site to site vpn with two ISP on every site.

‎08-06-2014 04:43 AM

Hi Strion,

Please how did you get on with this?

I am looking at a similar implementation and want to know if this worked ok for you?

 

Regards,

Josh


Re: Question about site to site vpn with two ISP on every site.

‎08-06-2014 06:04 AM

The implementation would be in two steps:

1. ISP failover

2. Subsequent VPN failover

A simple solution would be to have:

ISP1 on Site A to establish VPN with ISP2 on site B -- VPN1

ISP2 on Site A to establish VPN with ISP2 on site B -- VPN2

Have ISP 2 on both ends as backup ISP

But for the VPN peers, write a specific route through a specific ISP.

Build both as route-based tunnels.

Let us say the subnet behind Site A is A and behind Site B is B

VPN1 is bound to st0.0

VPN2 is bound to st0.1

Write routes like below:

On Site A :

set routing-options static route B next-hop st0.0

set routing-options static route B qualified-next-hop st0.1 preference 10

set routing-options static route ISP-1-site-B next-hop ISP1

set routing-options static route ISP-2-site-B  next-hop ISP2

 

Regards,

c_r

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

 


Re: Question about site to site vpn with two ISP on every site.

‎08-07-2014 11:56 PM

Yes, I also use multipath equal-cost routing and OSPF.


Re: Question about site to site vpn with two ISP on every site.

‎08-08-2014 11:14 PM

Hi  strion,

Yes you need to configure 2 VPN configurations between these 2 devices.

ISP1 to ISP1
ISP2 to ISP2

Then you can play with dynamic routing protocols to route the traffic across the primary link using cost metrics.

Also, the following KB article explains the dual-ISP VPN scenario:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB29227

Regards
rparthi
 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
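
Added example, not posted by anyone in this thread: a Site A sketch that combines the replies above, with two route-based tunnels (ISP1 to ISP1, ISP2 to ISP2), VPN monitoring, a primary/backup static route for the remote subnet and a host route pinning each peer to its ISP. All names and addresses are constructed, and it assumes IKE-POL and IPSEC-POL already exist, reth1.0/reth2.0 are the ISP1/ISP2 uplinks, and remote subnet B is 10.2.0.0/16.

```junos
# Site A, constructed example. Addresses are RFC 5737 documentation ranges;
# interface, gateway, policy and zone names are hypothetical.
# Assumed: reth1.0 = ISP1 uplink, reth2.0 = ISP2 uplink, and the policies
# IKE-POL / IPSEC-POL are already defined with your chosen proposals.

# One tunnel interface per VPN, placed in a dedicated security zone
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces st0.1

# One IKE gateway per ISP pair; external-interface ties it to its uplink
set security ike gateway GW-ISP1 ike-policy IKE-POL
set security ike gateway GW-ISP1 address 198.51.100.1
set security ike gateway GW-ISP1 external-interface reth1.0
set security ike gateway GW-ISP2 ike-policy IKE-POL
set security ike gateway GW-ISP2 address 203.0.113.1
set security ike gateway GW-ISP2 external-interface reth2.0

# Route-based VPNs; vpn-monitor takes st0.x down when the tunnel stops passing traffic
set security ipsec vpn-monitor-options interval 10 threshold 3
set security ipsec vpn VPN1 bind-interface st0.0
set security ipsec vpn VPN1 vpn-monitor optimized
set security ipsec vpn VPN1 ike gateway GW-ISP1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN1 establish-tunnels immediately
set security ipsec vpn VPN2 bind-interface st0.1
set security ipsec vpn VPN2 vpn-monitor optimized
set security ipsec vpn VPN2 ike gateway GW-ISP2
set security ipsec vpn VPN2 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN2 establish-tunnels immediately

# Remote subnet B: primary via st0.0 (default static preference 5), backup via st0.1
set routing-options static route 10.2.0.0/16 next-hop st0.0
set routing-options static route 10.2.0.0/16 qualified-next-hop st0.1 preference 10

# Pin each peer address to its own ISP next hop so the tunnels never share an uplink
set routing-options static route 198.51.100.1/32 next-hop 192.0.2.1
set routing-options static route 203.0.113.1/32 next-hop 192.0.2.129
```

Security policies between the vpn zone and the internal zones, and IKE host-inbound traffic on the uplink zone, are still required and are omitted here.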