
SRX active-active 2x IPSec VPN tunnels via 2xISPs to single destination (is this even possible!)

‎08-16-2018 02:02 AM

Hi All... I have been trying to create two active IPSec tunnels via two ISPs to another SRX with a single ISP connection. Is this even possible?

 

              public ip x.x.x.x    st0.0 ------ ISPA ------ st0.0
SRXA                                                               ISPZ public ip z.z.z.z ---- SRXB
              public ip y.y.y.y    st0.1 ------ ISPB ------ st0.1

 

The problem I have is with traffic routing out of SRXA: it has to build two separate IPSec tunnels to a single destination IP address. It is obviously preferring a single egress interface via ISPA to build the IPSec tunnel to SRXB... but is there a way to force traffic out via the other ISPB to build the second IPSec tunnel?

I was thinking around source-based routing etc., but it would be for traffic sourced from the SRX itself, and as we are using the same destination address it won't work.


Re: SRX active-active 2x IPSec VPN tunnels via 2xISPs to single destination (is this even possible!)

‎08-16-2018 02:17 AM

Hello,

Yes, definitely possible since at least 2011:

https://forums.juniper.net/t5/SRX-Services-Gateway/Cannot-get-multiple-IPsec-tunnels-working-on-SRX/...

HTH

Thx

Alex


Re: SRX active-active 2x IPSec VPN tunnels via 2xISPs to single destination (is this even possible!)

‎08-16-2018 02:50 AM

 

Thanks, so separate VRFs are required to build the tunnels... This is basically to set up redundancy, so we have two IPSec tunnels always up with BGP running over them, then use BGP for determining which tunnel to use... Though with the tunnels and BGP instances being in different VRFs, is this the best way to go?

Solution
Accepted by topic author test2000
‎03-25-2019 07:33 AM

Re: SRX active-active 2x IPSec VPN tunnels via 2xISPs to single destination (is this even possible!)

‎08-16-2018 03:00 AM

I agree, as you note, that since the remote side has a single IP address you will need to put the second ISP into a virtual router routing instance so that you can have both tunnels running at the same time.

You can then use logical tunnels to connect that virtual router to your main router and do the routing exchanges and priorities you prefer for the connection usage.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21260

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
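
The design described in the accepted answer, sketched as an added SRXA configuration example that is not part of the original thread or the linked KB: the second ISP uplink sits in a virtual router so both IKE gateways can reach the same peer address. All interface names, addresses (RFC 5737 documentation ranges), zone names and object names are assumptions, and the IKE/IPsec policies, the zones for st0/lt units and the security policies are assumed to be defined elsewhere.

```junos
# Constructed example: names, interfaces and RFC 5737 addresses are placeholders.
# IKE-POL / IPSEC-POL, zones for st0/lt units and security policies are assumed to exist.

# ISP A uplink and st0.0 stay in the main instance (inet.0)
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/30
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# ISP B uplink, st0.1 and one end of the logical tunnel go into a virtual router
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/30
set interfaces st0 unit 1 family inet address 10.255.1.1/30
set routing-instances ISPB-VR instance-type virtual-router
set routing-instances ISPB-VR interface ge-0/0/1.0
set routing-instances ISPB-VR interface st0.1
set routing-instances ISPB-VR interface lt-0/0/0.1
# The VR's own default route is what sends the second IKE session out via ISP B
set routing-instances ISPB-VR routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Two IKE gateways to the same peer address (z.z.z.z), each pinned to one uplink
set security ike gateway SRXB-VIA-A address 203.0.113.10
set security ike gateway SRXB-VIA-A external-interface ge-0/0/0.0
set security ike gateway SRXB-VIA-A ike-policy IKE-POL
set security ike gateway SRXB-VIA-B address 203.0.113.10
set security ike gateway SRXB-VIA-B external-interface ge-0/0/1.0
set security ike gateway SRXB-VIA-B ike-policy IKE-POL

# One route-based VPN per gateway, each bound to its own st0 unit
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike gateway SRXB-VIA-A
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-A establish-tunnels immediately
set security ipsec vpn VPN-B bind-interface st0.1
set security ipsec vpn VPN-B ike gateway SRXB-VIA-B
set security ipsec vpn VPN-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-B establish-tunnels immediately

# Accept IKE only on the two uplinks, nothing else from the untrusted side
set security zones security-zone untrust-a interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust-b interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

# Logical tunnel pair joining ISPB-VR (unit 1) to the main instance (unit 0)
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 10.254.0.1/30
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.254.0.2/30
```

Routes learned over st0.1 inside ISPB-VR reach the main instance across the lt-0/0/0 pair, which is where the routing exchange and path preference mentioned in the answer would be applied.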