SRX Services Gateway

srx vpn redundancy

12-29-2010 11:06 PM

Hello.

 

I have a question about dual ISP VPN redundancy. I have an SRX with two ISPs connected. From each ISP there is a VPN connection to the remote location. ISP failover is working with the watch-default-route script. In the normal situation both VPNs are up, and when I unplug the cable from the primary provider, everything is working OK. But in the situation when the script triggers the failover, both VPNs fail and then the second VPN reconnects. Why is that happening? I think that the second VPN via the second ISP should stay up.

 

Does anyone have an idea?

12 REPLIES

Re: srx vpn redundancy

12-30-2010 04:40 AM

It sounds like you are routing to the second VPN's peer gateway via the first ISP link...


Re: srx vpn redundancy

12-30-2010 10:37 PM

I don't think it's a routing issue, because if I manually deactivate the primary route everything is working like it's supposed to. Only when the script activates the failover do I have a problem. I also started a ping from the secondary interface to its default gateway, and when the script triggers, it just stops working.

 

When the script finishes, everything starts to work.


Re: srx vpn redundancy

12-31-2010 01:22 AM

OK. I checked again, and it seems that it really is a routing issue. It looks like the IPsec SAs are established through the primary link. I should probably separate the two ISPs into two different virtual routers to make this work. But I can't put IKE gateways into VRs because it's not supported. And what can I do now?


Re: srx vpn redundancy

12-31-2010 02:45 AM [Edited]

Please be aware that even in JUNOS 10.4, the external-interface of a VPN must be in the default routing instance. Only the tunnel interface can be in a non-default routing instance (which is now officially supported with 10.4 but has still worked in older releases, for instance in 10.2 R3). The easiest solution is to install two /32 routes for the remote VPN endpoint, specifying their respective ISP router as next-hop. And of course verify that VPN2 specifies the external interface pointing to ISP2.

 

Regards,

Dominik

JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?

Re: srx vpn redundancy

12-31-2010 06:09 AM

Why separate into VRs?

You just need a static route to 'VPN2 peer Gateway' via the 'ISP2 Router'.

 

Using the following example:

ISP1: 1.1.1.0/24 gateway 1.1.1.254

ISP2: 2.2.2.0/24 gateway 2.2.2.254

 

VPN1 GW: 81.1.1.1

VPN2 GW: 81.2.2.2

 

route 81.1.1.1 via 1.1.1.254

route 81.2.2.2 via 2.2.2.254

 

Sam.
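Sam's two host routes, written out in Junos "set" syntax together with the IKE gateway bindings Dominik mentioned and the commands to confirm the result. This is an added example, not configuration from this thread or from Juniper; the interface names (ge-0/0/0.0 facing ISP1, ge-0/0/1.0 facing ISP2), the gateway names and the IKE policy name are assumed placeholders. It covers the case where the two remote peers have distinct addresses, as in Sam's numbering.

```junos
# Added example (not from this thread). Assumed: ge-0/0/0.0 faces ISP1
# (1.1.1.0/24, gateway 1.1.1.254), ge-0/0/1.0 faces ISP2 (2.2.2.0/24,
# gateway 2.2.2.254); GW-VPN1, GW-VPN2 and IKE-POL are placeholder names.

# One host route per remote IKE peer, each pinned to its own ISP router,
# so the peer lookup no longer follows whichever default route is active.
set routing-options static route 81.1.1.1/32 next-hop 1.1.1.254
set routing-options static route 81.2.2.2/32 next-hop 2.2.2.254

# Each IKE gateway sources its negotiation from the interface of the ISP
# that its host route points at; a mismatch here reproduces the symptom
# from the first post (both SAs built over the primary link).
set security ike gateway GW-VPN1 ike-policy IKE-POL address 81.1.1.1 external-interface ge-0/0/0.0
set security ike gateway GW-VPN2 ike-policy IKE-POL address 81.2.2.2 external-interface ge-0/0/1.0

# Checks after commit: each peer must resolve to its own ISP next-hop, and
# the local address shown for each IKE SA must match that ISP's interface.
run show route 81.1.1.1
run show route 81.2.2.2
run show security ike security-associations
```

If `show route 81.2.2.2` still shows 1.1.1.254 as next-hop, the /32 is being shadowed or was not committed, and the second tunnel will fail along with the first whenever the default route is withdrawn.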


Re: srx vpn redundancy

01-03-2011 05:40 AM

This doesn't solve the problem. At the central location I have two tunnel endpoints on the SRX via two ISPs, and at the remote location one tunnel endpoint. If I enter the host route for the tunnel endpoint via ISP2, then I have both IPsec associations established over the ISP2 link. The problem is that there is only one endpoint on the remote side.

 

What I would like to achieve is that each VPN tunnel to the remote location is established over its own link.


Re: srx vpn redundancy

01-03-2011 12:01 PM

gasper, take a look at KB15545, it might be the ticket you're looking for to split your routing over your two ISPs with failover.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: srx vpn redundancy

01-04-2011 05:20 AM

I already checked that KB, but if I use this solution there is a problem, because IKE is not supported in a custom VR.


Re: srx vpn redundancy

01-04-2011 07:14 AM

Ah, your problem makes sense now.

 

You could possibly use PBR (or filter-based-forwarding in Junos lingo I think). I guess you would need to terminate the tunnel on a loopback interface though to force the traffic through the filter in order to get routed correctly.

 

Sam.


Re: srx vpn redundancy

01-04-2011 11:20 AM

You could perhaps modify it a bit to use "instance-type forwarding", which is filter-based forwarding (AKA policy-based routing). All of the interfaces live in the inet.0 table, so IKE, etc., works fine, and then use the newly created route tables to make the routing decisions based on policies.

 

-kr


Re: srx vpn redundancy

03-28-2011 11:36 PM

Excuse me, I am not replying with the solution here, but I actually wanted to implement the same setup at our customer's place. The customer has two different ISPs, say ISP1 and ISP2, at the central location and will be using an SRX series firewall, and their remote branches would be using an SSG5 with only one ISP. We will be forming a VPN tunnel from the remote branch to the central location, but want to implement automatic VPN failover if the primary link goes down.....

 

I suppose you have the same setup, can you please explain how to achieve this?

 

rgds.

sachin

 


Re: srx vpn redundancy

03-31-2011 12:08 PM

Junos 11.1 is out, which supports IKE in routing-instances, so that should fix this issue. But it's still an R1 release of course :)
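The layout the post above refers to, as an added example in Junos "set" syntax (not configuration from this thread or from Juniper): the ISP2 uplink moves into its own virtual router so that VPN2's IKE lookup for the single remote endpoint is made in that table, while VPN1 keeps using inet.0 and the ISP1 link. Assumed and not confirmed by the thread: interface names ge-0/0/0.0 (ISP1) and ge-0/0/1.0 (ISP2), the placeholder names ISP2-VR, GW-VPN1, GW-VPN2 and IKE-POL, the remote endpoint 81.1.1.1 taken from Sam's numbering, and that the release in use accepts IKE gateways whose external-interface sits in a non-default routing instance and accepts the same peer address on two gateways bound to different external interfaces; verify both on the release you run.

```junos
# Added example (not from this thread). Assumed: ge-0/0/1.0 faces ISP2
# (2.2.2.0/24, gateway 2.2.2.254) and ge-0/0/0.0 faces ISP1; the single
# remote endpoint is 81.1.1.1; all names are placeholders. Assumes a
# release that supports IKE in routing instances (11.1 per the post above).

# ISP2 uplink leaves inet.0 and gets its own table with its own default
# route, so a failover of inet.0's default route cannot move this tunnel.
set routing-instances ISP2-VR instance-type virtual-router
set routing-instances ISP2-VR interface ge-0/0/1.0
set routing-instances ISP2-VR routing-options static route 0.0.0.0/0 next-hop 2.2.2.254

# VPN1 stays on the ISP1 interface and is routed from inet.0.
set security ike gateway GW-VPN1 ike-policy IKE-POL address 81.1.1.1 external-interface ge-0/0/0.0

# VPN2 sources IKE from the ISP2 interface; assumption: the peer lookup then
# happens in ISP2-VR.inet.0, which only knows the ISP2 default route.
set security ike gateway GW-VPN2 ike-policy IKE-POL address 81.1.1.1 external-interface ge-0/0/1.0

# Checks after commit: the peer must resolve via 2.2.2.254 inside ISP2-VR,
# and both IKE SAs should remain up while the watch-default-route script
# swings inet.0's default route between ISP1 and ISP2.
run show route table ISP2-VR.inet.0 81.1.1.1
run show security ike security-associations
run show security ipsec security-associations
```

The thing to watch during a scripted failover is the second `show security ike security-associations` output: if the SA for GW-VPN2 is rebuilt rather than kept, the lookup is still being made in inet.0 and the routing-instance support is not in effect on that release.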