Screen OS


Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

  • 1.  Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 08:10

    I have a Juniper SSG-320 FW. I would like to create two IPSec tunnels to another office. One is primary and the other one is secondary. The remote destination subnet is the same because it's an office. If the primary tunnel fails then I want the secondary tunnel to become primary. Is this possible with metrics, and does it have to be a route-based VPN or policy-based? See diagram.


  • 2.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 09:04

    Hello Gilles,


    I don't understand this part - The remote destination subnet is the same because its an office.


    I can see that the destination network is 192.168.1.0/24 and the source network is 10.10.10.x/24. I don't see any overlapping subnets in your topology. Could you please clarify this once?



  • 3.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 09:34

    Sorry. Disregard that sentence. There is no overlap. You can just refer to the diagram I posted. Is it possible to have this setup?




  • 4.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 11:07

    From your SSG, if you have two external interfaces (say eth0 and eth1) connecting Cisco Router-1 and Cisco Router-2, then it is pretty straightforward. Create 2 route-based VPNs.


    If you have only one external interface on your SSG and you are trying to form the VPN between two peers then you need point-to-multipoint VPN. Please check the following document - https://kb.juniper.net/kb/documents/public/VPN/routebasedhubandspokevpn_rev_1_3.pdf



  • 5.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 11:52

    Thanks. That document helps. My setup would be a multi-point. Also, for both the metric and preference, which is preferred? Higher or lower?



  • 6.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M
    Best Answer

    Posted 08-01-2020 06:22

    Hi Gilles,


    When you have two routes towards the same destination in your routing table given by two different protocols, e.g. a static route and a BGP route, and you want to choose one route as active, Route Preference can be used to achieve that. The lowest preference is given the highest priority.

    When you have two routes towards the same destination in your routing table given by the same protocol, e.g. two static routes, and you want to make one active, you can use Route Metric. The lowest metric is given the highest priority.
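    The selection rule described in this answer (preference compared first across protocols, then metric within a protocol, lower wins in both cases), as an added simulation that is not part of the thread or of ScreenOS itself. The routes, tunnel interface names and preference values below are constructed to mirror the diagram in this thread (two static routes to 192.168.1.0/24 over a primary and a secondary tunnel, plus a hypothetical BGP route); the preference numbers are assumptions, not Juniper defaults.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    protocol: str
    preference: int  # compared first: lower wins (protocol-level tie-break)
    metric: int      # compared second: lower wins (same-protocol tie-break)


# Constructed sample routing table: primary and secondary static routes to the
# remote office over two tunnel interfaces, plus a hypothetical BGP-learned route
# with a *better* metric but a *worse* (higher) preference.
ROUTES = [
    Route("192.168.1.0/24", "tunnel.1", "static", preference=20, metric=10),
    Route("192.168.1.0/24", "tunnel.2", "static", preference=20, metric=20),
    Route("192.168.1.0/24", "tunnel.3", "bgp", preference=40, metric=5),
]


def active_route(prefix: str, routes: Iterable[Route],
                 up_interfaces: set) -> Optional[Route]:
    """Return the route a router would install for `prefix`.

    Only routes whose egress interface is up are candidates (a tunnel that
    VPN monitoring has marked down drops out of the table). Among candidates
    the lowest preference wins; metric only breaks ties at equal preference.
    """
    candidates = [r for r in routes
                  if r.prefix == prefix and r.interface in up_interfaces]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.preference, r.metric))


def failover_sequence(prefix: str, routes: Iterable[Route]) -> list:
    """Walk the failure scenario from the thread: primary tunnel up, then down,
    then both static tunnels down. Returns the chosen egress interface per step."""
    routes = list(routes)
    steps = [
        {"tunnel.1", "tunnel.2", "tunnel.3"},  # all up: primary should win
        {"tunnel.2", "tunnel.3"},              # primary tunnel failed
        {"tunnel.3"},                          # both static tunnels failed
    ]
    return [(active_route(prefix, routes, up) or Route(prefix, "none", "-", 0, 0)).interface
            for up in steps]
```

Note that in step 2 the secondary static route (metric 20) still beats the BGP route (metric 5) because preference is compared before metric.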



  • 7.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 08-02-2020 08:17

    Thank you very much! Does this configuration also work on the Juniper SRX? If so, do you have documentation on the SRX configuration, or is it the same as the SSG?

    Is there also a way to import/export an IPSec tunnel configuration from one Juniper to another?



  • 8.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 08-02-2020 09:53

    This configuration example is only applicable on ScreenOS. This feature uses policy-based VPN with active/passive failover.

    The feature was never migrated to the SRX/Junos platform.




  • 9.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 08-02-2020 12:57
    But can the SRX do some kind of IPsec tunnel failover?


  • 10.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 08-02-2020 20:29

    Hello Gilles,


    Yes, we can configure primary/backup VPN in SRX and route failover is supported with IP monitoring feature.


    [J/SRX] Example – Configuring a primary and backup VPN with route failover using ip-monitoring

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227&cat=SRX_650&actp=LIST



  • 11.  RE: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

    Posted 07-31-2020 14:11

    For a straight-up primary and backup VPN as in your diagram you can use the ScreenOS group feature. I have a configuration outline posted on my blog.


    http://puluka.com/home/networking/screenos/screenos-redundant-internet-connections-on-a-policy-vpn/