ScreenOS Firewalls (NOT SRX)

Hub and Spoke Route based VPN's

09-02-2008 04:23 AM



I'm looking to set up a Hub & Spoke VPN and I have a question. I have set the firewall up as follows:


Interface   Zone      Description
E3/1        MPLS      connects to our MPLS backbone, private IP
E3/2        Untrust   Internet connection, public IP
E0/1        Trust     private IP


At the moment all inter-office traffic is routed from the TRUST zone through to the MPLS zone. What I'd like to do is set up a route-based VPN terminating in the MPLS zone and use floating routes. Basically, if our MPLS dies I want to route traffic over the VPN.


Can the Juniper terminate a VPN on a non-public-facing interface/zone?



Hope this makes sense.





Re: Hub and Spoke Route based VPN's

09-02-2008 04:30 AM



So you are looking to have the VPN running over the internet connection, so that if the MPLS network goes down then traffic will use the VPN instead?


If this is the case why are you looking to terminate the VPN on the MPLS interface?


Terminate the VPN on the internet interface and then have routes that have a higher metric than the ones for the MPLS pointing to the VPN.


On the MPLS interface use Track-IP to check the MPLS network, so if something goes down it will disable the routes for the MPLS network. Be aware that all networks would be rerouted. If you want a more dynamic solution where only certain routes redirect over the VPN, say if one site's MPLS network is down, then you could look at running OSPF or something, so that if a network disappears it is taken out of the firewall routing table, the route for the VPN takes preference and the traffic is routed over that.


Let me know if this answers your question or if I have misunderstood.
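The design Andy describes (VPN terminated on the Untrust interface, a floating route with a higher metric via the tunnel interface, Track-IP on the MPLS interface) written out as an annotated ScreenOS CLI example for the hub firewall. This is added here and is not configuration from anyone in the thread; interface names follow the original post, while the zone names, all addresses, the spoke LAN and the pre-shared key are assumed placeholders.

```screenos
# Assumed addressing (constructed for this example, not from the thread):
#   Trust LAN            10.1.0.0/16   behind ethernet0/1 (zone Trust)
#   MPLS CE next hop     10.255.0.1    on ethernet3/1   (zone MPLS)
#   Spoke LAN            10.2.0.0/16   reached via MPLS, or via the VPN on failure
#   Spoke public address 203.0.113.5   reached via ethernet3/2 (zone Untrust)

# 1. Tunnel interface in the Untrust zone, borrowing the public address of E3/2
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3/2

# 2. IKE gateway and VPN bound to the tunnel interface (route-based VPN)
set ike gateway "gw-spoke1" address 203.0.113.5 main outgoing-interface ethernet3/2 preshare "<shared-secret>" sec-level standard
set vpn "vpn-spoke1" gateway "gw-spoke1" sec-level standard
set vpn "vpn-spoke1" bind interface tunnel.1
set vpn "vpn-spoke1" monitor

# 3. Primary route to the spoke via MPLS (metric 10);
#    floating backup route via the tunnel with a worse metric (metric 20)
set route 10.2.0.0/16 interface ethernet3/1 gateway 10.255.0.1 metric 10
set route 10.2.0.0/16 interface tunnel.1 metric 20

# 4. Track-IP on the MPLS interface: when the CE next hop stops answering,
#    the interface is marked down and ALL routes through ethernet3/1 are
#    withdrawn, so the metric-20 tunnel route becomes active for every spoke
set interface ethernet3/1 track-ip
set interface ethernet3/1 track-ip ip 10.255.0.1
set interface ethernet3/1 track-ip threshold 1

# 5. tunnel.1 sits in Untrust, so Trust<->Untrust policies must permit the
#    spoke LAN (assumes ethernet0/1 is in route mode, i.e. no interface NAT)
set address trust "lan-hq" 10.1.0.0 255.255.0.0
set address untrust "lan-spoke1" 10.2.0.0 255.255.0.0
set policy from trust to untrust "lan-hq" "lan-spoke1" any permit
set policy from untrust to trust "lan-spoke1" "lan-hq" any permit
```

The spoke firewall needs the mirror image (its own tunnel.1, gateway pointing at the hub, and the same pair of routes), and `get route` shows which of the two routes is currently active.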





Accepted by topic author weathermanone, 08-26-2015 01:27 AM

Re: Hub and Spoke Route based VPN's

09-02-2008 05:37 AM

Andy hi,


Yes, this answers my query; I just needed confirmation on the routing aspect. In our case Track-IP would be an issue, as if one site went down but the others were still up it would mean that traffic would loop. I'm looking at this as a quick fix in case we have connection issues, in which case a manual fail-over would take place. We are investigating the option of exporting BGP from our MPLS provider into OSPF.


Many thanks



Re: Hub and Spoke Route based VPN's

09-02-2008 02:25 PM

Hello W,


I have built a real lab with a PE connected to 3 CE MPLS routers, and one internet router with 4 interfaces: fa0 to the internet, vl11, vl12 and vl13.

In between the CE and the internet router there are 3 different firewalls.

MPLS (zone) primary path and Untrust (Internet) with tunnel.1 (Untrust).

We inject the default gateway through our MPLS CE routers with a high metric.

At the same time we also get a better default gateway metric injected by our internet ISP router on the untrust interface.

This will NAT internet traffic directly from the firewall out to the internet ISP router.

In case this route dies, everything will go into MPLS.


We have built up a fully meshed VPN using OSPF between the 3 firewalls with a high metric on known routes. Those will become active as soon as MPLS fails.




This is working and we will implement it soon for a lot of offices, for cheaper internet bandwidth and also a cheaper backup solution.



Attached is a great JTAC document on how to configure fully meshed VPNs with OSPF.


We would have loved to use NSM a little bit more, but it seems that VPN creation isn't working too well with it.










Re: Hub and Spoke Route based VPN's

09-09-2008 04:17 AM

Mark hi,


Thanks for this, I will go away and digest the documentation.