VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

Hi guys, 

My scenario is as follows: on the main site we've got a Check Point cluster running R80.10 and a single ISP, which runs an IPsec VPN tunnel to our secondary site, where we have a Juniper SRX firewall.

Recently a second ISP line has been added to the secondary site to improve availability, and the target is to set up an automatic mechanism on both sides so that, in case the tunnel through ISP1 goes down, the IPsec tunnel is automatically raised over ISP2.

What's the best way to do this? A single VPN community with both satellite gateways (ISP1 and ISP2)? What else? Should I enable DPD on both gateways (Check Point and Juniper)?

Thanks in advance!

5 Replies

Re: VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

No one?


Re: VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

Hi arcotangente,

In the past I used route-based VPNs with dynamic routing as the failover/health check mechanism.

I have done that with Juniper SSGs a while ago (on both sides).

So both tunnels are up, and based on e.g. the OSPF metric/cost you decide which is the preferred tunnel.

Maybe that is an option?

Matthias


Re: VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

Hi Matthias, 

Wouldn't that cause traffic to be dropped due to asymmetric routing? The CP may send some traffic through tunnel A and the Juniper return the reply through tunnel B.

I was thinking of a scenario where there is a single star community, the Check Point as center GW, and the 2 Junipers (set up as interoperable devices, each with its own public IP) as satellite gateways. And then enable DPD, though I don't know which mode.

Does it make sense? Am I leaving anything behind?

Thanks


Re: VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

Hi arcotangente,

I don't think asymmetric routing is an issue. For example, OSPF Equal Cost Multipath is a situation where you do have asymmetric routing (see sk100502 for further details).

But if you configure OSPF correctly this should not happen. When you enable OSPF on a tunnel interface you can define a cost for this interface:

[Screenshot: ospf.png, the OSPF cost setting on a tunnel interface]

You would have two tunnel interfaces on both sides. Your preferred connection will get a lower cost on both sides.

Your firewall will learn the routes through both interfaces. As long as the routes are learned through the interface with the lower cost, this route will be used.

That is just an idea; as I said, I did this with Juniper SSGs but not so far with Check Point and Juniper SRX.

With SSGs you could even use static routing, as a tunnel interface was only "up" if the VPN connection was up.

Regarding single star community:

You would have a fully overlapping encryption domain (both interoperable devices would have the same encryption domain), which is supported.

What I don't know is how you can configure which tunnel to use, as both tunnels are normally up.

Matthias
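To make the OSPF-cost selection concrete, here is an added Python model of what Matthias describes. It is not code from this thread and not Check Point or Juniper configuration: each gateway has two route-based tunnel interfaces, each with an OSPF interface cost; the remote prefix is learned over every tunnel whose adjacency is up and installed over the lowest-cost path, with equal costs giving ECMP. The tunnel names `vpn-isp1`/`vpn-isp2`, the cost values, and the simplification that an ISP outage drops the adjacency on both ends are assumptions. It also goes slightly beyond the post by checking the concern raised earlier in the thread: whether both sides end up forwarding over the same single tunnel (symmetric) or not, which is what happens with mismatched costs or with ECMP.

```python
"""Added example: OSPF interface cost on two route-based VPN tunnel
interfaces selects the active tunnel; failover happens when the preferred
tunnel's adjacency drops.  Toy model, not vendor code; tunnel names and costs
are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Tunnel:
    """One route-based VPN tunnel interface and its OSPF interface cost."""
    name: str
    cost: int
    up: bool = True          # OSPF adjacency (and IPsec SA) over this tunnel


class Gateway:
    """A gateway that learns the remote prefix over every tunnel that is up
    and installs the lowest-cost path(s), as OSPF would."""

    def __init__(self, name: str, tunnels: list[Tunnel]) -> None:
        self.name = name
        self.tunnels = {t.name: t for t in tunnels}

    def installed_paths(self) -> list[str]:
        """Tunnel(s) the remote route is installed over: the lowest cost among
        tunnels with a live adjacency; equal costs give ECMP (several paths)."""
        live = [t for t in self.tunnels.values() if t.up]
        if not live:
            return []                       # no adjacency left: route withdrawn
        best = min(t.cost for t in live)
        return sorted(t.name for t in live if t.cost == best)


def set_tunnel_state(gateways: list[Gateway], tunnel: str, up: bool) -> None:
    """Assumption: a tunnel failing (ISP outage) takes the adjacency down on
    both ends, so both gateways withdraw the route learned over it."""
    for gw in gateways:
        gw.tunnels[tunnel].up = up


def is_symmetric(a: Gateway, b: Gateway) -> bool:
    """True when both sides forward over exactly one, identical tunnel, so the
    request and its reply take the same path.  ECMP (two paths) or costs that
    do not match between the sites break this."""
    pa, pb = a.installed_paths(), b.installed_paths()
    return pa == pb and len(pa) == 1


def build_site(name: str, isp1_cost: int, isp2_cost: int) -> Gateway:
    """Two tunnels per site, one per ISP line at the remote site."""
    return Gateway(name, [Tunnel("vpn-isp1", isp1_cost),
                          Tunnel("vpn-isp2", isp2_cost)])


def failover_sequence(isp1_cost_a: int, isp2_cost_a: int,
                      isp1_cost_b: int, isp2_cost_b: int):
    """Steady state -> ISP1 tunnel fails -> ISP1 tunnel restored.
    Returns (paths on A, paths on B, symmetric?) after each of the three steps."""
    a = build_site("checkpoint", isp1_cost_a, isp2_cost_a)
    b = build_site("srx", isp1_cost_b, isp2_cost_b)

    def snapshot():
        return (a.installed_paths(), b.installed_paths(), is_symmetric(a, b))

    steps = [snapshot()]
    set_tunnel_state([a, b], "vpn-isp1", up=False)   # ISP1 line goes down
    steps.append(snapshot())
    set_tunnel_state([a, b], "vpn-isp1", up=True)    # ISP1 line comes back
    steps.append(snapshot())                         # fail-back to lower cost
    return steps


if __name__ == "__main__":
    # Costs matched on both sides (ISP1 cheaper): clean failover and fail-back.
    for step in failover_sequence(10, 20, 10, 20):
        print(step)
    # Costs mismatched between the sites: each side prefers a different tunnel.
    print(failover_sequence(10, 20, 20, 10)[0])
    # Equal costs: ECMP on both sides, replies may use the other tunnel.
    print(failover_sequence(10, 10, 10, 10)[0])
```

The point the model makes is the one in the post: give the preferred tunnel the lower cost on both sides, and the same tunnel carries both directions until its adjacency drops, after which both sides move to the other tunnel together and move back when the preferred one returns. Setting the costs differently on the two sites, or leaving them equal, is what produces the asymmetric path that was asked about.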

Re: VPN Tunnel failover with 2 ISPs and Juniper gateway on remote side

Thanks Matthias,

Let's see if someone else can shed some light on the DPD thing.

At least when you configure a tunnel to Amazon AWS, it uses 2 satellite gateways as well, with the same encryption domain, and recommends enabling DPD.

BR