mk1
Collaborator

VPN preferred route (policy-based vs. route-based)

Hello all,

I have the following scenario:

DCFW <--Policy-based VPN--> OfficeFW <--Route-based VPN--> AWS

OfficeFW has one policy-based VPN with Data Center and one route-based VPN with AWS.
The 10.20.0.0/24 subnet is located in AWS and should be reachable via the route-based VPN. There are already static routes added pointing to both AWS peers.
Since the DCFW has another VPN with the same AWS VPC, OfficeFW also has a route for 10.20.0.0/24 via the policy-based VPN. I would like the traffic from OfficeFW to AWS to go through the route-based VPN, but since the policy-based VPN has priority, the traffic is going through it. Due to the complicated setup in the environment, I'm not able to remove 10.20.0.0/24 from the DCFW encryption domain. That's why I added 10.20.0.0/24 in vpn_route.conf to point to AWS-GW1. Here's what we have in the static-route configuration:

# AWS-GW1
set static-route 10.20.0.0/24 nexthop gateway address 169.254.26.1 priority 1 on

# AWS-GW2
set static-route 10.20.0.0/24 nexthop gateway address 169.254.25.1 priority 2 on

set static-route 10.20.0.0/24 ping on

As you can imagine, with the current vpn_route.conf setup the traffic goes via the route-based VPN with gateway 169.254.26.1:

# vpn_route.conf
# destination router install_on [for comm | force_override]
Net_10.20.0.0_24 AWS-GW1 OfficeFW

The question is what I can do to have AWS-GW2 (169.254.25.1) as a backup in case the VPN tunnel with AWS-GW1 is down. I doubt I can add a second line like this:
Net_10.20.0.0_24 AWS-GW2 OfficeFW

Do you know any other methods except vpn_route.conf to have route-based VPN as preferred option over policy-based VPN?

Thank you!

0 Kudos
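To check exactly the situation the post describes (two vpn_route.conf entries for the same destination installed on the same gateway), here is a small parser and linter. This is an added example, not code from the thread or from Check Point; it assumes only the column layout given in the file's own header comment ("destination router install_on [for comm | force_override]"), treats anything after the third column as optional flags, and uses a constructed sample file containing the poster's entry plus the second line they are unsure about.

```python
"""Parse and lint a vpn_route.conf file.

Added example, not from the thread. Assumed format (from the header comment
quoted in the post):
    # destination router install_on [for comm | force_override]
One whitespace-separated entry per line; '#' starts a comment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the poster's single entry plus the second line they
# doubt will give a backup path (same destination, different router).
SAMPLE_VPN_ROUTE_CONF = """\
# vpn_route.conf
# destination router install_on [for comm | force_override]
Net_10.20.0.0_24 AWS-GW1 OfficeFW
Net_10.20.0.0_24 AWS-GW2 OfficeFW
"""


@dataclass
class VpnRoute:
    destination: str
    router: str
    install_on: str
    options: List[str] = field(default_factory=list)  # e.g. "force_override"
    line_no: int = 0


def parse_vpn_route_conf(text: str) -> List[VpnRoute]:
    """Return one VpnRoute per non-comment, non-empty line.

    Raises ValueError on a line with fewer than the three mandatory columns,
    so a typo in the file is caught before policy installation.
    """
    routes: List[VpnRoute] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing/inline comments
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(
                f"line {n}: expected at least 3 columns, got {len(cols)}: {raw!r}"
            )
        routes.append(VpnRoute(cols[0], cols[1], cols[2], cols[3:], n))
    return routes


def find_conflicts(routes: List[VpnRoute]) -> Dict[Tuple[str, str], List[VpnRoute]]:
    """Group entries by (destination, install_on) and keep only the groups
    with more than one router, i.e. the ambiguous case from the post."""
    groups: Dict[Tuple[str, str], List[VpnRoute]] = {}
    for r in routes:
        groups.setdefault((r.destination, r.install_on), []).append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def lint(text: str) -> List[str]:
    """Human-readable findings for a vpn_route.conf body."""
    findings: List[str] = []
    for (dest, gw), entries in find_conflicts(parse_vpn_route_conf(text)).items():
        routers = ", ".join(f"{e.router} (line {e.line_no})" for e in entries)
        findings.append(
            f"{dest} installed on {gw} has {len(entries)} routers: {routers}"
        )
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_VPN_ROUTE_CONF):
        print(f)
```

Run it against a copy of the real file ($FWDIR/conf/vpn_route.conf on the management server) by replacing the constructed sample; any finding means two entries compete for the same destination on the same gateway, which is the condition the post is asking about.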
2 Replies
PhoneBoy
Admin

Why wouldn't you use dynamic routing here?

0 Kudos
mk1
Collaborator

Maybe I don't understand your point, but how will dynamic routing help here? Even if I enable dynamic routing between AWS and OfficeFW, the route over the policy-based VPN will still be the preferred one.

0 Kudos