VPN preferred route (policy-based vs. route-based)

Hello all,

I have the following scenario:

DCFW <--Policy-based VPN--> OfficeFW <--Route-based VPN--> AWS

OfficeFW has one policy-based VPN with the Data Center and one route-based VPN with AWS. The subnet is located in AWS and should be reachable via the route-based VPN. There are already static routes added pointing to both AWS peers.
Since the DCFW has another VPN with the same AWS VPC, OfficeFW has the same route for via the policy-based VPN. I would like the traffic from OfficeFW to AWS to go through the route-based VPN, but since the policy-based VPN has priority, the traffic goes through it. Due to the complicated setup in the environment, I'm not able to remove from the DCFW encryption domain. That's why I added in vpn_route.conf to point to AWS-GW1. Here's what we have in the static-route configuration:

set static-route nexthop gateway address priority 1 on

set static-route nexthop gateway address priority 2 on

set static-route ping on

As you can imagine, with the current vpn_route.conf setup the route goes via the route-based VPN with gateway

# vpn_route.conf
# destination router install_on [for comm | force_override]
Net_10.20.0.0_24 AWS-GW1 OfficeFW

The question is what I can do to have AWS-GW2 ( as a backup in case the VPN tunnel with AWS-GW1 is down. I doubt I can add a second line like this:
Net_10.20.0.0_24 AWS-GW2 OfficeFW

Do you know any other methods, other than vpn_route.conf, to make the route-based VPN the preferred option over the policy-based VPN?

Thank you!

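To make the path-selection question concrete, here is an added Python model (not Check Point code and not from the poster) that parses the vpn_route.conf format quoted above and applies the precedence the post describes: vpn_route.conf entry first, then a peer's policy-based encryption domain, then the static routes by priority with next-hop ping monitoring. That precedence order, the AWS-GW1/AWS-GW2 static-route entries and the DCFW domain contents are assumptions constructed from the post, and under them a single vpn_route.conf override leaves no fallback to AWS-GW2 when AWS-GW1 is down.

```python
import ipaddress

# Assumed precedence on OfficeFW, taken from the poster's description (not
# Check Point documentation): a matching vpn_route.conf entry wins, then a
# peer's policy-based encryption domain, then static routes by priority.
# Only the static routes are subject to "ping on" next-hop monitoring.

def parse_vpn_route_conf(text):
    """Parse 'destination router install_on [for comm | force_override]' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append({"destination": fields[0], "router": fields[1],
                        "install_on": fields[2], "options": fields[3:]})
    return entries

def object_network(name):
    """Map an object name in the post's naming scheme, e.g. Net_10.20.0.0_24."""
    _, addr, plen = name.split("_")
    return ipaddress.ip_network(f"{addr}/{plen}")

def select_path(dst, vpn_routes, enc_domains, static_routes, peer_up):
    """Return (mechanism, peer) chosen for destination IP dst."""
    ip = ipaddress.ip_address(dst)
    for e in vpn_routes:                       # override: no reachability check
        if ip in object_network(e["destination"]):
            return ("vpn_route.conf", e["router"])
    for peer, nets in enc_domains.items():     # policy-based domain match
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return ("policy-based", peer)
    for r in sorted(static_routes, key=lambda r: r["priority"]):
        if ip in ipaddress.ip_network(r["destination"]) and peer_up[r["gateway"]]:
            return ("route-based", r["gateway"])  # ping monitoring skips dead hops
    return ("none", None)

# Constructed sample data mirroring the post (gateway names are placeholders).
VPN_ROUTE_CONF = "# vpn_route.conf\nNet_10.20.0.0_24 AWS-GW1 OfficeFW\n"
ENC_DOMAINS = {"DCFW": ["10.20.0.0/24"]}
STATIC_ROUTES = [{"destination": "10.20.0.0/24", "gateway": "AWS-GW1", "priority": 1},
                 {"destination": "10.20.0.0/24", "gateway": "AWS-GW2", "priority": 2}]

def path_with_override(gw1_up):
    return select_path("10.20.0.5", parse_vpn_route_conf(VPN_ROUTE_CONF), ENC_DOMAINS,
                       STATIC_ROUTES, {"AWS-GW1": gw1_up, "AWS-GW2": True})

def path_without_override(gw1_up, enc_domains=ENC_DOMAINS):
    return select_path("10.20.0.5", [], enc_domains, STATIC_ROUTES,
                       {"AWS-GW1": gw1_up, "AWS-GW2": True})
```

Calling path_with_override(False) still returns AWS-GW1, which is the failover gap the post is asking about; only without the override and without the DCFW domain match do the prioritised static routes fall back to AWS-GW2.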
2 Replies

Why wouldn't you use dynamic routing here?


Maybe I don't understand your point, but how will dynamic routing help here? Even if I enable dynamic routing between AWS and OfficeFW, the route over the policy-based VPN will still be the preferred one.
