Good day to everyone.
I am trying to implement the following: there are two ISPs, a Juniper SRX220H, and a license for several Dynamic VPN users.
I have set up ISP failover as follows:
/* ISP failover via two static default routes (the same stanza appears again in the full config below). */
routing-options {
static {
route 0.0.0.0/0 {
/* ISP-1 (ge-0/0/0) is the preferred path: preference 5. */
next-hop 212.#.#.#;
/* ISP-2 (ge-0/0/1) is the backup: preference 7, used only while the preference-5 route is absent. */
qualified-next-hop 195.#.#.# {
preference 7;
}
preference 5;
}
}
}
/* NOTE(review): a static route stays active while its next-hop is resolvable (typically as long as
   ge-0/0/0 is up); an upstream outage with the link still up will not trigger this failover unless
   something such as RPM/ip-monitoring withdraws the route - confirm how ISP-1 failure is detected. */
But how do I organize the Dynamic VPN? When creating an IKE gateway, only one external-interface may be specified.
The intent is that when ISP-1 fails, Internet access goes through ISP-2, and Junos Pulse clients can connect via either interface.
I attach my configuration below.
/* Interfaces: two WAN uplinks (ge-0/0/0 = ISP-1, ge-0/0/1 = ISP-2), six LAN switch ports in
   vlan-trust, and vlan.0 as the routed LAN gateway. */
interfaces {
/* ISP-1 uplink (public /25). The dynamic-VPN IKE gateway is bound to this unit only. */
ge-0/0/0 {
unit 0 {
family inet {
address 212.#.#.#/25;
}
}
}
/* ISP-2 uplink (point-to-point /30). Only the backup default route uses it; no IKE gateway is bound here. */
ge-0/0/1 {
unit 0 {
family inet {
address 195.#.#.#/30;
}
}
}
/* ge-0/0/2 .. ge-0/0/7: L2 access ports in vlan-trust (VLAN 3), routed through vlan.0. */
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
/* LAN gateway address (172.25.0.1); it is also the secondary-dns pushed to VPN clients. */
vlan {
unit 0 {
family inet {
address 172.25.0.1/24;
}
}
}
}
/* Static default route with ISP-1 preferred (preference 5) and ISP-2 as backup (preference 7).
   NOTE(review): the backup only takes over when the primary route is withdrawn, which normally
   requires the ISP-1 link itself to go down; an upstream failure with the link up needs an
   external trigger (e.g. RPM/ip-monitoring) - confirm what failure detection is in place. */
routing-options {
static {
route 0.0.0.0/0 {
/* ISP-1 via ge-0/0/0. */
next-hop 212.#.#.##;
/* ISP-2 via ge-0/0/1, less preferred. */
qualified-next-hop 195.#.#.## {
preference 7;
}
preference 5;
}
}
}
/* Spanning tree on the switched LAN ports. */
protocols {
stp;
}
/* Per-packet load-balancing policy. It is not referenced anywhere in the visible configuration
   (no forwarding-table export under routing-options), so it has no effect as posted. */
policy-options {
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
}
}
}
/* Security stanza: IKE/IPsec for the Dynamic VPN (Pulse), screens, NAT, policies and zones. */
security {
ike {
/* IKEv1 policy used by the dynamic-VPN gateway. Aggressive mode with a pre-shared key sends the
   identity and the PSK-derived authentication hash before the exchange is encrypted, so a weak
   key is exposed to offline guessing; keep the PSK long and random. Key value redacted here. */
policy ike-dyn-vpn-policy {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "###";
}
/* The only IKE gateway, bound to ISP-1. A gateway takes exactly one external-interface, so Pulse
   clients arriving on ge-0/0/1.0 (ISP-2) have no gateway listening there even though the untrust
   zone admits IKE on that interface. Presumably a second gateway (same ike-policy,
   external-interface ge-0/0/1.0) with its own ipsec vpn and dynamic-vpn client group is needed to
   serve both uplinks - verify against the dynamic-vpn constraints of the Junos release in use. */
gateway dyn-vpn-local-gw {
ike-policy ike-dyn-vpn-policy;
dynamic {
hostname dynvpn;
/* Cap on concurrent tunnels for this gateway; the access profile below defines five users. */
connections-limit 25;
ike-user-type group-ike-id;
}
external-interface ge-0/0/0.0;
/* XAuth user/password check against the local profile defined under [edit access]. */
xauth access-profile dyn-vpn-access-profile;
}
}
ipsec {
policy ipsec-dyn-vpn-policy {
proposal-set standard;
}
/* The VPN object referenced by the dynamic-vpn client group and by the tunnel policy. */
vpn dyn-vpn {
ike {
gateway dyn-vpn-local-gw;
ipsec-policy ipsec-dyn-vpn-policy;
}
/* NOTE(review): the peers are dynamic clients, so the SRX has no address to initiate to;
   this knob presumably has no effect here - confirm. */
establish-tunnels immediately;
}
}
/* SIP ALG turned off. */
alg {
sip disable;
}
/* Dynamic-VPN (Pulse) client configuration: one client group `all` binding the five users to
   ipsec vpn dyn-vpn, with the whole LAN /24 as the protected resource. */
dynamic-vpn {
access-profile dyn-vpn-access-profile;
clients {
all {
/* Prefixes the client sends into the tunnel; other destinations are presumably not tunnelled. */
remote-protected-resources {
172.25.0.0/24;
}
ipsec-vpn dyn-vpn;
/* User names (redacted); each must also exist as a client in the access profile. */
user {
######;
######;
######;
######;
######;
}
}
}
}
/* IDS screen options for the Internet-facing zone (attached to security-zone untrust below). */
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
/* SYN-flood protection; thresholds are SYN rates, attack-threshold is where SYN proxying starts. */
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
/* Everything leaving trust towards untrust is translated to the egress interface address, so it
   follows whichever ISP the default route currently uses. */
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
/* Answer ARP on the LAN for the VPN pool addresses, which are carved out of the LAN /24.
   The range .195-.225 is wider than the pool range .195-.220 (and than the pool's /27, which
   ends at .223); harmless but inconsistent. */
proxy-arp {
interface vlan.0 {
address {
172.25.0.195/32 to 172.25.0.225/32;
}
}
}
}
policies {
/* Outbound: anything from the LAN to the Internet is permitted. */
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
/* Three inbound policies expose Server1-3 on every application from any source. Nothing in
   the visible configuration (no destination NAT, no public addressing for these hosts) makes
   them reachable from the Internet, so either that lives elsewhere or these are dormant -
   confirm. Either way, narrow `application any` to the services actually published. These are
   evaluated before dyn-vpn-policy, so VPN-client traffic to these hosts presumably matches
   them first rather than the tunnel policy - confirm the intended behaviour. */
policy untrust-to-trust-Server1 {
match {
source-address any;
destination-address Server1;
application any;
}
then {
permit;
}
}
policy untrust-to-trust-Server2 {
match {
source-address any;
destination-address Server2;
application any;
}
then {
permit;
}
}
policy untrust-to-trust-Server3 {
match {
source-address any;
destination-address Server3;
application any;
}
then {
permit;
}
}
/* Tunnel policy for the dynamic VPN; traffic matching it is bound to ipsec vpn dyn-vpn. */
policy dyn-vpn-policy {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
tunnel {
ipsec-vpn dyn-vpn;
}
}
}
}
}
}
zones {
/* Inside zone: LAN address book, all host-inbound services open (management from the LAN). */
security-zone trust {
address-book {
/* Hosts referenced by the untrust-to-trust policies (last octets redacted). */
address Server1 172.25.0.#/32;
address Server2 172.25.0.#/32;
address Server3 172.25.0.#/32;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
/* Internet-facing zone holding both ISP uplinks; untrust-screen is attached here. */
security-zone untrust {
screen untrust-screen;
/* Zone-level host-inbound is the default for interfaces without their own statement; both
   interfaces below carry their own, but `all` here remains a permissive fallback. */
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
/* `all` already includes every service listed after it (dhcp, tftp, ike, https, ping, ssh are
   redundant) and additionally admits services not listed, e.g. telnet and J-Web management,
   from the Internet. The dynamic VPN needs ike here (and presumably https for Pulse client
   provisioning - confirm); ssh/https management reachable from the WAN should be limited to
   known sources with a loopback firewall filter or removed from this list. `protocols all`
   accepts routing-protocol traffic on a WAN link that only carries static routes and can be
   dropped. The same applies to ge-0/0/1.0. */
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
dhcp;
tftp;
ike;
https;
ping;
ssh;
}
protocols {
all;
}
}
}
/* ISP-2 interface: IKE is admitted here, but no IKE gateway is bound to this interface. */
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
dhcp;
tftp;
ike;
https;
ping;
ssh;
}
protocols {
all;
}
}
}
}
}
}
}
/* Local user database, VPN address pool and web-authentication defaults for the dynamic VPN. */
access {
/* XAuth profile referenced by the IKE gateway and by the dynamic-vpn stanza: five local
   firewall-user accounts with static passwords (redacted). No external authentication server is
   configured in this profile, so account and password hygiene lives entirely in this config. */
profile dyn-vpn-access-profile {
client ###### {
firewall-user {
password "##########";
}
}
client ###### {
firewall-user {
password "##########";
}
}
client ###### {
firewall-user {
password "##########";
}
}
client ###### {
firewall-user {
password "##########";
}
}
client ###### {
firewall-user {
password "##########";
}
}
/* Clients receive addresses from the pool defined below. */
address-assignment {
pool dyn-vpn-address-pool;
}
}
address-assignment {
/* Pool inside the LAN /24 (172.25.0.192/27); only .195-.220 are handed out, i.e. 26 addresses,
   in line with the gateway's connections-limit of 25. The proxy-arp range on vlan.0
   (.195-.225) is wider than this range. */
pool dyn-vpn-address-pool {
family inet {
network 172.25.0.192/27;
range dvpn-range {
low 172.25.0.195;
high 172.25.0.220;
}
/* DNS/WINS pushed to XAuth clients. secondary-dns is the SRX's own vlan.0 address, which only
   answers if a DNS proxy is configured on it - none is visible in this config. */
xauth-attributes {
primary-dns 172.25.0.3/32;
secondary-dns 172.25.0.1/32;
primary-wins 172.25.0.3/32;
}
}
}
}
/* Web authentication falls back to the same local profile. */
firewall-authentication {
web-authentication {
default-profile dyn-vpn-access-profile;
}
}
}
/* LAN VLAN (id 3) for ge-0/0/2..ge-0/0/7, routed through vlan.0 (172.25.0.1/24). */
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Please help!