SRX

Expand all | Collapse all

Dynamic VPN through two ISP

Jump to Best Answer
  • 1.  Dynamic VPN through two ISP

    Posted 09-08-2014 00:05

    Good day to everyone.

    Try to implement the following: there are two ISP, Juniper SRX220h and license for several dynamic VPN users.

    I have set up in the case of switching ISP failover:

    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 212.#.#.#;
                qualified-next-hop 195.#.#.# {
                    preference 7;
                }
                preference 5;
            }
        }
    }

    But how to organize dynamic? When creating ike gateway, may specify only one external-interface.

    It is assumed that in the case of failover ISP-1 Internet is organized through ISP-2, and the Junos Pulse can be connected via both interfaces.

    I attach my configuration below.

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 212.#.#.#/25;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 195.#.#.#/30;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 172.25.0.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 212.#.#.##;
                qualified-next-hop 195.#.#.## {
                    preference 7;
                }
                preference 5;
            }
        }
    }
    protocols {
        stp;
    }
    policy-options {
        policy-statement LOAD-BALANCE {
            then {
                load-balance per-packet;
            }
        }
    }
    security {
        ike {
            policy ike-dyn-vpn-policy {
                mode aggressive;
                proposal-set standard;
                pre-shared-key ascii-text "###";
            }
            gateway dyn-vpn-local-gw {
                ike-policy ike-dyn-vpn-policy;
                dynamic {
                    hostname dynvpn;
                    connections-limit 25;
                    ike-user-type group-ike-id;
                }
                external-interface ge-0/0/0.0;
                xauth access-profile dyn-vpn-access-profile;
            }
        }
        ipsec {
            policy ipsec-dyn-vpn-policy {
                proposal-set standard;
            }
            vpn dyn-vpn {
                ike {
                    gateway dyn-vpn-local-gw;
                    ipsec-policy ipsec-dyn-vpn-policy;
                }
                establish-tunnels immediately;
            }
        }
        alg {
            sip disable;
        }
        dynamic-vpn {
            access-profile dyn-vpn-access-profile;
            clients {
                all {
                    remote-protected-resources {
                        172.25.0.0/24;
                    }
                    ipsec-vpn dyn-vpn;
                    user {
                        ######;
                        ######;
                        ######;
                        ######;
                        ######;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface vlan.0 {
                    address {
                        172.25.0.195/32 to 172.25.0.225/32;
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy untrust-to-trust-Server1 {
                    match {
                        source-address any;
                        destination-address Server1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy untrust-to-trust-Server2 {
                    match {
                        source-address any;
                        destination-address Server2;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy untrust-to-trust-Server3 {
                    match {
                        source-address any;
                        destination-address Server3;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy dyn-vpn-policy {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            tunnel {
                                ipsec-vpn dyn-vpn;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address Server1 172.25.0.#/32;
                    address Server2 172.25.0.#/32;
                    address Server3 172.25.0.#/32;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                dhcp;
                                tftp;
                                ike;
                                https;
                                ping;
                                ssh;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                                dhcp;
                                tftp;
                                ike;
                                https;
                                ping;
                                ssh;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    access {
        profile dyn-vpn-access-profile {
            client ###### {
                firewall-user {
                    password "##########";
                }
            }
            client ###### {
                firewall-user {
                    password "##########";
                }
            }
            client ###### {
                firewall-user {
                    password "##########";
                }
            }
            client ###### {
                firewall-user {
                    password "##########";
                }
            }
            client ###### {
                firewall-user {
                    password "##########";
                }
            }
            address-assignment {
                pool dyn-vpn-address-pool;
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool {
                family inet {
                    network 172.25.0.192/27;
                    range dvpn-range {
                        low 172.25.0.195;
                        high 172.25.0.220;
                    }
                    xauth-attributes {
                        primary-dns 172.25.0.3/32;
                        secondary-dns 172.25.0.1/32;
                        primary-wins 172.25.0.3/32;
                    }
                }
            }
        }
        firewall-authentication {
            web-authentication {
                default-profile dyn-vpn-access-profile;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     Please help!



  • 2.  RE: Dynamic VPN through two ISP
    Best Answer

    Posted 09-09-2014 03:23

    Hi notimer,

     

    I would suggest you to create another ike gateway with external interface as second ISP and then configure ipsec and other related vpn configuration.

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 3.  RE: Dynamic VPN through two ISP

    Posted 09-10-2014 15:17

    Hi,rparthi!

    I would suggest you to create another ike gateway with external interface as second ISP and then configure ipsec and other related vpn configuration.

     I'll try this configuration and reply later.
    There is a problem that in the current ISP-1 second ISP-2 IP-address is not pinged..



  • 4.  RE: Dynamic VPN through two ISP

    Posted 09-14-2014 21:11

    All earned. Second ISP gateway is active (ping) when the route is built through it.
    Pulse connects to different locations successfully, but did not immediately notice the gap of communication.



  • 5.  RE: Dynamic VPN through two ISP

    Posted 09-18-2014 01:04

    Hi Notimer,

     

    May i know the current status? are you able to connect using both ISP using dynamic-VPN?

     


    Regards
    rparthi
     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too



  • 6.  RE: Dynamic VPN through two ISP

    Posted 09-25-2014 20:32

    Yes, I am.

    thanks for the advice 🙂



  • 7.  RE: Dynamic VPN through two ISP

    Posted 12-28-2014 05:19

    hi, i also create two gw , but only one can connnect ,eventhough another can connect , it can't ping through trust interface

     

    configure

     

     

    set access profile dyn-vpn-access-profile client vpnadmin firewall-user password adminP@ssw0rd
    set access profile dyn-vpn-access-profile client vpnadmin2 firewall-user password adminP@ssw0rd
    set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
    set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
    set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

    set security ike policy ike-dyn-vpn-policy mode aggressive
    set security ike policy ike-dyn-vpn-policy proposal-set standard
    set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text hyqhvpn
    set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
    set security ike gateway dyn-vpn-local-gw dynamic hostname hyqhdynvpn-CTC
    set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw external-interface reth2.0
    set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
    set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
    set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
    set security policies from-zone CTC to-zone trust policy dyn-vpn-policy match source-address any
    set security policies from-zone CTC to-zone trust policy dyn-vpn-policy match destination-address any
    set security policies from-zone CTC to-zone trust policy dyn-vpn-policy match application any
    set security policies from-zone CTC to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn
    set security dynamic-vpn access-profile dyn-vpn-access-profile
    set security dynamic-vpn clients all remote-protected-resources 172.18.0.0/16
    set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all ipsec-vpn dyn-vpn
    set security dynamic-vpn clients all user vpnadmin
    set security dynamic-vpn clients all user vpnadmin2

    set security ike policy ike-dyn-vpn-policy2 mode aggressive
    set security ike policy ike-dyn-vpn-policy2 proposal-set standard
    set security ike policy ike-dyn-vpn-policy2 pre-shared-key ascii-text hyqhvpn
    set security ike gateway dyn-vpn-local-gw2 ike-policy ike-dyn-vpn-policy2
    set security ike gateway dyn-vpn-local-gw2 dynamic hostname hyqhdynvpn-CNC
    set security ike gateway dyn-vpn-local-gw2 dynamic connections-limit 10
    set security ike gateway dyn-vpn-local-gw2 dynamic ike-user-type group-ike-id
    set security ike gateway dyn-vpn-local-gw2 external-interface reth3.0
    set security ike gateway dyn-vpn-local-gw2 xauth access-profile dyn-vpn-access-profile
    set security ipsec policy ipsec-dyn-vpn-policy2 proposal-set standard
    set security ipsec vpn dyn-vpn2 ike gateway dyn-vpn-local-gw2
    set security ipsec vpn dyn-vpn2 ike ipsec-policy ipsec-dyn-vpn-policy2
    set security policies from-zone CNC to-zone trust policy dyn-vpn-policy2 match source-address any
    set security policies from-zone CNC to-zone trust policy dyn-vpn-policy2 match destination-address any
    set security policies from-zone CNC to-zone trust policy dyn-vpn-policy2 match application any
    set security policies from-zone CNC to-zone trust policy dyn-vpn-policy2 then permit tunnel ipsec-vpn dyn-vpn2
    set security dynamic-vpn clients all2 remote-protected-resources 172.18.0.0/16
    set security dynamic-vpn clients all2 remote-exceptions 0.0.0.0/0
    set security dynamic-vpn clients all2 ipsec-vpn dyn-vpn2
    set security dynamic-vpn clients all2 user vpnadmin
    set security dynamic-vpn clients all2 user vpnadmin2



  • 8.  RE: Dynamic VPN through two ISP

    Posted 06-24-2018 07:58

    Hi notimer

     

    I have a very similar issue, would you be willing to share your working config for this two ISP setup?

    I have a dynamic VPN requirement for the users to be able to connect via two different interfaces and the connecting to loopback isn't supported in the branch SRX devices I'm using.

     

    Thanks