  Multiple VPN links

    Posted 07-06-2019 03:22

I have a site-to-site VPN running between some SRX devices. I am looking at adding another site-to-site VPN to a new device as a failover for this link.

If the primary site-to-site VPN fails, I want it to fail over to the other site automatically. When the primary link returns, I want it to switch back automatically as well.

I’m thinking that once I get these VPN links in, I use OSPF and set one link (the backup link) with a higher metric?

    What do you think?


  RE: Multiple VPN links

    Posted 07-06-2019 03:53



If you have one site (A) to site (B) with an SRX on each side and wish to add another link from one (SITE-A) SRX to a new device, but to the same site (SITE-B):

    Yes, that should work.

The only point is, in phase 2 use proxy-id rather than Traffic Selector, as the latter would add an automatic route for the remote subnet, which will be the same in this case.

For the failback, once the correct tunnel st interface comes UP, the OSPF route will switch the traffic back.




  RE: Multiple VPN links

    Posted 07-06-2019 03:54

Yes, using OSPF and link cost on dual VPNs for failover is a good choice.


    • Set up both VPNs as route-based VPNs
    • Assign a routed link subnet (/31) to each tunnel
    • Put the matching pair addresses on the st0.x interfaces for the tunnels
    • Set up the st0.x interfaces as point-to-point links in the same OSPF area
    • Set a higher cost on the backup link's OSPF VPN
    • Create your security policies and zone assignments as normal


  RE: Multiple VPN links

    Posted 07-06-2019 04:28
    Thanks, that’s great.

    What are your thoughts on running IPS on these devices? I notice SRX offers different licenses ... we just have the base at the moment.

    Seeing as the only thing these SRXs will do is pass IPsec traffic, perhaps it is a waste to pay extra for IPS? In reality I’m not sure it’s adding any benefit?


  RE: Multiple VPN links
    Best Answer

    Posted 07-06-2019 04:51

    You are correct that the IPS cannot help with inspecting encrypted traffic.


    IPS is most valuable for sites that allow direct access to the internet from clients and inspect this traffic, or that have resources published to the internet at the site that can be inspected.


  RE: Multiple VPN links

    Posted 07-06-2019 05:07
    Thanks for your time today

  RE: Multiple VPN links

    Posted 07-06-2019 05:17
    Just to clarify,

    Would it be best to use two different public IP addresses and separate st interfaces to the two different SRXs?

    Or is there a way to peer the same st interface (including the same public address) to both SRXs?

  RE: Multiple VPN links

    Posted 07-06-2019 05:59

    In order to create two tunnels, at least one site has to have two different IP addresses to create the VPN.


    If there is only one IP address on both sides, there is no way to create two phase 1 tunnels.


    You can have both tunnels on the same SRX, and if you want hardware redundancy the general way to do that is to create a cluster with two SRXs that then statefully fail over in the event of any hardware-based issue. This will be less disruptive to active sessions than two independent SRXs.


  RE: Multiple VPN links

    Posted 07-06-2019 06:03
    Perfect, cheers Steve