SRX100 with dual ISP: the primary default route is learned via EBGP from ISP 1, and the secondary default route is a static route with a higher (less preferred) route preference and a higher metric.
Failover from the EBGP default route to the static default route works flawlessly, but the VPN configured on ISP 2 comes up only some of the time, or only after a long wait for interesting traffic to bring it up. Failback also works easily: once the primary injects the route again, we are back in business on the primary Internet link and the primary VPN.
My question is: can someone confirm that the SRX dual-ISP, dual-VPN setup is configured properly before I escalate to the other side of the VPN, which happens to run a NetScreen with a single ISP and a single VPN?
Thanks a bunch to all who looked at this config.
SRX VPN dual ISP setup
# Tunnel interfaces. st0.0 carries the primary (ISP 1) VPN and st0.1 the
# secondary (ISP 2) VPN; each is bound below by its vpn's `bind-interface`.
# No address is configured on either unit here, so both are unnumbered.
st0 {
unit 0 {
family inet;
}
unit 1 {
family inet;
}
}
root# run show configuration security ike
# Phase 1 (IKE) proposal, shared by both gateways via policy to-netscreen.
# 3DES-CBC, SHA-1 and DH group 2 are legacy choices; if the NetScreen peer
# supports it, prefer AES-CBC and DH group 14 or stronger. 86400 s = 24 h.
proposal 3des-sha {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
}
# IKE policy used by BOTH gateways, so both tunnels share one pre-shared key.
# NOTE: the `$9$...` value is Junos reversible obfuscation, not a hash. Since
# this output has been posted publicly, treat the PSK as disclosed and rotate
# it on the SRX and on the NetScreen peer.
policy to-netscreen {
mode main;
description to-netscreen;
proposals 3des-sha;
pre-shared-key ascii-text "$9$wagZjk.5T39fT1hyKx7"; ## SECRET-DATA
}
# Primary IKE gateway, sourced from the ISP 1 interface.
# `external-interface fe-0/0/0` names the physical interface, whereas the ISP 2
# gateway below uses a logical unit (fe-0/0/1.0); confirm this is intentional,
# since the IKE source address lives on the logical unit (fe-0/0/0.0).
# DPD is tuned explicitly here (10 s interval, 3 misses) but left at defaults on
# the ISP 2 gateway -- align them if both links should fail over equally fast.
gateway netscreen {
ike-policy to-netscreen;
address 3.3.3.1;
dead-peer-detection {
interval 10;
threshold 3;
}
external-interface fe-0/0/0;
}
# Secondary IKE gateway to the SAME peer address (3.3.3.1), sourced from the
# ISP 2 interface. It reuses ike-policy to-netscreen, so the same PSK and
# proposal apply. DPD here uses platform defaults (no interval/threshold),
# unlike the primary gateway.
gateway netscreen-isp2 {
ike-policy to-netscreen;
address 3.3.3.1;
dead-peer-detection;
external-interface fe-0/0/1.0;
}
root# run show configuration security ipsec
# Phase 2 (IPsec) proposal: ESP with HMAC-SHA1-96 and 3DES-CBC, 1 h lifetime.
# Same legacy-algorithm caveat as the phase 1 proposal: move to AES when the
# NetScreen peer allows it.
proposal p2 {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
# Phase 2 policy shared by both vpns. PFS is enabled with DH group 2 (legacy;
# prefer group 14+ if the peer supports it). The name looks like a typo for
# "netscreen-policy"; if renamed, both `ipsec-policy` references below must
# change with it.
policy netscree-policy {
perfect-forward-secrecy {
keys group2;
}
proposals p2;
}
# Primary VPN over ISP 1, bound to st0.0.
# vpn-monitor pings 2.2.2.1 (inside the remote proxy-id range) sourced from
# fe-0/0/2.0 -- presumably the LAN-side interface holding 172.16.0.0/24; verify.
# The monitor is what should mark st0.0 down when this tunnel fails, which in
# turn lets the static route below fall over to st0.1 -- confirm on failover.
# `establish-tunnels on-traffic`: the SA is only negotiated once interesting
# traffic (172.16.0.0/24 -> 2.2.2.0/24) arrives.
vpn to-netscreen {
bind-interface st0.0;
vpn-monitor {
optimized;
source-interface fe-0/0/2.0;
destination-ip 2.2.2.1;
}
ike {
gateway netscreen;
proxy-identity {
local 172.16.0.0/24;
remote 2.2.2.0/24;
service any;
}
ipsec-policy netscree-policy;
}
establish-tunnels on-traffic;
}
# Backup VPN over ISP 2, bound to st0.1. Same peer, same proxy-ids and same
# monitor target as the primary vpn.
# `establish-tunnels on-traffic` is the likely reason this tunnel comes up late
# after a failover: nothing negotiates it until traffic is routed onto st0.1.
# Consider `establish-tunnels immediately` here so the backup SA is kept up
# (check that the single-VPN NetScreen accepts a second SA pair with identical
# proxy-ids from a different source address before relying on this).
# `service any` is omitted from proxy-identity here but present on the primary;
# any should be the default, but keep both stanzas identical to be safe.
vpn to-netscreen-2 {
bind-interface st0.1;
vpn-monitor {
optimized;
source-interface fe-0/0/2.0;
destination-ip 2.2.2.1;
}
ike {
gateway netscreen-isp2;
proxy-identity {
local 172.16.0.0/24;
remote 2.2.2.0/24;
}
ipsec-policy netscree-policy;
}
establish-tunnels on-traffic;
}
# Static route to the remote LAN: st0.0 (primary tunnel) is the preferred
# next hop; st0.1 (backup tunnel) is used only while st0.0 is down, because of
# its higher metric (5). Failover therefore depends on st0.0 actually going
# down when the primary tunnel fails -- that is the job of vpn-monitor above.
route 2.2.2.0/24 {
next-hop st0.0;
qualified-next-hop st0.1 {
metric 5;
}
}