
SRX VPN Tunnels redundancy with dual ISP

Erdem, 01-12-2010 04:58

  • 1.  SRX VPN Tunnels redundancy with dual ISP

    Posted 01-11-2010 15:24

    Hi, I'm trying to see if the SRX can be configured to respond to a VPN tunnel to a peer that has two different ISP links.  There is no BGP at the peer and one link is a backup.  Does the SRX have the ability to have a second peer address if the first becomes unreachable?

     

    Thanks,

     

    Mike



  • 2.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-12-2010 04:58

    Route or policy based?


    #E


  • 3.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-12-2010 08:54

    Probably Route, but if it can be done in Policy that's ok too.

     

    I'm just looking for any solution that will allow me to configure a VPN tunnel to another site that has two ISPs.  The far site would primarily use ISP1, but during an outage they may begin using ISP2, and I want the local SRX to be able to switch over seamlessly.

     



  • 4.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-12-2010 09:38

    When you configure the IKE gateway, it lets you configure more than one address. I haven't tested it yet, but I think it should work for a redundancy deployment. Next week I will configure a similar scenario and test it.

     

    What I mean is something like:

     

    set security ike gateway <gateway-name> address <remote-Public-IP1> (IP ADDRESS of the ISP 1, as a main gateway)

    set security ike gateway <gateway-name> address <remote-Public-IP2> (IP ADDRESS of the ISP 2, as a secondary gateway)

     

    Then the configuration should look like this:

     

    security {
        ike {
            gateway <gateway-name> {
                address <remote-Public-IP1> <remote-Public-IP2>;
            }
        }
    }

     

     

    I omitted all the other configuration that a VPN involves.



  • 5.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-12-2010 23:54

    All you have to do is set up the VPN as route-based, with st0.0 and st0.1 for each ISP link.

    Then set up the routing-options with next-hop st0.0 and qualified-next-hop st0.1 with a preference of 20.

     

    I have set up an SRX240 with two ISPs which can fail over to each other if their links get dropped.

     

    Send your config and I can take a look at it.



  • 6.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-14-2010 08:26

    Can you please share an example of how you configured it?



  • 7.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 01-14-2010 09:57

    routing-options {
        static {
            route 192.168.1.0/24 {
                next-hop st0.0;
                qualified-next-hop st0.1 {
                    preference 2;
                }
            }
        }
        forwarding-table {
            export load_balance;
        }
    }
    policy-options {
        policy-statement load_balance {
            then {
                load-balance per-packet;
            }
        }
    }

     

    Route based vpn

    Just make sure your vpn is connected.



  • 8.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 03-08-2010 12:11

    What if I have two ISPs at both sites, not just at one? Will it work anyway? What do I do with the reverse route?



  • 9.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 10-20-2010 13:09

    Is it possible to do something like this and do some sort of load balancing across the VPN tunnels?

     

     

               / ISP1 - st0.0 -> -> -> st0.0 ISP \

    Office                                                          Datacenter

              \ ISP2 - st0.0 -> -> -> st0.1 ISP /

     

    My datacenter handles the BGP routing, and just gives me 2 ethernet handoffs to plug into my firewalls with the same network information for both.

     

    The office has 2 completely different ISPs, so I'm assuming I will have to set up separate routing instances.



  • 10.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 10-21-2010 10:13

    I have this setup working perfectly fine; just make sure you have VPN monitor enabled on both redundant links, or else it is not going to fail over.



  • 11.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 10-24-2010 12:53

    Could you post the relevant portions of your config?  Perhaps the routing-options, routing-instances, and the ike/ipsec info?



  • 12.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 08-07-2013 07:46

    Hi all,

     

    I think that you should use the BFD feature to set up the redundant VPN. It is better to use a route-based VPN.

     

    Regards.



  • 13.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 08-07-2013 07:55

    If you want to use 2 public IPs at the datacenter, use 1 VPN and dead peer detection on the IKE.

     

    The other solutions will work, but not as cleanly in my opinion.

     

    If you had 2 datacenters, route metrics and 2 VPNs isn't a bad way to do it.  (We do that for 6000 locations today.)



  • 14.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 08-10-2013 05:22

    We use OSPF with short timers. Works for our environment, although BFD would be better. We also handle our dual WAN links in a single routing instance to KISS.

     

    You could have two IKE gateways, but it won't fall-back to your preferred link (if required).

     

    Qualified-next-hop doesn't take transit problems into consideration, so it wouldn't fail over unless you physically unplug the interface.



  • 15.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 08-10-2013 12:19

    "layard, 01-14-2010 08:26 AM:

    Can you please share an example of how you configured it?
    LT"

     

    You can help stop this thread from possibly getting very little done by simply posting your configuration. You just need to use the replace pattern to change your IP addresses etc. One of the first things you will note is that the forum admins request the configuration. It is obvious from the other responders that what you are wanting to do is very possible. I think at this point that would be most helpful in resolving your problem. We all will learn better that way, because it will also help us and others see what not to do, or a configuration that does not work. Not only that, but a search on the forum for exactly what you are asking about would return results with solutions that will help another person.



  • 16.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 06-18-2014 14:19

     

    So I thought I might revive this thread since this is what I need as well.  Below is a sample config for the SRX that has the dual ISP.  Is there something that I need to do to the VPNs on this end first?  Once we figure that one out I'll post the other end.

     

    version 11.4R7.5;
    system {
        host-name TEST;
        time-zone America/New_York;
        root-authentication {
            encrypted-password "PUTYOUROWNIN";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        services {
            ssh {
                protocol-version v2;
            }
            telnet;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
            dhcp {
                pool 10.1.130.0/24 {
                    address-range low 10.1.130.30 high 10.1.130.90;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        10.1.130.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            host 10.2.2.55 {
                any any;
                change-log none;
                interactive-commands none;
            }
            file messages {
                any any;
                authorization any;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
            file default-log-messages {
                any any;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interface-trust {
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 111.111.111.2/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 222.222.222.2/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input deny-ssh-https;
                    }
                    address 127.0.0.1/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
            unit 2 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.1.130.1/24;
                }
            }
        }
    }
    event-options {
        policy test-failed {
            events ping_test_failed;
            attributes-match {
                ping_test_failed.test-owner matches icmp-ping-probe;
                ping_test_failed.test-name matches ping-probe-test;
            }
            then {
                event-script watch-default-route.slax {
                    arguments {
                        next-hop 111.111.111.1;
                    }
                }
            }
        }
        policy test-completed {
            events ping_test_completed;
            attributes-match {
                ping_test_completed.test-owner matches icmp-ping-probe;
                ping_test_completed.test-name matches ping-probe-test;
            }
            then {
                event-script watch-default-route.slax {
                    arguments {
                        next-hop 111.111.111.1;
                    }
                }
            }
        }
        event-script {
            file watch-default-route.slax;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 {
                qualified-next-hop 111.111.111.1;
                qualified-next-hop 222.222.222.1 {
                    preference 200;
                }
            }
            route 1.2.2.0/24 next-hop st0.0;
            route 1.2.3.0/24 next-hop st0.1;
            route 3.3.3.0/24 next-hop st0.2;
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy number1 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            policy number2 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            policy number3 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            gateway GW-to-number1 {
                ike-policy number1;
                address 10.10.10.10;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
            gateway GW-to-number2 {
                ike-policy number2;
                address 11.11.11.11;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
            gateway GW-to-number3 {
                ike-policy number3;
                address 12.12.12.12;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
        }
        ipsec {
            policy number1 {
                proposal-set standard;
            }
            policy number2 {
                proposal-set standard;
            }
            policy number3 {
                proposal-set standard;
            }
            vpn number1 {
                bind-interface st0.0;
                ike {
                    gateway GW-to-number1;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.2.0/24;
                    }
                    ipsec-policy number1;
                }
                establish-tunnels immediately;
            }
            vpn number2 {
                bind-interface st0.1;
                ike {
                    gateway GW-to-number2;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.3.0/24;
                    }
                    ipsec-policy number2;
                }
                establish-tunnels immediately;
            }
            vpn number3 {
                bind-interface st0.2;
                ike {
                    gateway GW-to-number3;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 3.3.3.0/24;
                    }
                    ipsec-policy number3;
                }
                establish-tunnels immediately;
            }
        }
        alg {
            dns disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            real disable;
            rsh disable;
            rtsp disable;
            sccp disable;
            sip disable;
            sql disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1300;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone trust to-zone VPN {
                policy number1 {
                    match {
                        source-address TEST;
                        destination-address number1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number2 {
                    match {
                        source-address TEST;
                        destination-address number2;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number3 {
                    match {
                        source-address TEST;
                        destination-address number3;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN to-zone trust {
                policy number1 {
                    match {
                        source-address number1;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number2 {
                    match {
                        source-address number2;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number3 {
                    match {
                        source-address number3;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address TEST 10.1.130.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone VPN {
                address-book {
                    address number1 1.2.2.0/24;
                    address number2 1.2.3.0/24;
                    address number3 3.3.3.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                    st0.1;
                    st0.2;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    services {
        rpm {
            probe icmp-ping-probe {
                test ping-probe-test {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 30;
                    test-interval 100;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/0.0;
                    next-hop 111.111.111.1;
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }

     

    Here's the SLAX for your info as well.  This portion is working, just not the VPN side obviously.

     

    /*
     * This event script activates/deactivates the qualified next-hop of the default
     * route based on the success or failure of a RPM test. When the test is successful 
     * the route will be activated.  When the test fails the route will be deactivated.
     *
     * The qualified next-hop must be passed as the next-hop argument.
     *
     */
    
    version 1.0;
    
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    
    import "../import/junos.xsl";
    
    param $next-hop = "10.0.0.1";
    
    match / {
        <event-script-results> {    
            /* Learn the event type, either a PING_TEST_FAILED or PING_TEST_COMPLETED */
            var $event-type = event-script-input/trigger-event/id;
    
            /* Retrieve the current configuration for the static route */
            var $configuration-rpc = {
                <get-configuration database="committed"> {
                    <configuration> {
                        <routing-options>;
                    }
                }
            }
            var $current = jcs:invoke( $configuration-rpc );
            
            /* Grab the routing-options static node to make further location paths shorter */
            var $static = $current/routing-options/static;
    
            /* Is the route currently inactive? */
            var $inactive = $static/route[name == "0.0.0.0/0"]/qualified-next-hop[name == $next-hop]/@inactive;
            
            /* 
             * Compare the event type vs the current value of $inactive.  If they
             * do not match then a configuration change must be performed.
             */
             
            /* RPM test failed but the route is currently active */
            if( $event-type == "PING_TEST_FAILED" && jcs:empty( $inactive ) ) {
                
                /* Needed configuration change */
                var $configuration = {
                    <configuration> {
                        <routing-options> {
                            <static> {
                                <route> {
                                    <name> "0.0.0.0/0";
                                    <qualified-next-hop inactive="inactive"> {
                                        <name> $next-hop;
                                    }
                                }
                            }
                        }
                    }
                }
                
                /* Open connection, load and commit the change, and close connection  */
                var $connection = jcs:open();
                var $results := { 
                    call jcs:load-configuration( $connection, $configuration );
                    copy-of jcs:close( $connection );
                }
                
                /* If any errors occurred during the commit process then report them to the syslog */
                if( $results//xnm:error ) {
                    for-each( $results//xnm:error ) {
                        expr jcs:syslog( "external.error", "Error deactivating ", $next-hop, " next-hop: ", message );
                    }   
                }
                /* Otherwise, report success */
                else {
                    expr jcs:syslog( "external.notice", "0/0 next-hop ", $next-hop, " disabled." );
                }
            }
            /* RPM test succeeded but the route is currently inactive */
            else if( $event-type == "PING_TEST_COMPLETED" && $inactive ) {
                
                /* Needed configuration change */
                var $configuration = {
                    <configuration> {
                        <routing-options> {
                            <static> {
                                <route> {
                                    <name> "0.0.0.0/0";
                                    <qualified-next-hop active="active"> {
                                        <name> $next-hop;
                                    }
                                }
                            }
                        }
                    }
                }
                
                /* Open connection, load and commit the change, and close connection  */
                var $connection = jcs:open();
                var $results := { 
                    call jcs:load-configuration( $connection, $configuration );
                    copy-of jcs:close( $connection );
                }
                
                /* If any errors occurred during the commit process then report them to the syslog */
                if( $results//xnm:error ) {
                    for-each( $results//xnm:error ) {
                        expr jcs:syslog( "external.error", "Error activating ", $next-hop, " next-hop: ", message );
                    }   
                }
                /* Otherwise, report success */
                else {
                    expr jcs:syslog( "external.notice", "0/0 next-hop ", $next-hop, " activated." );
                }
            }
        }
    }

     


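Several replies in this thread point at the same two failure modes: a tunnel whose IKE gateway has no liveness check (DPD or VPN monitor) never fails over, and a route-based VPN whose st0 unit is not in a zone or whose gateway name does not match passes nothing. As an added example (not code from this thread or from Juniper), here is a small Python lint over a constructed Junos-style excerpt; the excerpt is invented for the demonstration and has three defects seeded into it (a gateway-name typo, a leaf missing its `;`, and an st0 unit left out of the VPN zone), and the parser only understands the curly-brace display format, not `set` commands.

```python
# Lint for a Junos-style (curly-brace) SRX configuration like the ones posted in this thread.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One stanza (`name {`) or one leaf (`name;`) of the configuration tree."""
    name: str
    children: List["Node"] = field(default_factory=list)


def parse(text: str) -> Tuple[Node, List[str]]:
    """Build the tree; report unbalanced braces and leaves missing their ';' terminator."""
    root, errors = Node("root"), []
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("/*", "*", "#")):
            continue
        if line.endswith("{"):
            stanza = Node(line[:-1].strip())
            stack[-1].children.append(stanza)
            stack.append(stanza)
        elif line == "}":
            if len(stack) == 1:
                errors.append(f"line {lineno}: unbalanced '}}'")
            else:
                stack.pop()
        else:
            if not line.endswith(";"):  # Junos refuses to load a leaf without ';'
                errors.append(f"line {lineno}: missing ';' after '{line}'")
            stack[-1].children.append(Node(line.rstrip(";")))
    if len(stack) > 1:
        errors.append(f"unclosed stanza '{stack[-1].name}'")
    return root, errors


def child(node: Optional[Node], name: str) -> Optional[Node]:
    # Exact-name child lookup that tolerates a missing parent.
    return next((c for c in (node.children if node else []) if c.name == name), None)


def stanzas(node: Optional[Node], keyword: str) -> List[Node]:
    # Children whose first word is `keyword`, e.g. every `gateway <name>` under `ike`.
    return [c for c in (node.children if node else []) if c.name.split()[:1] == [keyword]]


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    root, findings = parse(text)
    security = child(root, "security")
    # An IKE gateway without dead-peer-detection never notices a dead peer, so no failover.
    defined = set()
    for gw in stanzas(child(security, "ike"), "gateway"):
        defined.add(gw.name.split()[1])
        if child(gw, "dead-peer-detection") is None:
            findings.append(f"ike gateway {gw.name.split()[1]}: no dead-peer-detection configured")
    # Interfaces that sit in some security zone; an un-zoned st0 unit passes no traffic.
    zoned = set()
    for zone in stanzas(child(security, "zones"), "security-zone"):
        zoned.update(c.name for c in (child(zone, "interfaces") or Node("")).children)
    for vpn in stanzas(child(security, "ipsec"), "vpn"):
        vpn_name = vpn.name.split()[1]
        for ref in stanzas(child(vpn, "ike"), "gateway"):
            if ref.name.split()[1] not in defined:
                findings.append(f"vpn {vpn_name}: ike gateway {ref.name.split()[1]} is not defined")
        for bind in stanzas(vpn, "bind-interface"):
            if bind.name.split()[1] not in zoned:
                findings.append(f"vpn {vpn_name}: {bind.name.split()[1]} is not in any security zone")
    return findings


# Constructed excerpt (not a real config) with three seeded defects: a gateway-name typo
# (number2C vs number2), a leaf missing its ';', and st0.1 left out of the VPN zone.
SAMPLE_CONFIG = """
security {
    ike {
        gateway GW-to-number1 {
            dead-peer-detection {
                always-send;
            }
        }
        gateway GW-to-number2C {
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        vpn number1 {
            bind-interface st0.0;
            ike {
                gateway GW-to-number1;
            }
        }
        vpn number2 {
            bind-interface st0.1
            ike {
                gateway GW-to-number2;
            }
        }
    }
    zones {
        security-zone VPN {
            interfaces {
                st0.0;
            }
        }
    }
}
"""
```

Run `lint()` over `show configuration | no-more` output before committing a failover design; it catches the name mismatch and the missing liveness check that otherwise only show up when the primary link actually dies.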

  • 17.  RE: SRX VPN Tunnels redundancy with dual ISP

     
    Posted 06-19-2014 04:10

    I'm not a big fan of using SLAX to make configuration changes to handle fail-over, so my answer may be a little biased 😉

     

    You're running 11.4 so you can use ip-monitoring for a much cleaner fail-over:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&actp=RSS

     

    Basically this allows you to change a route dynamically (not in your config) based on the state of your RPM Probe.

     

    On the VPN side, there are a number of things you can do.  Looking at your configuration, it looks like you've got static IPs at both ends.  So you have a couple of options:

     

    1. Create two tunnels from each of your far-side nodes, one to each ISP address on ge-0/0/0 and ge-0/0/1.  Then use either a routing protocol or static routes with BFD configured to select a primary tunnel, and fail over to the backup tunnel.  This will require you to configure 6 tunnels on the head-end, so just put all your primaries with "external-interface ge-0/0/0" and all the secondaries with "external-interface ge-0/0/1".

     

    There is probably a neater way to do this with just two multi-point tunnel interfaces and NHTB, but try the above method first.

     

    2. You could create a single tunnel from each of the far-end nodes, but specify a secondary address for your IKE gateway to connect to.  It's been a while since I used this method, but from memory, the tunnel will fail over to the secondary address when DPD fails.  So if ISP1 on your head-end goes down, DPD should die around 30-40 seconds later, and then the tunnel will re-establish on the secondary gw.  Again, I think you need to configure two tunnels on the head-end per site, only one of which will be active at any time.  Routing can be static and should fail over when the primary tunnel is torn down.  When ISP1 comes back, the tunnel should revert when your default gateway moves and the secondary tunnel fails (again after the DPD timeout).

     

    I would also turn off DPD and instead use BFD: the *fastest* BFD can mark a tunnel down is 30 seconds with DPD, whereas BFD can do it in less than 1.

     

    Hope this helps



  • 18.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 06-19-2014 08:22

    Can you give me an example of both based on my example config?



  • 19.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 06-20-2014 13:19

    Any help would be appreciated



  • 20.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 07-07-2014 08:20

    So after some thought & after I had some time to read through the material, here's what I came up with....  would this work?

     

    version 11.4R7.5;
    system {
        host-name TEST;
        time-zone America/New_York;
        root-authentication {
            encrypted-password "PUTYOUROWNIN";
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        services {
            ssh {
                protocol-version v2;
            }
            telnet;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
            dhcp {
                pool 10.1.130.0/24 {
                    address-range low 10.1.130.30 high 10.1.130.90;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        10.1.130.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            host 10.2.2.55 {
                any any;
                change-log none;
                interactive-commands none;
            }
            file messages {
                any any;
                authorization any;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
            file default-log-messages {
                any any;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        interface-range interface-trust {
            member fe-0/0/2;
            member fe-0/0/3;
            member fe-0/0/4;
            member fe-0/0/5;
            member fe-0/0/6;
            member fe-0/0/7;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 111.111.111.2/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 222.222.222.2/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input deny-ssh-https;
                    }
                    address 127.0.0.1/32;
                }
            }
        }
        st0 {
            unit 0 {
                family inet;
            }
            unit 1 {
                family inet;
            }
            unit 2 {
                family inet;
            }
            unit 3 {
                family inet;
            }
            unit 4 {
                family inet;
            }
            unit 5 {
                family inet;
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 10.1.130.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 111.111.111.1;
            route 1.2.2.0/24 next-hop st0.0 {
                qualified-next-hop st0.3 {
                    preference 200;
                }
            }
            route 1.2.3.0/24 next-hop st0.1 {
                qualified-next-hop st0.4 {
                    preference 200;
                }
            }
            route 3.3.3.0/24 next-hop st0.2 {
                qualified-next-hop st0.5 {
                    preference 200;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        ike {
            policy number1 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            policy number2 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            policy number3 {
                mode main;
                proposal-set standard;
                pre-shared-key ascii-text "WHATEVER";
            }
            gateway GW-to-number1 {
                ike-policy number1;
                address 10.10.10.10;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
            gateway GW-to-number2 {
                ike-policy number2;
                address 11.11.11.11;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
            gateway GW-to-number3 {
                ike-policy number3;
                address 12.12.12.12;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
            gateway GW-to-number1-1 {
                ike-policy number1;
                address 10.10.10.10;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/1;
            }
            gateway GW-to-number2-1 {
                ike-policy number2;
                address 11.11.11.11;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/1;
            }
            gateway GW-to-number3-1 {
                ike-policy number3;
                address 12.12.12.12;
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/1;
            }
        }
        ipsec {
            policy number1 {
                proposal-set standard;
            }
            policy number2 {
                proposal-set standard;
            }
            policy number3 {
                proposal-set standard;
            }
            vpn number1 {
                bind-interface st0.0;
                ike {
                    gateway GW-to-number1;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.2.0/24;
                    }
                    ipsec-policy number1;
                }
                establish-tunnels immediately;
            }
            vpn number2 {
                bind-interface st0.1;
                ike {
                    gateway GW-to-number2;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.3.0/24;
                    }
                    ipsec-policy number2;
                }
                establish-tunnels immediately;
            }
            vpn number3 {
                bind-interface st0.2;
                ike {
                    gateway GW-to-number3;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 3.3.3.0/24;
                    }
                    ipsec-policy number3;
                }
                establish-tunnels immediately;
            }
            vpn number1-1 {
                bind-interface st0.3;
                ike {
                    gateway GW-to-number1-1;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.2.0/24;
                    }
                    ipsec-policy number1;
                }
                establish-tunnels immediately;
            }
            vpn number2-1 {
                bind-interface st0.4;
                ike {
                    gateway GW-to-number2-1;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 1.2.3.0/24;
                    }
                    ipsec-policy number2;
                }
                establish-tunnels immediately;
            }
            vpn number3-1 {
                bind-interface st0.5;
                ike {
                    gateway GW-to-number3-1;
                    proxy-identity {
                        local 10.1.130.0/24;
                        remote 3.3.3.0/24;
                    }
                    ipsec-policy number3;
                }
                establish-tunnels immediately;
            }
        }
        alg {
            dns disable;
            h323 disable;
            mgcp disable;
            msrpc disable;
            sunrpc disable;
            real disable;
            rsh disable;
            rtsp disable;
            sccp disable;
            sip disable;
            sql disable;
            talk disable;
            tftp disable;
            pptp disable;
        }
        flow {
            tcp-mss {
                all-tcp {
                    mss 1300;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy default-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone trust to-zone VPN {
                policy number1 {
                    match {
                        source-address TEST;
                        destination-address number1;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number2 {
                    match {
                        source-address TEST;
                        destination-address number2;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number3 {
                    match {
                        source-address TEST;
                        destination-address number3;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone VPN to-zone trust {
                policy number1 {
                    match {
                        source-address number1;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number2 {
                    match {
                        source-address number2;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
                policy number3 {
                    match {
                        source-address number3;
                        destination-address TEST;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address TEST 10.1.130.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                }
            }
            security-zone VPN {
                address-book {
                    address number1 1.2.2.0/24;
                    address number2 1.2.3.0/24;
                    address number3 3.3.3.0/24;
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    st0.0;
                    st0.1;
                    st0.2;
                    st0.3;
                    st0.4;
                    st0.5;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    services {
        rpm {
            probe icmp-ping-probe {
                test ping-probe-test {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 15;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/0.0;
                }
            }
        }
        ip-monitoring {
            policy test {
                match rpm-probe icmp-ping-probe;
                then preferred-route route 0.0.0.0/0 next-hop 222.222.222.1;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
    }


    This is the side with the dual ISP.  The other side only has one ISP.  I understand that the other side will have to look something like this:

    security {
        ike {
            gateway GW-to-TEST {
                ike-policy TEST;
                address [ 111.111.111.2 222.222.222.2 ];
                dead-peer-detection {
                    always-send;
                    threshold 3;
                }
                external-interface ge-0/0/0;
            }
        }
    }




  • 21.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 07-08-2014 12:25

    Well.... I will be testing this next week.  Wish me luck (or if you notice anything wrong let me know before I crash and burn).  



  • 22.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 07-09-2014 05:22

    You may run into issues with that config.


    The ip-monitoring part is fine, but your IPSEC tunnels all have "external-interface ge-0/0/0.0" which will not be true if you fail over to ISP2.  It *may* still work (haven't tested this scenario in a while), but if it doesn't, you'll need to create a tunnel for ISPA and another for ISPB at the head-end.


    If your PSKs are the same, for both tunnels, the remote site should be able to stay the same (with the backup IKE gateways as you have them).
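    A small consistency checker, added here as an example and not part of either poster's configuration, that parses Junos brace syntax and flags the two things these replies turn on: a vpn whose ike gateway name is not defined anywhere (the commit fails), and a remote peer that has no IKE gateway on every ISP-facing interface, so nothing can come up after ip-monitoring swings the default route to the second ISP. The embedded excerpt is constructed, and ge-0/0/0 and ge-0/0/1 are assumed to be the two ISP uplinks as in the posted config.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the posted config (not the poster's file): vpn "number2"
# names GW-to-number2 while the gateway is GW-to-number2C, and 11.11.11.11 has no ge-0/0/1 gateway.
SAMPLE = """
security {
    ike {
        gateway GW-to-number1 { address 10.10.10.10; external-interface ge-0/0/0; }
        gateway GW-to-number2C { address 11.11.11.11; external-interface ge-0/0/0; }
        gateway GW-to-number1-1 { address 10.10.10.10; external-interface ge-0/0/1; }
    }
    ipsec {
        vpn number1 { ike { gateway GW-to-number1; } }
        vpn number2 { ike { gateway GW-to-number2; } }
        vpn number1-1 { ike { gateway GW-to-number1-1; } }
    }
}
"""

def parse(text):
    """Junos curly-brace syntax -> nested dicts; leaf statements map to None."""
    stack, pending = [{}], ""
    for tok in re.findall(r"\{|\}|;|[^{};\s][^{};]*", text):
        if tok == "{":                       # open a container named by the pending text
            stack.append(stack[-1].setdefault(pending, {}))
        elif tok == ";":                     # leaf statement
            stack[-1][pending] = None
        elif tok == "}":
            stack.pop()
        else:
            pending = tok.strip()
    return stack[0]

def gateways(cfg):
    """IKE gateway name -> (remote address, external-interface)."""
    out = {}
    for key, body in cfg["security"]["ike"].items():
        if key.startswith("gateway "):
            f = dict(leaf.split(None, 1) for leaf in body if " " in leaf)
            out[key.split()[1]] = (f.get("address"), f.get("external-interface"))
    return out

def undefined_vpn_gateways(cfg):
    """(vpn, gateway) pairs whose gateway is undefined; Junos refuses to commit these."""
    known = gateways(cfg)
    refs = [(k.split()[1], g.split()[1]) for k, b in cfg["security"]["ipsec"].items()
            if k.startswith("vpn ") for g in b["ike"] if g.startswith("gateway ")]
    return [(vpn, gw) for vpn, gw in refs if gw not in known]

def uncovered_peers(cfg, isp_ifaces=("ge-0/0/0", "ge-0/0/1")):
    """Peers with no IKE gateway on some ISP-facing interface, i.e. no failover path."""
    seen = defaultdict(set)
    for addr, iface in gateways(cfg).values():
        seen[addr].add(iface)
    return {p: sorted(set(isp_ifaces) - s) for p, s in seen.items() if set(isp_ifaces) - s}
```

Run it against the full candidate config (paste it into SAMPLE) before the maintenance window; an empty result from both checks is what you want to see.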



  • 23.  RE: SRX VPN Tunnels redundancy with dual ISP

    Posted 07-09-2014 06:49

    Ok.  I can always configure the other tunnels on the head end if it doesn't work.  We will find out next week.