Hi all... I have been trying to create two active IPSec tunnels via two ISPs to another SRX with a single ISP connection. Is this even possible?
        public ip x.x.x.x  st0.0 ------ ISPA ------ st0.0
SRXA                                                     ISPZ (public ip z.z.z.z) ---- SRXB
        public ip y.y.y.y  st0.1 ------ ISPB ------ st0.1
The problem I have is with traffic routing out of SRXA: it has to build two separate IPSec tunnels to a single destination IP address. It is obviously preferring a single egress interface via ISPA to build the IPSec tunnel to SRXB... but is there a way to force traffic out via the other ISP (ISPB) to build the second IPSec tunnel?
I was thinking around source-based routing etc., but it would be for traffic sourced from the SRX itself, and as we are using the same destination address it won't work.
Yes, definitely possible since at least 2011
Thanks, so separate VRFs are required to build the tunnels... This is basically to set up redundancy, so we have two IPSec tunnels always up with BGP running over them, then use BGP for determining which tunnel to use... though with the tunnels and BGP instances being in different VRFs, is this the best way to go?
I agree; as you note, since the remote side has a single IP address you will need to put the second ISP into a virtual-router routing instance so that you can have both tunnels running at the same time.
You can then use logical tunnels to connect that virtual router to your main router and do the routing exchanges and priorities you prefer for the connection usage.
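A sketch of the virtual-router plus logical-tunnel layout described above, written as an added example rather than configuration from anyone in this thread. Addresses, interface names, AS numbers and the IKE-POL / IPSEC-POL policy names are placeholders and assumptions; z.z.z.z stands for the single remote address from the question.

```junos
## Added example, not from the thread: all addresses, names and AS numbers are assumptions.
## ISP A stays in the main instance (inet.0): uplink ge-0/0/1, st0.0, default route via ISP A
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.10/30
set interfaces st0 unit 0 family inet address 10.0.0.0/31
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.9
set routing-options autonomous-system 65001

## ISP B gets its own virtual router so a second default route toward z.z.z.z can coexist
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.10/30
set interfaces st0 unit 1 family inet address 10.0.1.0/31
set routing-instances ISPB-VR instance-type virtual-router
set routing-instances ISPB-VR interface ge-0/0/2.0
set routing-instances ISPB-VR interface st0.1
set routing-instances ISPB-VR interface lt-0/0/0.1
set routing-instances ISPB-VR routing-options static route 0.0.0.0/0 next-hop 198.51.100.9
set routing-instances ISPB-VR routing-options autonomous-system 65003

## Logical tunnel pair: unit 0 lives in inet.0, unit 1 in ISPB-VR, patched back to back
set interfaces lt-0/0/0 unit 0 encapsulation ethernet peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 10.255.0.0/31
set interfaces lt-0/0/0 unit 1 encapsulation ethernet peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.255.0.1/31

## Two IKE gateways to the same peer address, each bound to a different egress interface;
## GW-B's external interface sits in ISPB-VR, so IKE for it is routed from that instance
set security ike gateway GW-A ike-policy IKE-POL address z.z.z.z external-interface ge-0/0/1.0
set security ike gateway GW-B ike-policy IKE-POL address z.z.z.z external-interface ge-0/0/2.0
set security ipsec vpn VPN-A bind-interface st0.0
set security ipsec vpn VPN-A ike gateway GW-A
set security ipsec vpn VPN-A ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-A establish-tunnels immediately
set security ipsec vpn VPN-B bind-interface st0.1
set security ipsec vpn VPN-B ike gateway GW-B
set security ipsec vpn VPN-B ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-B establish-tunnels immediately

## eBGP to SRXB over each tunnel; the VR session presents the main AS so SRXB sees one peer AS
set protocols bgp group TUN-A type external
set protocols bgp group TUN-A neighbor 10.0.0.1 peer-as 65002
set routing-instances ISPB-VR protocols bgp group TUN-B type external
set routing-instances ISPB-VR protocols bgp group TUN-B local-as 65001 no-prepend-global-as
set routing-instances ISPB-VR protocols bgp group TUN-B neighbor 10.0.1.1 peer-as 65002

## eBGP across the lt pair carries tunnel-B routes into inet.0; lower local-pref makes B the backup
set protocols bgp group VR-LINK type external
set protocols bgp group VR-LINK neighbor 10.255.0.1 peer-as 65003
set protocols bgp group VR-LINK local-preference 50
set routing-instances ISPB-VR protocols bgp group VR-LINK type external
set routing-instances ISPB-VR protocols bgp group VR-LINK neighbor 10.255.0.0 peer-as 65001
```

Security zone membership and policies for st0.x, lt-0/0/0.x and the uplinks, and the export policies that advertise your own prefixes over TUN-A and TUN-B, are left out and must be added before this will pass traffic.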