SRX


2 IKE gateways via 2 different ISPs

  • 1.  2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:17

    Hi community,

    Please help me find a solution.

    I have two ISPs, connected via ge-0/0/0 (ISP-1) and ge-0/0/1 (ISP-2), configured static route:

            route 0.0.0.0/0 {
                next-hop <Gateway ISP-2 via ge-0/0/1.0> ;
                qualified-next-hop <Gateway ISP-1 via ge-0/0/0.0> {
                    preference 10;
                }
            }
    

    2 IKE gateways configured to use these 2 interfaces as external interfaces:

            gateway gw-primary {
                ike-policy ike-pol-a;
                address <HUB IP Address>;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                nat-keepalive 10;
                local-identity hostname mo-pvl-pri;
                external-interface ge-0/0/1.0;
            }
            gateway gw-secondary {
                ike-policy ike-pol-a;
                address <HUB IP Address>;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                nat-keepalive 10;
                local-identity hostname mo-pvl-sec;
                external-interface ge-0/0/0.0;
            }
    

    The problem is that the IKE session from gw-secondary goes out through interface ISP-2 via ge-0/0/1.0 as per the static default route, but using the source address of ISP-1 on ge-0/0/0.0.

    Here is session details:

    admin@SRX> show security flow session destination-prefix <HUB IP Address> 
    Session ID: 25, Policy name: self-traffic-policy/1, Timeout: 50, Valid
      In: <ISP-1 IP>/500 --> <HUB IP Address>/500;udp, If: .local..0, Pkts: 6151, Bytes: 3216973
      Out: <HUB IP Address>/500 --> <ISP-1 IP>/500;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    

    How can I make interface ge-0/0/0.0 the egress interface for gateway gw-secondary and keep interface ge-0/0/1.0 as the egress interface for gateway gw-primary?

    Is it really possible?

    Thank you in advance!

    Dmitry.



  • 2.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:30

    How is your VPN set up? Is it P2P or P2M? Is your firewall (two VPNs) configured with the same gateway (remote side)?




  • 3.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:44

    Yes, remote side is one device (HUB) with 2 ISPs.

    The VPN is route based, with many spokes connected to the HUB. All of these spokes have a single ISP. Only one was recently connected with a second ISP due to bad connectivity conditions.




  • 4.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:48
    -------------------------------------------
    Original Message:
    Sent: 12-23-2020 06:43
    From: Unknown User
    Subject: 2 IKE gateways via 2 different ISPs




  • 5.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:58

    Just add a static route (most specific) /32 to the remote site.
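
    As an added illustration, not part of any post in this thread and not Juniper's own configuration, here is what the /32 suggestion looks like in Junos curly-brace syntax next to the poster's existing default route. The addresses are constructed RFC 5737 placeholders (192.0.2.10 for the HUB, 198.51.100.1 for the ISP-1 gateway on ge-0/0/0.0, 203.0.113.1 for the ISP-2 gateway on ge-0/0/1.0) and the routing-instance name ISP1-VR is invented. Because gw-primary and gw-secondary both point at the same HUB address, a single host route can only pin that address to one ISP, so it moves both IKE sessions rather than just gw-secondary. The second part of the example therefore shows the more general approach, which I am assuming from Junos behaviour rather than from this thread: put one external interface into its own virtual-router instance with its own default route, so that each gateway's peer lookup happens in the routing table that owns its external-interface.

```junos
/* Part 1: the host route from the reply above, beside the poster's existing
   default route. Addresses are constructed placeholders (RFC 5737). */
routing-options {
    static {
        route 0.0.0.0/0 {
            /* ISP-2 gateway, reached via ge-0/0/1.0 (preferred, preference 5) */
            next-hop 203.0.113.1;
            /* ISP-1 gateway, reached via ge-0/0/0.0, kept as backup */
            qualified-next-hop 198.51.100.1 {
                preference 10;
            }
        }
        /* Host route for the HUB: every packet to 192.0.2.10, including the
           IKE/ESP of BOTH gateways, now leaves via ISP-1. This fixes
           gw-secondary but pulls gw-primary off ge-0/0/1.0 as well. */
        route 192.0.2.10/32 next-hop 198.51.100.1;
    }
}

/* Part 2 (assumption, not from the thread): give ge-0/0/0.0 its own routing
   table so gw-secondary's lookup for the HUB address is done there, while
   gw-primary keeps using inet.0 and ge-0/0/1.0. Drop the /32 above when
   using this part. ISP1-VR is an invented name. */
routing-instances {
    ISP1-VR {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}

/* The IKE gateways stay as the poster configured them; only the routing
   table each external-interface belongs to changes. */
security {
    ike {
        gateway gw-primary {
            /* lives in inet.0, default route via ISP-2 */
            external-interface ge-0/0/1.0;
        }
        gateway gw-secondary {
            /* lives in ISP1-VR, default route via ISP-1 */
            external-interface ge-0/0/0.0;
        }
    }
}
```

    The interface that moves into ISP1-VR still needs to remain in its security zone with host-inbound-traffic allowing the ike system service, and the st0 tunnel interfaces can stay in inet.0. After committing, show security ike security-associations should list both gateways as UP, and show security flow session destination-prefix 192.0.2.10 should show the Out leg of the gw-secondary session with If: ge-0/0/0.0 and the ISP-1 address as source, instead of the mismatched pairing in the original post.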




  • 6.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 07:14
    -------------------------------------------
    Original Message:
    Sent: 12-23-2020 06:57
    From: Unknown User
    Subject: 2 IKE gateways via 2 different ISPs