Thanks, I thought about this as plan "B" because this does not fully fit. My mistake is I did not show the full config.
Is such a configuration possible? I did not find how to do that.
Original Message:
Sent: 12-23-2020 06:57
From: Unknown User
Subject: 2 IKE gateways via 2 different ISPs
Just add a static route (most specific) /32 to the remote site.
Original Message:
Sent: 12-23-2020 06:43
From: Unknown User
Subject: 2 IKE gateways via 2 different ISPs
Yes, remote side is one device (HUB) with 2 ISPs.
VPN is route based, many spokes connected to the HUB. All these spokes have a single ISP. Only one was recently connected with a second ISP due to bad connectivity conditions.
Original Message:
Sent: 12-23-2020 06:30
From: Unknown User
Subject: 2 IKE gateways via 2 different ISPs
How is your VPN set up? Is it P2P or P2M? Is your firewall (two VPNs) configured with the same gateway (remote side)?
Original Message:
Sent: 12-23-2020 06:16
From: Unknown User
Subject: 2 IKE gateways via 2 different ISPs
Hi community,
Please help me find a solution.
I have two ISPs, connected via ge-0/0/0 (ISP-1) and ge-0/0/1 (ISP-2), and configured a static route:
route 0.0.0.0/0 {
    next-hop <Gateway ISP-2 via ge-0/0/1.0>;
    qualified-next-hop <Gateway ISP-1 via ge-0/0/0.0> {
        preference 10;
    }
}
2 IKE gateways configured to use these 2 interfaces as external interfaces:
gateway gw-primary {
    ike-policy ike-pol-a;
    address <HUB IP Address>;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    nat-keepalive 10;
    local-identity hostname mo-pvl-pri;
    external-interface ge-0/0/1.0;
}
gateway gw-secondary {
    ike-policy ike-pol-a;
    address <HUB IP Address>;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    nat-keepalive 10;
    local-identity hostname mo-pvl-sec;
    external-interface ge-0/0/0.0;
}
The problem is that the IKE session from gw-secondary goes out through the ISP-2 interface ge-0/0/1.0, as per the static default route, but using the source address of ISP-1 on ge-0/0/0.0.
Here are the session details:
admin@SRX> show security flow session destination-prefix <HUB IP Address>
Session ID: 25, Policy name: self-traffic-policy/1, Timeout: 50, Valid
  In: <ISP-1 IP>/500 --> <HUB IP Address>/500;udp, If: .local..0, Pkts: 6151, Bytes: 3216973
  Out: <HUB IP Address>/500 --> <ISP-1 IP>/500;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
How can I make interface ge-0/0/0.0 the egress interface for gateway gw-secondary and keep interface ge-0/0/1.0 as the egress interface for gateway gw-primary?
Is it really possible?
Thank you in advance!
Dmitry.
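Added example, not from the thread and not Junos code: a small Python model of the destination-only longest-prefix-match lookup that the static routes in the original post perform, including the qualified-next-hop preference. It reproduces the session shown above (IKE for gw-secondary sourced from the ISP-1 address but forwarded out ge-0/0/1.0), then applies the /32 host route suggested in the reply. Because both gateways point at the same HUB address, the /32 moves both of them to ge-0/0/0.0, so the source/egress mismatch shifts to gw-primary instead of disappearing; a link-down case shows the qualified-next-hop taking over. The addresses, `HUB`, `ISP1_GW`, `ISP2_GW`, and all helper functions are constructed placeholders.

```python
# Added example, not from the thread: a model of destination-based
# longest-prefix-match routing with Junos-style qualified-next-hop preference,
# used to show why both IKE gateways leave through the same interface and what
# a /32 host route to the HUB changes. All addresses are constructed placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass
class NextHop:
    gateway: str
    interface: str
    preference: int = 5  # Junos default preference for static routes


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hops: list


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, prefix, *next_hops):
        self.routes.append(Route(ipaddress.ip_network(prefix), list(next_hops)))

    def lookup(self, dst, down=frozenset()):
        """Longest-prefix match on the destination only. The packet's source
        address plays no part, which is why IKE sourced from the ISP-1 address
        can still be forwarded out of ge-0/0/1.0. Next hops on interfaces in
        `down` are skipped, which is how the qualified-next-hop takes over."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        usable = [nh for nh in best.next_hops if nh.interface not in down]
        return min(usable, key=lambda nh: nh.preference) if usable else None


# Constructed placeholders standing in for the thread's <HUB IP Address>,
# <Gateway ISP-1> and <Gateway ISP-2>.
HUB = "203.0.113.10"
ISP1_GW = "198.51.100.1"
ISP2_GW = "192.0.2.1"

# external-interface of each IKE gateway, as in the original post
GATEWAYS = {"gw-primary": "ge-0/0/1.0", "gw-secondary": "ge-0/0/0.0"}


def base_table():
    """The static default route from the post: ISP-2 is the active next hop,
    ISP-1 is the qualified-next-hop with the worse preference 10."""
    table = RoutingTable()
    table.add("0.0.0.0/0",
              NextHop(ISP2_GW, "ge-0/0/1.0"),
              NextHop(ISP1_GW, "ge-0/0/0.0", preference=10))
    return table


def with_host_route(table):
    """The fix suggested in the reply: a most-specific /32 to the HUB via ISP-1."""
    table.add(f"{HUB}/32", NextHop(ISP1_GW, "ge-0/0/0.0"))
    return table


def ike_egress(table, down=frozenset()):
    """Map each gateway to (source interface, forwarding interface). The source
    is fixed by external-interface; the egress comes from the route lookup."""
    nh = table.lookup(HUB, down)
    return {name: (ext_if, nh.interface if nh else None)
            for name, ext_if in GATEWAYS.items()}


def mismatched(table, down=frozenset()):
    """Gateways whose IKE packets leave through a different interface than
    the one their source address belongs to."""
    return sorted(n for n, (src, out) in ike_egress(table, down).items() if src != out)


if __name__ == "__main__":
    print("default route only:", mismatched(base_table()))                      # ['gw-secondary']
    print("with /32 to HUB:   ", mismatched(with_host_route(base_table())))     # ['gw-primary']
    print("ISP-2 link down:   ", mismatched(base_table(), down={"ge-0/0/1.0"}))  # ['gw-primary']
```

The model only does what the forwarding table does: pick a next hop from the destination address. Since both gateways share one destination, any static route, default or /32, selects one interface for both of them, which is the limit of the static-route approach for this topology.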