SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:17

    Hi community,

    Please help me find a solution.

    I have two ISPs, connected via ge-0/0/0 (ISP-1) and ge-0/0/1 (ISP-2), configured static route:

            route 0.0.0.0/0 {
                next-hop <Gateway ISP-2 via ge-0/0/1.0>;
                qualified-next-hop <Gateway ISP-1 via ge-0/0/0.0> {
                    preference 10;
                }
            }
    

    2 IKE gateways are configured to use these 2 interfaces as external interfaces:

            gateway gw-primary {
                ike-policy ike-pol-a;
                address <HUB IP Address>;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                nat-keepalive 10;
                local-identity hostname mo-pvl-pri;
                external-interface ge-0/0/1.0;
            }
            gateway gw-secondary {
                ike-policy ike-pol-a;
                address <HUB IP Address>;
                dead-peer-detection {
                    interval 10;
                    threshold 5;
                }
                nat-keepalive 10;
                local-identity hostname mo-pvl-sec;
                external-interface ge-0/0/0.0;
            }
    

    The problem is that the IKE session from gw-secondary goes out through the ISP-2 interface ge-0/0/1.0, as per the static default route, but uses the source address of the ISP-1 interface ge-0/0/0.0.

    Here is session details:

    admin@SRX> show security flow session destination-prefix <HUB IP Address>
    Session ID: 25, Policy name: self-traffic-policy/1, Timeout: 50, Valid
      In: <ISP-1 IP>/500 --> <HUB IP Address>/500;udp, If: .local..0, Pkts: 6151, Bytes: 3216973
      Out: <HUB IP Address>/500 --> <ISP-1 IP>/500;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
    

    How can I make interface ge-0/0/0.0 the egress interface for gateway gw-secondary while keeping interface ge-0/0/1.0 as the egress interface for gateway gw-primary?

    Is it really possible?

    Thank you in advance!

    Dmitry.



  • 2.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:30

    How is your VPN set up? Is it P2P or P2M? Is your firewall (two VPNs) configured with the same gateway (remote side)?




  • 3.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:44

    Yes, remote side is one device (HUB) with 2 ISPs.

    The VPN is route based, with many spokes connected to the HUB. All these spokes have a single ISP. Only one was recently connected with a second ISP due to bad connectivity conditions.




  • 4.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:48

    You may simply add a /32 static route for the 'gw-secondary' Hub IP via ge-0/0/0.




  • 5.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 06:58

    Just add a static route (most specific, /32) to the remote site.




  • 6.  RE: 2 IKE gateways via 2 different ISPs

    Posted 12-23-2020 07:14

    Thanks, I thought about this as plan "B" because it does not fully fit. My mistake is that I did not show the full config.

    Actually I have 4 gateways:

    gw-primary (to remote ISP-1 via local ISP-1)

    gw-secondary (to remote ISP-2 via local ISP-1)

    gw-secondary2 (to remote ISP-1 via local ISP-2)

    gw-secondary3 (to remote ISP-2 via local ISP-2)

    I wanted to build something like a full mesh, each to each.

    If I add a /32 static route to the remote site, some pair of gateways will not work...

    Is such a configuration possible? I did not find how to do that.
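An added model of the routing constraint behind the last reply, not code from the thread or from Juniper: it replays a destination-only route lookup (longest prefix, then lowest preference) against the four gateways and shows that both the default route and the suggested /32 host routes leave only two of the four gateways egressing on their configured external-interface. The HUB addresses are constructed documentation-range values, and the gateway-to-interface mapping follows the last reply.

```python
import ipaddress
# Constructed sample data, not values from the thread: documentation-range
# addresses stand in for the HUB's two public IPs.
HUB_ISP1 = "198.51.100.1"
HUB_ISP2 = "203.0.113.1"

# Local interfaces as in the original post: ge-0/0/0.0 = ISP-1, ge-0/0/1.0 = ISP-2.
# Gateway list follows the last reply: (name, external-interface, remote HUB IP).
GATEWAYS = [
    ("gw-primary",    "ge-0/0/0.0", HUB_ISP1),
    ("gw-secondary",  "ge-0/0/0.0", HUB_ISP2),
    ("gw-secondary2", "ge-0/0/1.0", HUB_ISP1),
    ("gw-secondary3", "ge-0/0/1.0", HUB_ISP2),
]

# Static default from the original post as (prefix, iface, preference): ISP-2 at
# Junos static preference 5, qualified-next-hop via ISP-1 demoted to preference 10.
DEFAULT_ROUTES = [
    ("0.0.0.0/0", "ge-0/0/1.0", 5),
    ("0.0.0.0/0", "ge-0/0/0.0", 10),
]

# Replies 4 and 5: one /32 host route per HUB address (one possible split).
HOST_ROUTES = DEFAULT_ROUTES + [
    (HUB_ISP1 + "/32", "ge-0/0/0.0", 5),
    (HUB_ISP2 + "/32", "ge-0/0/1.0", 5),
]


def egress_interface(routes, dst):
    """Destination-only lookup: longest prefix wins, then lowest preference."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, pref)
               for p, iface, pref in routes if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: (m[0].prefixlen, -m[2]))[1]


def consistent_gateways(routes, gateways=GATEWAYS):
    """Gateways whose external-interface equals the interface the lookup picks
    for their HUB address; only these source IKE from the intended ISP."""
    return sorted(name for name, ext_if, hub in gateways
                  if egress_interface(routes, hub) == ext_if)


def upper_bound(gateways=GATEWAYS):
    """Destination-only routing can satisfy at most one gateway per distinct
    HUB address, however many static routes are added."""
    return len({hub for _, _, hub in gateways})
```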