Branch connect via IPsec on MX - redundancy needed

  • 1.  Branch connect via IPsec on MX - redundancy needed

    Posted 05-10-2020 08:20

    I have one HQ which is designed as DC and DR for geo-location redundancy. I would like to connect all branches to both DC and DR. I need your suggestions while doing the solution design.


    1. I would create two IPsec tunnels on the router. The remote IP will be the IP address of the destination MX router. I have an idea of doing Active/Active or Active/Standby tunnels.


    In case of Active/Active, if I have many subnets from the source, can I write a rule to select some traffic to go through tunnel 1 and other traffic to go through tunnel 2? Any idea for load sharing traffic across both tunnels?


    In case of Active/Standby, I will use RPM to detect the destination IP. If the primary tunnel is unreachable, traffic will be forwarded through the secondary tunnel.


    2. If I have 1000+ branches, I don't want to manually create IPsec tunnels. Any idea for this? Can Auto VPN be used instead of configuring them manually?


    Anyway, thank you for your suggestions and for sharing your ideas!

  • 2.  RE: Branch connect via IPsec on MX - redundancy needed
    Best Answer

    Posted 05-10-2020 15:07

    I suggest you create active/active tunnels, then use BGP across the route-based tunnels to steer the traffic using local preference in your policies. Then failover will automatically occur when the primary tunnel is lost for any reason, as the BGP peer will also drop and the backup routes will take over.

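    A branch-side Junos sketch of the design in the best answer, added here as an illustration and not taken from the original post: two eBGP sessions, one over each tunnel, with import policies that give DC-learned routes a higher local preference than DR-learned routes, and BFD on both sessions so the peer drops within about a second instead of waiting for the 90-second BGP hold timer. The hub AS numbers, tunnel far-end addresses and the branch LAN prefix are assumed placeholders.

    ```junos
    policy-options {
        /* Routes learned over the DC tunnel win best-path selection */
        policy-statement PREFER-DC {
            term bgp-routes {
                from protocol bgp;
                then {
                    local-preference 200;
                    accept;
                }
            }
        }
        /* Same routes via DR are installed but only used when DC is gone */
        policy-statement PREFER-DR {
            term bgp-routes {
                from protocol bgp;
                then {
                    local-preference 100;
                    accept;
                }
            }
        }
        /* Advertise only the branch LAN (assumed prefix) to both hubs */
        policy-statement ADVERTISE-LAN {
            term lan {
                from {
                    protocol direct;
                    route-filter 192.0.2.0/24 exact;
                }
                then accept;
            }
            then reject;
        }
    }
    protocols {
        bgp {
            group HUB-DC {
                type external;
                peer-as 65001;
                import PREFER-DC;
                export ADVERTISE-LAN;
                /* Tunnel 1 far end (assumed address) */
                neighbor 10.255.1.1 {
                    bfd-liveness-detection {
                        minimum-interval 300;
                        multiplier 3;
                    }
                }
            }
            group HUB-DR {
                type external;
                peer-as 65002;
                import PREFER-DR;
                export ADVERTISE-LAN;
                /* Tunnel 2 far end (assumed address) */
                neighbor 10.255.2.1 {
                    bfd-liveness-detection {
                        minimum-interval 300;
                        multiplier 3;
                    }
                }
            }
        }
    }
    ```

    The hub side needs a matching export/local-preference scheme so return traffic prefers the same tunnel, otherwise flows become asymmetric across DC and DR.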

  • 3.  RE: Branch connect via IPsec on MX - redundancy needed

    Posted 05-11-2020 13:56

    The first thing you want to do is set up dynamic VPN on the MX router using RSA signatures for authentication. Whether you have one, ten, or one thousand branch offices, you only need to define a single gateway in your IPsec configuration.


    See the sample below (I had to mask some items since they are named after my customers).


    First, the IPSec policies



    The access profile



    Tunnel interface



    Trusted CA



    The key here is that you have to have a private Certificate Authority (Windows 2016/2020 Server can be configured as one) so you can hand out digital certificates like candy to your routers.


    The one I have is for three hub MX routers with 25 branches (each branch has at least two MX peers, and it can be scaled to three if need be). If I need to add 10 more, all I need to add to my config is the proxy pair pertinent to those new branches. You get the point.


    The BGP configuration is the easy part. Each branch would have two BGP peers, and you can prefer one over the other via some routing policies.