I have one HQ which is designed as DC and DR for geo-location redundancy. I would like to connect all branches to both DC and DR. I need your suggestions while doing the solution design.
1. I would create two IPsec tunnels on the router. The remote IP will be an IP address of the destined MX router. I have an idea of doing Active/Active or Active/Standby tunnels.
In case of Active/Active, if I have many subnets from the source, can I write a rule to select some traffic to go through tunnel 1 and other traffic to go through tunnel 2? Any idea for load sharing traffic on both tunnels?
In case of Active/Standby, I will use RPM for detection of the destined IP. If the primary tunnel is unreachable, traffic will be forwarded through the secondary tunnel.
2. If I have 1000+ branches, I don't want to manually create IPsec tunnels. Any idea for this? Can Auto VPN be used instead of manual configuration?
Anyway, thank you for your suggestions and sharing your ideas!
I suggest you create active/active tunnels, then use BGP across the route-based tunnels to steer the traffic using local preference in your policies. Failover will then occur automatically when the primary tunnel is lost for any reason, as the BGP peer will also drop and the backup routes will take over.
The first thing you want to do is set up dynamic VPN on the MX router using RSA signatures for authentication. Whether you have one, ten, or one thousand branch offices, you only need to define a single gateway in your IPsec configuration.
See the sample below (I had to mask some items since they are named after my customers).
First, the IPSec policies
The access profile
The key here is that you have to have a private Certificate Authority (Windows 2016/2020 Server can be configured as one) so you can hand out digital certificates like candy to your routers.
The one I have is for three hub MX routers with 25 branches (each branch has at least two MX peers, and can be scaled to three if need be). If I need to add 10 more, all I need to add to my config is the proxy-pair pertinent to those new branches. You get the point.
The BGP configuration is the easy part. Each branch would have two BGP peers, and you can prefer one over the other via some routing policies.
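As an added illustration of the local-preference steering described in this answer (not the poster's masked configuration), here is a constructed Junos branch-side BGP fragment: one eBGP session to the DC hub and one to the DR hub, with import policies that prefer the DC tunnel for one set of subnets and the DR tunnel for everything else, so both tunnels carry traffic while BGP session loss on either side shifts all prefixes to the surviving peer. All addresses, AS numbers, prefixes and policy names are assumed values.

```junos
/* Branch router. Constructed example: 192.0.2.1 = DC hub tunnel address,
   192.0.2.2 = DR hub tunnel address, AS 65000 = hub AS, 10.10.0.0/16 =
   subnets that should normally use the DC tunnel. */
policy-options {
    prefix-list DC-PREFERRED {
        10.10.0.0/16;
    }
    policy-statement FROM-DC {
        /* DC-preferred subnets win via the DC peer, the rest are backup here */
        term dc-preferred {
            from prefix-list-filter DC-PREFERRED orlonger;
            then { local-preference 200; accept; }
        }
        term others {
            then { local-preference 100; accept; }
        }
    }
    policy-statement FROM-DR {
        /* Mirror image: everything not DC-preferred wins via the DR peer */
        term dc-preferred {
            from prefix-list-filter DC-PREFERRED orlonger;
            then { local-preference 100; accept; }
        }
        term others {
            then { local-preference 200; accept; }
        }
    }
}
protocols {
    bgp {
        group HUBS {
            type external;
            hold-time 30;   /* shorter hold so a dead tunnel is detected quickly */
            bfd-liveness-detection {
                minimum-interval 1000;   /* sub-hold-time liveness check over the tunnel */
            }
            neighbor 192.0.2.1 {
                description DC-HUB;
                peer-as 65000;
                import FROM-DC;
            }
            neighbor 192.0.2.2 {
                description DR-HUB;
                peer-as 65000;
                import FROM-DR;
            }
        }
    }
}
```

Because both hubs advertise the same prefixes, the higher local preference selects the active tunnel per subnet; when a session drops, its routes are withdrawn and the lower-preference copies from the other hub become active without any RPM or static-route tracking.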