SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 24 days ago

    Hi all,

    May I know whether the SRX has a feature to aggregate/bundle IPsec VPN tunnels, the same as FortiGate in the URL below? If it can, I would appreciate it if someone could share a URL that I can refer to. Thanks, and I appreciate any help.

    https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/779544/ipsec-aggregate-for-redundancy-and-traffic-load-balancing



  • 2.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 24 days ago

    No, I don't think so ... :-(

    You can do dynamic routing or maybe even AppQoE (https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-appqoe.html), but it's not as clean and simple as aggregate VPN tunnels... Sigh...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 24 days ago

    Hi Nikolay,

    Noted. Thanks for your feedback. Looks like I need to propose Fortinet due to that feature.




  • 4.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 23 days ago

    It is quite easy to implement ECMP over IPsec too, so no need to go to Fortinet for that. ECMP over OSPF or BGP is commonplace and guides are available. If the goal here is to have a check box in the GUI to enable load sharing, go with Forti. If you want robust and configurable routing, go with Juniper.

    B.t.w., Fortinet's guide you point to will give you a tunnel with IKE v1 in aggressive mode and DH group 14. That's not secure. You need to tweak the commands to bump up security. IKE v1 and DH14 are the default (in 7.6.3), so easily overlooked, but why configure aggressive mode in a guide???




  • 5.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 23 days ago

    Hi @fb35523,

    Are you referring to this URL: https://supportportal.juniper.net/s/article/SRX-How-to-configure-IPsec-VPN-to-work-with-ECMP-Route-based?language=en_US ?

    Thanks




  • 6.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 23 days ago

    Hi!

    That is one option and an easy one. I must say, (to my "proxied" embarrassment on Juniper's behalf) that the cryptos in that guide are way worse than in the Forti one :) Well, that's not the main topic and as you can see, there is very little extra config involved to get ECMP working. If you don't want to run BGP or OSPF (or ISIS) in the whole network, you can do it only on the IPsec links and advertise whatever routes you need on them.

    I hope this helps! /Fredrik
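
Posts 4 and 6 both warn that vendor guides ship weak IKE settings (IKEv1, aggressive mode, DH group 14) that are easy to copy along with the ECMP configuration. The following is an added example, not part of the thread and not Juniper's code: a small audit of Junos `set security ike` lines for those three settings. The object names, the sample configuration and the set of accepted DH groups are assumptions made for this example.

```python
import re

# Assumption for this example: DH groups treated as acceptable. Group 14 is
# excluded to follow the stance taken in the thread; adjust to local policy.
ACCEPTED_DH_GROUPS = {15, 16, 19, 20, 21}

SET_IKE = re.compile(r"^set security ike (proposal|policy|gateway) (\S+) (.+)$")

def audit_ike(config_text):
    """Return sorted (object, name, finding) tuples for weak IKE settings."""
    findings = set()
    gateways = {}  # gateway name -> True once 'version v2-only' is seen
    for line in config_text.splitlines():
        m = SET_IKE.match(line.strip())
        if not m:
            continue
        kind, name, rest = m.groups()
        if kind == "gateway":
            gateways[name] = gateways.get(name, False) or rest == "version v2-only"
        elif kind == "policy" and rest == "mode aggressive":
            findings.add(("policy", name, "aggressive mode"))
        elif kind == "proposal" and rest.startswith("dh-group group"):
            group = rest[len("dh-group group"):]
            if not group.isdigit() or int(group) not in ACCEPTED_DH_GROUPS:
                findings.add(("proposal", name, f"dh-group group{group}"))
    # Junos negotiates IKEv1 for a gateway unless 'version v2-only' is set,
    # so a missing statement is itself a finding.
    for name, v2_only in gateways.items():
        if not v2_only:
            findings.add(("gateway", name, "IKEv1 (no version v2-only)"))
    return sorted(findings)

# Constructed sample: two gateways toward the same site, as in an ECMP setup.
SAMPLE = """\
set security ike proposal P1 dh-group group14
set security ike proposal P1 encryption-algorithm aes-128-cbc
set security ike policy POL1 mode aggressive
set security ike policy POL1 proposals P1
set security ike gateway GW-A ike-policy POL1
set security ike gateway GW-A external-interface ge-0/0/0.0
set security ike proposal P2 dh-group group20
set security ike policy POL2 proposals P2
set security ike gateway GW-B ike-policy POL2
set security ike gateway GW-B version v2-only
"""

if __name__ == "__main__":
    for finding in audit_ike(SAMPLE):
        print(*finding, sep=": ")
```

The input is the output of `show configuration | display set`; policies that use a predefined `proposal-set` instead of named proposals are not inspected by this sketch.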




  • 7.  RE: Does SRX support bundle/aggregate IPSEC VPN Tunnel?

    Posted 23 days ago

    Hi @fb35523,

    Noted. Thanks for your feedback