Hi all,
I am new to this forum, so excuse me if I make some typing errors.
Before asking the question, some information on what I want to achieve.
There are multiple locations, Location A and Location B. Also there are more than two locations.
Location A has an SSG 5
Location B has an SSG 140
The SSG 5 has three network connections
- Untrust (Public IP)
- Trust (Local network) (192.168.20.x)
- DMZ (Private network that connects all locations with each other)
The SSG 140 has four network connections
- Untrust (Public IP)
- Trust (Local network) (192.168.30.x)
- DMZ1 (Private network that connects all locations with each other)
- DMZ2 (Network with some servers)
All locations are in the 192.168.0.0/16 range.
So this situation works fine.
If a computer in Location A (with the SSG 5) wants to reach a computer in Location B, it goes out via the DMZ.
At Location B the packets enter via DMZ1, and it all works perfectly.
Now the rather difficult part, a little bit hard to explain, but I'll try.
I need to make a VPN that does exactly the same as the DMZ on the SSG 5 and DMZ1 on the SSG 140.
Simply said, both connections (the DMZ and the VPN via Untrust over the Internet) have to be active and traffic has to be separated. High-priority traffic always has to go via the DMZ (like Citrix and DHCP); lower-priority traffic must go via the newly created VPN.
It also has to fail over if a connection fails.
- If the Internet fails, the VPN fails, so traffic always has to go via the DMZ from Location A to another location.
The first configuration I tried was adding a numbered interface at both endpoints and creating the VPN; somehow, I'm not exactly sure why, it didn't work out that way and all packets via the VPN over the Internet had an AGE OUT.
The VPN interfaces I created were all in the custom created VPN zone.
Since it didn't work out, I tried another way.
I deleted the VPN zone and the interfaces. The next thing I did was bind the newly created VPN to the Untrust interface.
Without a tunnel interface, and bound to the Untrust interface, it began to work.
I created a bidirectional policy and added destination hosts that were not allowed to use that connection.
The destination routing says this:
192.168.0.0/16 prio 30 to DMZ
192.168.20.0/24 prio 20 to (GLOBAL IP SSG 140)
This works and both lines are active.
The problem:
Since the tunnel is not over an interface but bound to the Untrust interface, the Juniper never knows when to deactivate the destination route to the (GLOBAL IP SSG 140).
If this were a tunnel.1, then the routing table would look different and the SSG could deactivate that destination, because the routing table would look like this:
192.168.20.0/24 prio 20 to tunnel.1
Is there any way to separate traffic between the DMZ and a tunnel.1 interface and keep both interfaces active?
The routing never fails over the way I implemented this situation.
The routing destinations on the VPN over the Internet must be deactivated the moment the line goes down.
Thanks in advance!
#active#vpn#Separate
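Added example (not part of the original post, and not the poster's configuration): a ScreenOS CLI fragment for the SSG 5 side at Location A showing the route-based layout the post asks about. The VPN is bound to tunnel.1, VPN monitor is enabled so that tunnel.1 goes down when the tunnel over the Internet fails, and the destination routes are laid out so that the DMZ aggregate is always the fallback while selected hosts (the Citrix and DHCP servers) never leave the DMZ path. Interface names, addresses, next hops, gateway and VPN names and the preshared key are all assumptions; lines beginning with # are annotations, not CLI commands.

```text
# Assumed on the SSG 5 at Location A:
#   ethernet0/0 = Untrust (public IP)
#   bgroup0     = Trust, 192.168.20.0/24
#   ethernet0/2 = DMZ, private inter-site network, next hop 10.0.0.2
# Assumed for Location B:
#   SSG 140 public address 203.0.113.2, Trust 192.168.30.0/24 (gateway .1)
#   Citrix and DHCP servers at 192.168.30.10 and 192.168.30.11

# 1. Custom zone and an unnumbered tunnel interface (borrows the Untrust address)
set zone name VPN
set zone VPN vrouter trust-vr
set interface tunnel.1 zone VPN
set interface tunnel.1 ip unnumbered interface ethernet0/0

# 2. IKE gateway and a route-based VPN bound to tunnel.1
set ike gateway gw-siteB address 203.0.113.2 Main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn vpn-siteB gateway gw-siteB no-replay tunnel idletime 0 sec-level standard
set vpn vpn-siteB bind interface tunnel.1
set vpn vpn-siteB proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any

# 3. VPN monitor: ICMP probes through the tunnel. After <threshold> missed
#    probes the SA is marked down, tunnel.1 goes down, and every route that
#    points at tunnel.1 becomes inactive. That is the failover the post wants.
set vpnmonitor interval 10
set vpnmonitor threshold 3
set vpn vpn-siteB monitor source-interface bgroup0 destination-ip 192.168.30.1 optimized rekey

# 4. Destination routes in trust-vr. Longest prefix match decides:
#    - aggregate for all sites via the DMZ, always present, the fallback
set route 192.168.0.0/16 interface ethernet0/2 gateway 10.0.0.2
#    - Location B's LAN via the tunnel; more specific than the /16, so it wins
#      while tunnel.1 is up, and drops out of the table when tunnel.1 is down
set route 192.168.30.0/24 interface tunnel.1
#    - hosts that must never use the Internet path: /32 routes via the DMZ,
#      more specific than the /24, so they stay on the DMZ in both states
set route 192.168.30.10/32 interface ethernet0/2 gateway 10.0.0.2
set route 192.168.30.11/32 interface ethernet0/2 gateway 10.0.0.2

# 5. Policies between Trust and the VPN zone (tighten to real services as needed)
set policy from Trust to VPN any any any permit
set policy from VPN to Trust any any any permit
```

The SSG 140 at Location B needs the mirror image (its own tunnel.1, the VPN bound to it with VPN monitor, 192.168.20.0/24 via tunnel.1 and the /16 aggregate via DMZ1), otherwise return traffic takes a different path from the forward traffic. The separation here is by destination prefix, the same approach the post describes with its excluded destination hosts; it does not classify by application. With both routes present, `get route` shows the tunnel.1 route as active only while VPN monitor reports the tunnel up, which is the behaviour the post could not get from a VPN bound directly to the Untrust interface.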