We have two separate networks with SRXes on both sides (router, firewall, and site-to-site VPN).
On one side (Site A), we have two ISPs (BGP), and currently the VPN is set up to the IP address of one of our ISPs (ISP1). But if the ISP1 line should go down, our VPN also goes down. Is there a way to automatically change the VPN tunnel IP address to the IP of the second ISP (ISP2) in the event that ISP1 should go down? Or is that a stupid way to do it?
Is it perhaps better to set up a 2nd VPN tunnel to the ISP2 IP address? If so, how can I automatically start the 2nd VPN if the 1st fails?
Map:
PS: Site A has its own AS and IP series, and uses BGP to route traffic to/from the two ISPs.
UPDATE 1:
I have some clarifications, and also some new information (to further complicate things).
1) Site A has only one SRX, with each ISP on a separate port.
ge-0/0/4 = isp1
ge-0/0/3 = isp2
Today the site-to-site VPN st0 (using IP range 192.168.21.0/30 on the VPN) uses only ISP1, but I would like to have ISP2 as a backup.
2) Site B actually only has one ISP, but they have given us 2 different IP addresses. One of the addresses uses a special routing to their upstream provider (but only that network!), whereas the other IP address uses BGP and will use whatever routing upstream works. So we have:
vlan.12 ip address 1) 6.6.6.6/29 (the one we use today)
vlan.12 ip address 2) 5.5.5.5/29 (another ip we also want to use).
So, the IP 6.6.6.6 gives us very fast speeds between the offices, as the route goes to the shortest path. But it is limited to one provider, so the chance that it goes down is quite high. IP 5.5.5.5 is quite a bit slower, but is more robust to faults between the two networks.
In the image above, you can see in red where the site-to-site VPN goes today. So in the end I would like to have redundancy so that all 4 combinations should work:
- WAN1 – WAN-A
- WAN1 – WAN-B
- WAN2 – WAN-A
- WAN2 – WAN-B
Note A: vlan.12 is just a VLAN that could easily have been a port such as ge-0/0/2; I have just set up the VLAN to be able to use other physical ports on the SRX just in case.
Note B: Site B only uses one physical port to one and the same ISP, but uses two different IP addresses.
Thanks again for the help so far. I will set up a service window to test some of these things soon.
UPDATE 2:
BGP setup on Site A:
protocols {
    bgp {
        group bgp-ISP2 {
            preference 290;
            local-address 8.8.8.9;
            log-updown;
            import import-bgp-ISP2;
            authentication-key "somekey"; ## SECRET-DATA
            peer-as <ASNUMBER>;
            neighbor 8.9.7.6 {
                export export-bgp-ISP2;
            }
        }
        group bgp-ISP1 {
            preference 250;
            local-address 7.7.7.8;
            log-updown;
            import import-bgp-ISP1;
            authentication-key "somekey"; ## SECRET-DATA
            peer-as <ASNUMBER>;
            neighbor 7.8.9.1 {
                export export-bgp-ISP1;
            }
        }
    }
}
Best Answer
Junos does have DPD, and you can use it in conjunction with multiple endpoint IP addresses in a single IKE tunnel.
There is a bit of info about it here (which I've copied below):
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29211&actp=RSS
SUMMARY: This article explains how redundancy in site-to-site VPN can be achieved using multiple addresses in the gateway and dead-peer-detection.
PROBLEM OR GOAL: How to use different modes of dead-peer-detection for VPN failover.
CAUSE:
SOLUTION: The gateway for VPN redundancy can be configured with the following commands:
The first address in the order of configuration is the one chosen to negotiate the tunnel:
The above configuration is in dead-peer-detection optimal mode. It sends probes if packets were sent out (encrypted packets) but no packets were received (decrypted) for the configured interval. Three probe packets are sent at 10 second intervals.
As soon as the tunnel drops, dead-peer-detection comes into play. If a response is not received from the peer in 30 seconds, the failover takes place and the tunnel is negotiated with 3.3.3.1, and vice versa.
Always-Send mode for dead-peer-detection:
In order to instruct the device to send dead-peer-detection requests, regardless of whether or not there is outgoing IPSec traffic to the peer, the following command is also needed:
UPDATE
I have configured this in a test lab and confirm that it works well. I have 3 devices: S3, S4 and S5.
S4 and S5 both have a basic IPsec tunnel configured to connect to S3 (7.7.7.22 in my example). The config is dead simple and the same on both devices.
The device S3 has a config that is very similar to the above, but has 2 gateways listed and DPD enabled.
The relevant section is in the IKE config:
This brings up the tunnel as such:
If I deactivate the IKE/IPsec config sections on S4, the tunnel drops and then comes back up connected to the 2nd gateway.
Then after about 30 seconds (10 x 3):
If you need any help post some config snippets and I'll do my best to have a look!
UPDATE 2
I have built this whole thing in a mini lab. The problem I have found is that while you can use multiple gateways in your IKE configuration, you will still need to have an IPsec tunnel per ISP on each device. This is because you have multiple source IP addresses you want to potentially make an IPsec tunnel from.
To save me posting a lot of config, each SRX (A and B) has two IPsec tunnels configured as shown below. The things to note are that I'm using a single tunnel interface on each device, and these are set to multipoint. You could use multiple ones if you wanted.
This config will provide full redundancy if a single ISP at site A and/or site B goes down.
I tested this by dropping the link between SRX-A and SRX-1 and then dropping SRX-B and SRX-4. Due to me using BGP and DPD it took just over a minute for the tunnel to come back up, but it worked well!
Hopefully this will ultimately help you sort out your config!
SRX-A IPSEC Config
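Since the answer's config snippets did not survive on this page, here is an added example (not the asker's, the answerer's, or the KB article's own configuration) of how the two pieces of the answer fit together on the Site A SRX: one IKE gateway per local ISP, each gateway listing both Site B addresses so DPD can fail over between them, and both IPsec VPNs bound to a single multipoint st0 unit. The interfaces ge-0/0/4 (ISP1) and ge-0/0/3 (ISP2), the peer addresses 6.6.6.6 and 5.5.5.5 and the 192.168.21.0/30 tunnel range come from the question; the object names, the pre-shared key placeholder, the Site B LAN prefix placeholder and the choice of 192.168.21.1 as the Site A end of the /30 are assumptions.

```junos
## Added example for the Site A SRX; not config posted by the asker or answerer.
## ISP1 on ge-0/0/4, ISP2 on ge-0/0/3, Site B reachable at 6.6.6.6 and 5.5.5.5
## (all from the question). Names and placeholders below are assumptions.

## One IKE policy shared by both gateways
set security ike policy IKE-POL-SITEB mode main
set security ike policy IKE-POL-SITEB proposal-set standard
set security ike policy IKE-POL-SITEB pre-shared-key ascii-text "<PSK-PLACEHOLDER>"

## Gateway sourced from ISP1. The first address listed is tried first.
## DPD probes every 10 s and declares the peer dead after 3 misses (about 30 s),
## after which IKE renegotiates with the next address in the list.
## always-send keeps probing even when no traffic flows, so an idle tunnel
## is still monitored.
set security ike gateway GW-SITEB-ISP1 ike-policy IKE-POL-SITEB
set security ike gateway GW-SITEB-ISP1 address 6.6.6.6
set security ike gateway GW-SITEB-ISP1 address 5.5.5.5
set security ike gateway GW-SITEB-ISP1 dead-peer-detection always-send
set security ike gateway GW-SITEB-ISP1 dead-peer-detection interval 10
set security ike gateway GW-SITEB-ISP1 dead-peer-detection threshold 3
set security ike gateway GW-SITEB-ISP1 external-interface ge-0/0/4

## Same peer list sourced from ISP2: this is the second IPsec tunnel per
## local ISP that the answer's UPDATE 2 says is still required.
set security ike gateway GW-SITEB-ISP2 ike-policy IKE-POL-SITEB
set security ike gateway GW-SITEB-ISP2 address 6.6.6.6
set security ike gateway GW-SITEB-ISP2 address 5.5.5.5
set security ike gateway GW-SITEB-ISP2 dead-peer-detection always-send
set security ike gateway GW-SITEB-ISP2 dead-peer-detection interval 10
set security ike gateway GW-SITEB-ISP2 dead-peer-detection threshold 3
set security ike gateway GW-SITEB-ISP2 external-interface ge-0/0/3

## Both VPNs bound to one multipoint st0 unit, as in the answer's lab
set security ipsec policy IPSEC-POL-SITEB proposal-set standard
set security ipsec vpn VPN-SITEB-ISP1 bind-interface st0.0
set security ipsec vpn VPN-SITEB-ISP1 ike gateway GW-SITEB-ISP1
set security ipsec vpn VPN-SITEB-ISP1 ike ipsec-policy IPSEC-POL-SITEB
set security ipsec vpn VPN-SITEB-ISP1 establish-tunnels immediately
set security ipsec vpn VPN-SITEB-ISP2 bind-interface st0.0
set security ipsec vpn VPN-SITEB-ISP2 ike gateway GW-SITEB-ISP2
set security ipsec vpn VPN-SITEB-ISP2 ike ipsec-policy IPSEC-POL-SITEB
set security ipsec vpn VPN-SITEB-ISP2 establish-tunnels immediately

## Tunnel interface: 192.168.21.0/30 is from the question; using .1 here and
## .2 at Site B is an assumption. IKE must be allowed inbound on both ISP ports.
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 192.168.21.1/30
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic system-services ike

## Route Site B's LAN over the tunnel (prefix is a placeholder)
set routing-options static route <SITE-B-LAN-PREFIX> next-hop 192.168.21.2
```

The two mechanisms cover different failures: the address list inside each gateway handles Site B's 6.6.6.6 path dying (DPD times out and IKE moves to 5.5.5.5), while the second gateway on ge-0/0/3 handles Site A's ISP1 uplink dying. A mirror-image config belongs on the Site B SRX. After a failover, `show security ike security-associations` and `show security ipsec security-associations` show which peer address and which VPN the live SAs belong to; with the 10 s / 3 probe DPD settings, expect roughly the 30 second detection time the KB describes, plus whatever BGP reconvergence adds, which matches the "just over a minute" the answerer saw.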