ScreenOS Firewalls (NOT SRX)

Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

I have a Juniper SSG-320 FW. I would like to create two IPSec tunnels to another office. One is primary and the other one is secondary. The remote destination subnet is the same because it's an office. If the primary tunnel fails then I want the secondary tunnel to become primary. Is this possible with metrics, and does it have to be route-based VPN or policy-based? See diagram.


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Hello Gilles,


I don't understand this part - The remote destination subnet is the same because its an office.


I can see that the destination network is 192.168.1.0/24 and the source network is 10.10.10.x/24. I don't see any overlapping subnets in your topology. Could you please clarify this once?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Sorry. Disregard that sentence. There is no overlap. You can just refer to the diagram I posted. Is it possible to have this setup?


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

From your SSG, if you have two external interfaces (say eth0 and eth1) connecting Cisco Router-1 and Cisco Router-2, then it is pretty straightforward. Create 2 route-based VPNs.


If you have only one external interface on your SSG and you are trying to form the VPN between two peers then you need point-to-multipoint VPN. Please check the following document - https://kb.juniper.net/kb/documents/public/VPN/routebasedhubandspokevpn_rev_1_3.pdf



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Thanks. That document helps. My setup would be a multipoint. Also, for both the metric and preference, which is preferred, higher or lower?


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

For a straight-up primary and backup VPN as in your diagram you can use the ScreenOS group feature. I have a configuration outline posted on my blog.


http://puluka.com/home/networking/screenos/screenos-redundant-internet-connections-on-a-policy-vpn/


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Solution
Accepted by topic author egilles

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Hi Gilles,


When you have two routes towards the same destination in your routing table given by two different protocols, e.g. a static route and a BGP route, and you want to choose one route as active, Route Preference can be used to achieve that. The lowest preference is given the highest priority.

When you have two routes towards the same destination in your routing table given by the same protocol, e.g. two static routes, and you want to make one active, you can use Route Metric. The lowest metric is given the highest priority.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
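As an added example, not taken from any post in this thread, here is a ScreenOS route-based primary/backup layout of the kind the accepted answer describes: two static routes to the same remote subnet, same protocol, so the metric decides and the lower value wins. It assumes ethernet0/0 and ethernet0/1 are the two external interfaces; the peer addresses, VPN names and pre-shared key are placeholders.

```screenos
# Constructed example: route-based primary and backup tunnels to 192.168.1.0/24
# Tunnel interfaces, each unnumbered on its own external interface (assumed names)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/1

# Phase 1 gateways; peer addresses and the pre-shared key are placeholders
set ike gateway gw-primary address 203.0.113.1 outgoing-interface ethernet0/0 preshare PLACEHOLDER-PSK sec-level standard
set ike gateway gw-backup address 198.51.100.1 outgoing-interface ethernet0/1 preshare PLACEHOLDER-PSK sec-level standard

# Phase 2 VPNs bound to the tunnel interfaces. VPN monitor with rekey ties the
# tunnel interface state to the SA, so a dead tunnel takes its route out of
# the routing table instead of blackholing traffic on the primary.
set vpn vpn-primary gateway gw-primary sec-level standard
set vpn vpn-primary bind interface tunnel.1
set vpn vpn-primary monitor optimized rekey
set vpn vpn-backup gateway gw-backup sec-level standard
set vpn vpn-backup bind interface tunnel.2
set vpn vpn-backup monitor optimized rekey

# Both routes are static, so metric decides: tunnel.1 (metric 10) is active,
# tunnel.2 (metric 20) takes over only when tunnel.1 goes down.
set route 192.168.1.0/24 interface tunnel.1 metric 10
set route 192.168.1.0/24 interface tunnel.2 metric 20
```

Check the result with `get route 192.168.1.0/24` while the primary is up and again after it is down; the active route should move from tunnel.1 to tunnel.2 and back.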

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Thank you very much! Does this configuration also work on the Juniper SRX? If so, do you have documentation on the SRX configuration, or is it the same as the SSG?

Is there also a way to import/export an IPSec tunnel configuration from one Juniper to another?


Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

This configuration example is only applicable on ScreenOS. This feature uses policy-based VPN with active/passive failover.


The feature was never migrated to the SRX/Junos platform.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

But can the SRX do some kind of IPsec tunnel failover?

Sent from Samsung Note

Re: Creating 2 IPSec tunnels as primary and secondary to a remote office on a Juniper SSG-320M

2 weeks ago

Hello Gilles,


Yes, we can configure primary/backup VPN in SRX and route failover is supported with IP monitoring feature.


[J/SRX] Example – Configuring a primary and backup VPN with route failover using ip-monitoring

https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227&cat=SRX_650&actp=LIST



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!