I have worked with Juniper/NetScreen devices since 1999. Started with Cisco routing and switching.
One of my goals is to be an expert in Juniper security and routing products.
2 comments:
Hey, thanks for sharing that to people!
I have a question, though. You said you have to use two virtual routers. But I remember that once, many months ago, I tried to do the redundant V-shaped tunnel (one office has one ISP, another has two) using tunnel interfaces and different routing preferences, and it worked --- in one virtual router. I just made two different tunnels in both VPN devices (Juniper SSG-5).
About load-sharing: I think if I make the routing preferences equal, then this is a load-sharing tunnel (if both connections are active in the office with two connections; and maybe ECMP is needed, I don't know), but if I make one of them higher, then this is active-passive redundancy.
Or did you mean something else, in a more general sense or something, as the reason you had to use two virtual routers?
Hi,
The problem is when your remote office doesn't have a static IP. Which ISP will the central site use to connect to the remote IP? If you have 2 ISPs, you have 2 gateways.
You can choose one, but then both VPNs are made over the same ISP.
When we have 2 vrouters I can make 2 default gateways (in each vrouter for each ISP).
Now each VPN will use its outgoing interface (which is bound to a vrouter) to send out packets. Because each vrouter has a default gateway, they can reach every destination IP.
On the load-sharing topic: only one route will be active (even if there are 2 routes). With ECMP you can tell it how many routes it must make active with the same preference and metric.
Hope this makes it clear.
GreetZ
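
The route selection discussed in the two comments above, as a simplified model added here (it is not code from the blog or from ScreenOS). The vrouter names, interface names, addresses and the rules "lower preference value wins" and "first configured route wins a tie when ECMP is off" are assumptions of this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    preference: int = 20  # assumed: lower value wins
    metric: int = 1       # tie-breaker, lower wins

class VRouter:
    """One routing table; max_ecmp_routes=1 means ECMP is off."""
    def __init__(self, name, max_ecmp_routes=1):
        self.name, self.max_ecmp_routes, self.routes = name, max_ecmp_routes, []

    def add(self, *routes):
        self.routes.extend(routes)
        return self

    def active(self, dst):
        """Interfaces actually used to forward traffic to dst."""
        addr = ip_address(dst)
        hits = [r for r in self.routes if addr in ip_network(r.prefix)]
        if not hits:
            return []
        longest = max(ip_network(r.prefix).prefixlen for r in hits)
        hits = [r for r in hits if ip_network(r.prefix).prefixlen == longest]
        best = min((r.preference, r.metric) for r in hits)
        equal = [r for r in hits if (r.preference, r.metric) == best]
        # Assumed: with ECMP off, the first configured equal route is used.
        return [r.interface for r in equal[: self.max_ecmp_routes]]

REMOTE_LAN = "10.2.0.0/24"  # constructed sample subnet behind the remote office

def tunnel_table(pref1, pref2, max_ecmp_routes=1):
    """Single vrouter holding one route per VPN tunnel to the remote LAN."""
    return VRouter("trust-vr", max_ecmp_routes).add(
        Route(REMOTE_LAN, "tunnel.1", pref1),
        Route(REMOTE_LAN, "tunnel.2", pref2))

def per_isp_vrouters():
    """Two vrouters, each with its own default route out of one ISP link."""
    return [VRouter("vr-isp1").add(Route("0.0.0.0/0", "ethernet0/0")),
            VRouter("vr-isp2").add(Route("0.0.0.0/0", "ethernet0/1"))]

if __name__ == "__main__":
    print(tunnel_table(20, 20).active("10.2.0.5"))     # ECMP off
    print(tunnel_table(20, 20, 2).active("10.2.0.5"))  # ECMP, 2 routes
    print(tunnel_table(20, 30, 2).active("10.2.0.5"))  # active-passive
    print([vr.active("203.0.113.9") for vr in per_isp_vrouters()])
```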