Friday, April 17, 2009

Redundant VPN tunnels

I made another movie explaining how redundant VPNs work on Juniper firewalls.

Hope you enjoy it.


echo said...

Hey, thanks for sharing that with people!

I have a question, though. You said you have to use two virtual routers. But I remember that once, many months ago, I tried to do the redundant V-shaped tunnel (one office has one ISP, another has two) using tunnel interfaces and different routing preferences, and it worked --- in one virtual router. I just made two different tunnels in both VPN devices (Juniper SSG-5).

About load-sharing. I think if I make the routing preferences equal, then this is a load-sharing tunnel (if both connections are active in the office with two connections; and maybe ECMP is needed, I don't know), but if I make one of them higher, then this is active-passive redundancy.

Or did you mean something else, in a more general sense or something, why you had to use two virtual routers?

Wim De Smet (aka Frac) said...


The problem is when your remote office doesn't have a static IP. Which ISP will the central site use to connect to the remote IP? If you have 2 ISPs, you have 2 gateways.

You can choose one, but then both VPNs are made over the same ISP.

When we have 2 vrouters, I can make 2 default gateways (one in each vrouter, for each ISP).

Now each VPN will use its outgoing interface (which is bound to a vrouter) to send out packets. Because each vrouter has a default gateway, they can reach every destination IP.

On the load-sharing topic: only one route will be active, even if there are 2 routes. (With ECMP you can tell it how many routes it must make active with the same preference and metric.)

Hope this makes it clear.
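The two-vrouter design Wim describes, written out as a ScreenOS configuration fragment for the central site (the side with two ISPs, terminating tunnels from a remote office with a dynamic IP). This is an added example, not configuration from the post, the video or Juniper; the vrouter, zone, interface and gateway names, the RFC 5737 documentation addresses, the remote FQDN `remote.example.net`, the LAN prefix `10.20.0.0/24` and the use of `bgroup0` as the trust interface are all assumptions, and the `#` lines are annotations rather than CLI input. The commented block at the end is the load-sharing variant echo asked about.

```text
# --- one virtual router per ISP, each with its own untrust zone -----------
set vrouter name isp1-vr
set vrouter name isp2-vr
set zone name untrust-isp1
set zone name untrust-isp2
set zone untrust-isp1 vrouter isp1-vr
set zone untrust-isp2 vrouter isp2-vr

set interface ethernet0/1 zone untrust-isp1
set interface ethernet0/1 ip 198.51.100.2/30
set interface ethernet0/2 zone untrust-isp2
set interface ethernet0/2 ip 203.0.113.2/30

# Each vrouter gets the default gateway of its own ISP. A tunnel whose outgoing
# interface sits in isp1-vr can therefore only ever leave via ISP 1, and the
# replies to the remote office's (dynamic) address go back the same way.
set vrouter isp1-vr route 0.0.0.0/0 interface ethernet0/1 gateway 198.51.100.1
set vrouter isp2-vr route 0.0.0.0/0 interface ethernet0/2 gateway 203.0.113.1

# --- two IKE gateways to the same remote peer, one per ISP -----------------
# The remote end has no static IP, so it is identified by FQDN in aggressive mode
# and must be the initiator; the central site only answers on each interface.
set ike gateway gw-remote-isp1 dynamic remote.example.net aggressive outgoing-interface ethernet0/1 preshare "<PRESHARED-KEY-PLACEHOLDER>" sec-level standard
set ike gateway gw-remote-isp2 dynamic remote.example.net aggressive outgoing-interface ethernet0/2 preshare "<PRESHARED-KEY-PLACEHOLDER>" sec-level standard

# --- route-based VPNs, each bound to a tunnel interface in the LAN vrouter --
set zone name vpn-zone
set zone vpn-zone vrouter trust-vr
set interface tunnel.1 zone vpn-zone
set interface tunnel.1 ip unnumbered interface bgroup0
set interface tunnel.2 zone vpn-zone
set interface tunnel.2 ip unnumbered interface bgroup0

set vpn vpn-remote-isp1 gateway gw-remote-isp1 sec-level standard
set vpn vpn-remote-isp1 bind interface tunnel.1
set vpn vpn-remote-isp1 monitor rekey
set vpn vpn-remote-isp2 gateway gw-remote-isp2 sec-level standard
set vpn vpn-remote-isp2 bind interface tunnel.2
set vpn vpn-remote-isp2 monitor rekey

# VPN monitor marks the tunnel interface down when the SA is lost, which is what
# lets the routing table fail over; without it the dead route stays active.

# --- active/passive: same prefix via both tunnels, lower preference wins ----
# Only the tunnel.1 route is active; the tunnel.2 route is installed when
# tunnel.1 goes down and withdrawn again when it comes back.
set vrouter trust-vr route 10.20.0.0/24 interface tunnel.1 preference 10
set vrouter trust-vr route 10.20.0.0/24 interface tunnel.2 preference 20

# Traffic between the LAN and the remote office still needs policies, e.g.
set policy from trust to vpn-zone any any any permit
set policy from vpn-zone to trust any any any permit

# --- load-sharing variant instead of the two routes above ------------------
# Equal preference and metric alone still leave only one route active; ECMP
# must be raised to 2 for both tunnel routes to carry traffic.
# set vrouter trust-vr max-ecmp-routes 2
# set vrouter trust-vr route 10.20.0.0/24 interface tunnel.1 preference 10
# set vrouter trust-vr route 10.20.0.0/24 interface tunnel.2 preference 10
```

To verify the failover behaviour, `get route ip 10.20.0.1` on trust-vr shows which tunnel route is currently active, `get sa` shows which of the two SAs are up, and `get route` in isp1-vr and isp2-vr should each show exactly one default route pointing at that ISP's gateway. If both default routes end up in the same vrouter, the symptom is the one Wim describes: both tunnels negotiate over one ISP and the second one never gives redundancy.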