We plan to install a Juniper SRX550 in our core. Our requirements are:
- Redundant IPSec tunnels to the same destination LAN, using 2 separate uplinks.
- IPSec has to be policy-based, because our client is currently using policy-based IPSec.
Problems:
- I have found in my demo network that if any link goes down, the other tunnel automatically goes active and passes the traffic. But I am not sure how these 2 are acting as redundant to each other, because I didn't configure any failover protocol or anything else — not even a dead timer.
- I have set my gateway to reach the remote LAN using a static route, but I am not sure how my 1.1.10/30 can pass traffic when my static route is assigned to 5.5.5.0/30.
/* Quoted from the full configuration below. The only route present is a
   default route via 5.5.5.6, i.e. out ge-0/0/1 (5.5.5.5/30). Nothing here
   points at the far end of the 1.1.1.0/30 link on ge-0/0/0, so packets
   toward the IKE-GW peer 2.2.2.2 follow this default out ge-0/0/1 unless
   OSPF (configured on both uplinks under protocols) installs a more
   specific route. NOTE(review): this is presumably the cause of the
   question above; confirm with "show route 2.2.2.2" and "show route 6.6.6.6". */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.5.5.6;
    }
}
What if I want to use a dynamic routing protocol to reach the remote LAN?
My complete configuration is below. Please advise.
/* Physical interfaces. None carry a "description" statement; adding one
   per interface (e.g. "description UPLINK-1-to-2.2.2.2") makes the zone
   and policy references below much easier to audit. */
interfaces {
    /* Uplink 1: external-interface of IKE gateway IKE-GW (peer 2.2.2.2).
       Member of zone WAN; runs OSPF. No static route uses this link. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 1.1.1.1/30;
            }
        }
    }
    /* Uplink 2: external-interface of IKE gateway IKE-GW-2 (peer 6.6.6.6).
       Member of zone WAN; runs OSPF; the static default route points at
       5.5.5.6 on this subnet. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 5.5.5.5/30;
            }
        }
    }
    /* Inside interface: zone LAN, matches address-book entry
       LOCAL 10.10.10.0/24 used by the VPN policies. */
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    /* RFC 1918 /24 that is placed in zone WAN together with the two
       internet uplinks and inherits that zone's host-inbound-traffic
       "all". NOTE(review): its purpose is not stated (presumably
       management or a demo segment) — if it is management, move it to
       its own zone rather than sharing the WAN zone's exposure. */
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.168.253.191/24;
            }
        }
    }
}
/* Single static default route via 5.5.5.6 (ge-0/0/1). There is no route
   via the 1.1.1.0/30 link, so reaching IKE peer 2.2.2.2 through ge-0/0/0
   depends on OSPF (below) learning a more specific route; otherwise IKE
   for IKE-GW is sourced from ge-0/0/0.0 but forwarded out ge-0/0/1.
   Note that with policy-based VPNs the tunnel is selected by the security
   policies (tunnel { ipsec-vpn ... }), not by a route for 20.20.20.0/24;
   only the two IKE peer addresses need to be routable.
   NOTE(review): verify with "show route 2.2.2.2". */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 5.5.5.6;
    }
}
</routing-options>
/* OSPF area 0 on both internet-facing uplinks. This is the only source
   of routes other than the static default, so it is presumably what makes
   2.2.2.2 reachable via ge-0/0/0 — TODO confirm with "show ospf neighbor"
   and "show route protocol ospf".
   NOTE(review): no OSPF authentication is configured on either interface,
   so whatever sits on the far end of each /30 can form an adjacency and
   advertise routes (including a route that steers IKE/ESP traffic
   elsewhere). If the upstream peers support it, add
   "authentication md5 <key-id> key <key>" under each interface; if OSPF
   is not actually needed on a link, mark it "passive" or remove it. */
protocols {
    ospf {
        area 0.0.0.0 {
            interface ge-0/0/0.0;
            interface ge-0/0/1.0;
        }
    }
}
security {
    /* Phase 1 (IKE). Two otherwise identical policies, one per gateway,
       so each uplink can carry its own pre-shared key. */
    ike {
        /* NOTE(review): "$9$..." strings are Junos's reversible
           obfuscation, not a hash. This configuration has been posted
           publicly, so treat both pre-shared keys as disclosed and rotate
           them; scrub "pre-shared-key" values before sharing configs. */
        policy IKE-POLICY {
            mode main;
            /* "proposal-set standard" is a Juniper-defined bundle; it is
               believed to include 3DES/SHA-1 and DH group 2 options.
               Consider an explicit proposal (e.g. aes-256, sha-256,
               group14) once the peer supports it — TODO confirm with
               "show security ike security-associations detail". */
            proposal-set standard;
            pre-shared-key ascii-text "$9$Q3hB3CuOBESrv69tO"; ## SECRET-DATA
        }
        policy IKE-POLICY-2 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "$9$pEe3ORSdVYoaU-dk.5T3n"; ## SECRET-DATA
        }
        /* Gateway for uplink 1: peer 2.2.2.2, IKE sourced from ge-0/0/0.0.
           NOTE(review): no "dead-peer-detection" is configured on either
           gateway, which matches the "no dead timer" remark above. Without
           it a silently failed peer is presumably only noticed when the SA
           lifetime expires or a rekey fails; for deterministic failover
           between VPN-1 and VPN-2 add "dead-peer-detection" (with
           "always-send" or "optimized") to both gateways. */
        gateway IKE-GW {
            ike-policy IKE-POLICY;
            address 2.2.2.2;
            external-interface ge-0/0/0.0;
        }
        /* Gateway for uplink 2: peer 6.6.6.6, IKE sourced from ge-0/0/1.0
           (the interface the static default route leaves on). */
        gateway IKE-GW-2 {
            ike-policy IKE-POLICY-2;
            address 6.6.6.6;
            external-interface ge-0/0/1.0;
        }
    }
    /* Phase 2 (IPsec). One policy shared by both VPNs. */
    ipsec {
        policy IPSec-POLICY {
            /* PFS with DH group 2 (1024-bit MODP) — weak by current
               guidance; prefer "keys group14" or stronger if the peer
               supports it. */
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        /* VPN-1 rides IKE-GW (uplink 1). "establish-tunnels immediately"
           negotiates the SA at commit rather than waiting for traffic, so
           both tunnels are normally up at the same time. */
        vpn VPN-1 {
            ike {
                gateway IKE-GW;
                ipsec-policy IPSec-POLICY;
            }
            establish-tunnels immediately;
        }
        /* VPN-2 rides IKE-GW-2 (uplink 2). */
        vpn VPN-2 {
            ike {
                gateway IKE-GW-2;
                ipsec-policy IPSec-POLICY;
            }
            establish-tunnels immediately;
        }
    }
    /* Policy-based VPN: the "tunnel { ipsec-vpn ... }" action is what
       selects the tunnel for LOCAL<->REMOTE traffic. Policies are
       evaluated in the order listed and the first match wins. UPLINK-2
       and UPLINK have identical match terms, so UPLINK-2 (VPN-2) is
       always the first match; how traffic reaches UPLINK/VPN-1 when
       VPN-2 is down is not visible from the configuration alone — TODO
       confirm with "show security flow session" and
       "show security ipsec security-associations" while uplink 2 is down.
       NOTE(review): no session logging is configured on any policy; add
       "log { session-init; session-close; }" under "then" so tunnel
       usage and failover are visible in the logs. */
    policies {
        from-zone LAN to-zone WAN {
            /* Listed first, so it is the preferred path for LOCAL->REMOTE.
               "application any" lets every protocol into the tunnel. */
            policy UPLINK-2 {
                match {
                    source-address LOCAL;
                    destination-address REMOTE;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-2;
                            pair-policy DOWNLINK-2;
                        }
                    }
                }
            }
            /* Same match as UPLINK-2; only reached if UPLINK-2 does not
               take the session. */
            policy UPLINK {
                match {
                    source-address LOCAL;
                    destination-address REMOTE;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-1;
                            pair-policy DOWNLINK;
                        }
                    }
                }
            }
        }
        /* Return / inbound direction. These admit decrypted traffic from
           20.20.20.0/24 to the whole 10.10.10.0/24 on "application any";
           if the client only needs specific services, restrict the
           application set here. */
        from-zone WAN to-zone LAN {
            policy DOWNLINK-2 {
                match {
                    source-address REMOTE;
                    destination-address LOCAL;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-2;
                            pair-policy UPLINK-2;
                        }
                    }
                }
            }
            policy DOWNLINK {
                match {
                    source-address REMOTE;
                    destination-address LOCAL;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn VPN-1;
                            pair-policy UPLINK;
                        }
                    }
                }
            }
        }
    }
    zones {
        /* Untrusted zone holding both internet uplinks (and ge-0/0/3.0).
           NOTE(review): "system-services all" / "protocols all" accept
           every management service (ssh, telnet, http, snmp, ...) and
           every routing protocol on the internet-facing interfaces. The
           configuration only needs "ike" (for IKE-GW/IKE-GW-2) and
           "ospf" here, plus whatever management is deliberately exposed;
           replace "all" with that explicit list, e.g.
           "system-services { ike; ping; }" and "protocols { ospf; }". */
        security-zone WAN {
            address-book {
                /* Remote LAN behind the peers; referenced by all four policies. */
                address REMOTE 20.20.20.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
                ge-0/0/0.0;
                ge-0/0/1.0;
            }
        }
        /* Trusted inside zone. "all"/"all" is less critical here but the
           same explicit-list approach is preferable. */
        security-zone LAN {
            address-book {
                address LOCAL 10.10.10.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}