Having a Single Point of Failure (SPoF) on your network is never a desirable situation, and recently I implemented a multi-site set-up where each site had two Internet connections and there was a requirement to enable the satellite office to connect to the head office at all times.

Each site has a Juniper SSG5-SB firewall as well as a 10Mbit leased line primary Internet circuit and an ADSL backup.

With the Juniper SSG firewalls it is possible to use Policy Based VPNs to maintain multiple tunnels and have the firewalls switch between these as required; however, you end up with four policies on each firewall and you cannot tell from looking at a routing table where the traffic is flowing.

In this instance I decided to make use of OSPF to dynamically route the traffic depending on the availability of the VPNs at each site.

The first thing we need to do in order to implement this is to put each Internet connection into its own Virtual Router so they can run independently of each other. I have covered this in a recent blog post which you can read here.

Once you have the two firewalls set up with each Internet connection in its own virtual router we need to set up the VPNs.

This is done with a new Zone in the trust-vr and we will need four numbered tunnel interfaces on each firewall, one for each combination of local and remote circuit: tunnel.1 carries the leased line to leased line VPN, tunnel.2 ADSL to leased line, tunnel.3 leased line to ADSL and tunnel.4 ADSL to ADSL. Each VPN is bound to its tunnel interface with VPN monitoring enabled, so when a tunnel fails its interface goes down and OSPF withdraws the route; the OSPF cost on each tunnel interface (1, 2, 3 and so on) then decides which of the remaining tunnels carries the traffic, with the leased line to leased line tunnel always preferred when it is up. The relevant configuration from the Site A firewall is below (the `id 0x..` values are assigned by ScreenOS and appear as shown in `get config`; you do not type them):

```
set ike gateway "Site-A_PRI-Site-B_PRI" address 192.0.2.18 Main outgoing-interface "ethernet0/0" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_SEC-Site-B_PRI" address 192.0.2.18 Main outgoing-interface "ethernet0/1" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_PRI-Site-B_SEC" address 192.0.2.34 Main outgoing-interface "ethernet0/0" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set ike gateway "Site-A_SEC-Site-B_SEC" address 192.0.2.34 Main outgoing-interface "ethernet0/1" preshare EnterYourPSKHere proposal "pre-g2-aes128-sha"
set vpn "Site-A_PRI-Site-B_PRI IKE" gateway "Site-A_PRI-Site-B_PRI" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_PRI-Site-B_PRI IKE" monitor optimized rekey
set vpn "Site-A_PRI-Site-B_PRI IKE" id 0x2 bind interface tunnel.1
set vpn "Site-A_SEC-Site-B_PRI IKE" gateway "Site-A_SEC-Site-B_PRI" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_SEC-Site-B_PRI IKE" monitor optimized rekey
set vpn "Site-A_SEC-Site-B_PRI IKE" id 0x3 bind interface tunnel.2
set vpn "Site-A_SEC-Site-B_PRI IKE" dscp-mark 0
set vpn "Site-A_PRI-Site-B_SEC IKE" gateway "Site-A_PRI-Site-B_SEC" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_PRI-Site-B_SEC IKE" monitor optimized rekey
set vpn "Site-A_PRI-Site-B_SEC IKE" id 0x4 bind interface tunnel.3
set vpn "Site-A_SEC-Site-B_SEC IKE" gateway "Site-A_SEC-Site-B_SEC" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "Site-A_SEC-Site-B_SEC IKE" monitor optimized rekey
set vpn "Site-A_SEC-Site-B_SEC IKE" id 0x5 bind interface tunnel.4
set vrouter trust-vr protocol ospf enable
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf enable
set interface tunnel.1 protocol ospf priority 10
set interface tunnel.1 protocol ospf cost 1
set interface tunnel.1 protocol ospf link-type p2p
set interface tunnel.2 protocol ospf area 0.0.0.0
set interface tunnel.2 protocol ospf enable
set interface tunnel.2 protocol ospf priority 20
set interface tunnel.2 protocol ospf cost 2
set interface tunnel.2 protocol ospf link-type p2p
set interface tunnel.3 protocol ospf area 0.0.0.0
set interface tunnel.3 protocol ospf enable
set interface tunnel.3 protocol ospf priority 30
set interface tunnel.3 protocol ospf cost 3
set interface tunnel.3 protocol ospf link-type p2p
```

Two things worth checking before copying this onto a production firewall: the IKE and IPsec proposals use DH group 2, AES-128 and SHA-1, and `no-replay` on each `set vpn` line disables IPsec anti-replay protection. Where the remote platform supports it, pick a stronger group and leave replay protection on; neither change affects the OSPF failover design.
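To show how the four tunnels, the OSPF costs and VPN monitoring combine into a failover order, and to produce the mirror configuration for the Site B firewall (which the post does not show), here is an added Python model. It is example code, not the author's configuration: Site A's WAN interfaces and Site B's public addresses are taken from the post, while Site A's public addresses, Site B's WAN interfaces, the gateway/VPN names as seen from Site B and the tunnel.4 OSPF values are assumptions (RFC 5737 documentation addresses, and the same `cost n / priority 10n` pattern as tunnel.1 to tunnel.3).

```python
"""Model of the four-tunnel, dual-ISP VPN mesh described in the post.

Added example, not the author's configuration.  Site A's WAN interfaces and
Site B's public addresses come from the post; Site A's public addresses,
Site B's WAN interfaces, the names as seen from Site B and the tunnel.4 OSPF
values are assumptions.
"""
from itertools import product

# (tunnel number, circuit used at Site A, circuit used at Site B), in the
# OSPF preference order from the post: cost 1 is leased line at both ends,
# cost 4 is ADSL at both ends.  OSPF cost and priority follow the tunnel
# number (cost n, priority 10n); the tunnel.4 values are assumed.
TUNNELS = [
    (1, "PRI", "PRI"),
    (2, "SEC", "PRI"),
    (3, "PRI", "SEC"),
    (4, "SEC", "SEC"),
]

# circuit -> (outgoing interface, public address).  Site B addresses and the
# Site A interfaces are from the post; the rest is assumed (RFC 5737 space).
SITES = {
    "Site-A": {"PRI": ("ethernet0/0", "198.51.100.18"),
               "SEC": ("ethernet0/1", "198.51.100.34")},
    "Site-B": {"PRI": ("ethernet0/0", "192.0.2.18"),
               "SEC": ("ethernet0/1", "192.0.2.34")},
}


def screenos_config(local, remote, psk="EnterYourPSKHere"):
    """Return the ScreenOS commands for the four VPNs and their OSPF tunnel
    interfaces at `local`, peering with `remote`.  Tunnel numbers are kept
    identical at both sites so every tunnel has the same cost from either
    end.  Not generated: the zone and IP assignment of the tunnel interfaces
    (the post only shows those in images) and the `id 0x..` tokens, which
    ScreenOS assigns itself and which only appear in `get config` output."""
    lines = ["set vrouter trust-vr protocol ospf enable"]
    for n, a_circ, b_circ in TUNNELS:
        lc, rc = (a_circ, b_circ) if local == "Site-A" else (b_circ, a_circ)
        out_if, _ = SITES[local][lc]
        _, peer_ip = SITES[remote][rc]
        gw = f"{local}_{lc}-{remote}_{rc}"   # local circuit first, as in the post
        vpn = f"{gw} IKE"
        lines += [
            f'set ike gateway "{gw}" address {peer_ip} Main '
            f'outgoing-interface "{out_if}" preshare {psk} proposal "pre-g2-aes128-sha"',
            f'set vpn "{vpn}" gateway "{gw}" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"',
            f'set vpn "{vpn}" monitor optimized rekey',
            f'set vpn "{vpn}" bind interface tunnel.{n}',
            f"set interface tunnel.{n} protocol ospf area 0.0.0.0",
            f"set interface tunnel.{n} protocol ospf enable",
            f"set interface tunnel.{n} protocol ospf priority {10 * n}",
            f"set interface tunnel.{n} protocol ospf cost {n}",
            f"set interface tunnel.{n} protocol ospf link-type p2p",
        ]
    return lines


def active_tunnel(up):
    """`up` maps (site, circuit) to True/False.  VPN monitoring takes a
    tunnel interface down when either underlying circuit fails and OSPF
    withdraws its route, so traffic follows the lowest-cost tunnel whose two
    circuits are both up.  None means the sites are isolated."""
    for n, a_circ, b_circ in TUNNELS:
        if up[("Site-A", a_circ)] and up[("Site-B", b_circ)]:
            return n
    return None


CIRCUIT_KEYS = [(s, c) for s in ("Site-A", "Site-B") for c in ("PRI", "SEC")]


def failover_table():
    """Every combination of the four circuit states -> tunnel in use (or None)."""
    return {states: active_tunnel(dict(zip(CIRCUIT_KEYS, states)))
            for states in product((True, False), repeat=4)}


if __name__ == "__main__":
    print("\n".join(screenos_config("Site-A", "Site-B")))
    print()
    print("\n".join(screenos_config("Site-B", "Site-A")))
    print()
    for states, tun in failover_table().items():
        desc = " ".join(f"{s[5:]}-{c}={'up' if ok else 'down'}"
                        for (s, c), ok in zip(CIRCUIT_KEYS, states))
        print(f"{desc} -> {'tunnel.%d' % tun if tun else 'no path'}")
```

Running it prints the Site A commands (matching the ones in the post, minus the `id` tokens), the assumed Site B mirror, and the sixteen-row failover table; the table is the quickest way to confirm that losing either leased line moves traffic to the cost-2 or cost-3 tunnel and that only losing both circuits at one site isolates it.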