VPN Lab: Difference between revisions

==SRX Site to Site VPN==
*[http://network.mwzip.com/wiki/SRX_Route_based_VPN Route based VPN]
*[http://network.mwzip.com/wiki/SRX_Policy_based_VPN Policy based VPN]
<br />
 
 
== Redundant VPN ==
Source: [https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-ipsecvpn/Redundant_VPN_Config/Configuration_Overview.htm help.fortinet.com]
{{UC}}
 
;General configuration steps
 
*A redundant configuration at each VPN peer includes:
**One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer; if both peers have two public interfaces, for example, each peer has four paths.
**One Phase 2 definition for each Phase 1 configuration.
**One static route for each IPsec interface, with different distance values to prioritize the routes.
**Two Accept security policies per IPsec interface, one for each direction of traffic.
**Dead peer detection enabled in each Phase 1 definition.
 
*The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.
 
;Configuring the VPN peers - route-based VPN
 
*VPN peers are configured using Interface Mode for redundant tunnels.
*Configure each VPN peer as follows:
*#Ensure that the interfaces used in the VPN have static IP addresses.
*#Create a Phase 1 configuration for each of the paths between the peers.
*#Enable dead peer detection so that one of the other paths is activated if this path fails.
 
== Primary and Backup VPN ==
 
Source: [https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227&actp=METADATA kb.juniper.net]
 
;Steps for configuring Primary and Backup VPN with Route Failover using IP-Monitoring:
*If the primary tunnel fails, traffic flows through the backup tunnel.
*Route failover is achieved using IP-Monitoring.
*To achieve redundancy between two route-based VPN tunnels, a numbered tunnel interface must be configured.
 
;Solution:
#Configure two route-based VPN tunnels (primary and backup) between two SRX devices.
#Configure ISP2 in a virtual routing instance. Configure an RPM probe whose target address is the ISP1 address (1.1.1.2) and whose destination-interface is the primary VPN's external interface.
#Configure IP-monitoring to match the RPM probe configured in the previous step, with a preferred route whose destination is the PC2 address and whose next-hop is the IP address of the backup tunnel on SRX2 (in this case, the address of st0.1 on SRX2).
#Configure the same on SRX2. When configuring IP-Monitoring on SRX2, set the next-hop to the IP address of the backup tunnel on SRX1 (in this case, the address of st0.1 on SRX1).
 
<pre>
                 |-----------------[ISP1]---------------|
                 |                                      |
[PC1]----------[FW1]                                  [FW2]------------[PC2]
                 |                                      |
                 |-----------------[ISP2]---------------|
</pre>
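As an added example (not from the Juniper KB article or this wiki's lab), the SRX1 side of the solution above in Junos set format. Everything except the ISP1 gateway 1.1.1.2 is an assumed value: interface names, tunnel and LAN addresses, probe and gateway names. The IKE/IPsec proposal and policy definitions and the security policies are omitted; only the lines that tie each tunnel to its uplink and implement the RPM/IP-monitoring failover are shown.

```junos
## Added example for SRX1. Assumed addressing:
##   ge-0/0/1.0 = ISP1 uplink (gateway 1.1.1.2, from the text)
##   ge-0/0/2.0 = ISP2 uplink 2.2.2.1/30 (assumed gateway 2.2.2.2)
##   st0.0 = primary tunnel 10.0.0.1/30, st0.1 = backup tunnel 10.0.1.1/30
##   SRX2's st0.1 = 10.0.1.2, PC2 LAN = 192.168.2.0/24

## Numbered tunnel interfaces: required so a preferred route can use a tunnel IP as next-hop
set interfaces st0 unit 0 family inet address 10.0.0.1/30
set interfaces st0 unit 1 family inet address 10.0.1.1/30

## ISP2 uplink in its own virtual router; st0.1 itself stays in inet.0
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface ge-0/0/2.0
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2

## Normal state: default via ISP1, PC2's LAN via the primary tunnel
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
set routing-options static route 192.168.2.0/24 next-hop st0.0

## Tie each IKE gateway to its uplink and each VPN to its tunnel interface
## (ike-policy, gateway address, proposals and security policies omitted)
set security ike gateway gw-primary external-interface ge-0/0/1.0
set security ike gateway gw-backup external-interface ge-0/0/2.0
set security ipsec vpn vpn-primary bind-interface st0.0
set security ipsec vpn vpn-backup bind-interface st0.1

## RPM probe: ICMP to the ISP1 gateway, sent out the primary VPN's external interface
## Three consecutive lost probes mark the test as failed
set services rpm probe probe-isp1 test isp1-reach probe-type icmp-ping
set services rpm probe probe-isp1 test isp1-reach target address 1.1.1.2
set services rpm probe probe-isp1 test isp1-reach probe-count 3
set services rpm probe probe-isp1 test isp1-reach probe-interval 2
set services rpm probe probe-isp1 test isp1-reach test-interval 3
set services rpm probe probe-isp1 test isp1-reach thresholds successive-loss 3
set services rpm probe probe-isp1 test isp1-reach destination-interface ge-0/0/1.0

## IP-monitoring: when the probe fails, inject a preferred route for PC2's LAN
## whose next-hop is SRX2's backup tunnel address (st0.1 on SRX2).
## The injected route wins over the static route, so traffic shifts to st0.1;
## it is withdrawn automatically when the probe succeeds again.
set services ip-monitoring policy vpn-failover match rpm-probe probe-isp1
set services ip-monitoring policy vpn-failover then preferred-route route 192.168.2.0/24 next-hop 10.0.1.2
```

On SRX2 the mirror image is applied with the preferred route's next-hop set to 10.0.1.1 (SRX1's st0.1); verify with <code>show services ip-monitoring status</code> and <code>show route 192.168.2.0/24</code> after pulling the ISP1 link in the lab.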
 
== Overlapping Subnet VPN <ref>www.bt.com/india</ref>==