VPN Lab: Difference between revisions

 
 
== Redundant VPN ==
Source: [https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-ipsecvpn/Redundant_VPN_Config/Configuration_Overview.htm help.fortinet.com]
 
;General configuration steps
Create a Phase 1 configuration for each of the paths between the peers.
Enable dead peer detection so that one of the other paths is activated if this path fails.
 
== Primary and Backup VPN ==
 
Source: [https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227&actp=METADATA kb.juniper.net]
 
;Steps for configuring Primary and Backup VPN with Route Failover using IP-Monitoring:
If the primary tunnel fails, traffic flows through the backup tunnel.
Route failover is achieved using IP-Monitoring.
To achieve redundancy between two route-based VPN tunnels, a numbered tunnel interface must be configured.
 
;Solution:
Configure two route-based VPN tunnels (primary and backup) between two SRX devices.
Configure ISP2 in a virtual routing-instance, and an RPM probe with the ISP1 address (1.1.1.2) as target address and the primary VPN's external interface as destination-interface.
Configure IP-monitoring that matches the RPM probe configured earlier, then a preferred route with the PC2 address as route address and the IP address of the backup tunnel on SRX2 (in this case, the IP address on st0.1 on SRX2) as next-hop. Configure the same on SRX2.
When configuring IP-Monitoring on SRX2, configure the next-hop as the IP address of the backup tunnel on SRX1, in this case the IP address on st0.1 on SRX1.
 
<pre>
                 |-----------------[ISP1]---------------|
                 |                                      |
[PC1]----------[FW1]                                  [FW2]------------[PC2]
                 |                                      |
                 |-----------------[ISP2]---------------|
</pre>
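The SRX1 side of the steps above, as an added example in Junos set-command form (it is not taken from the page or from the Juniper KB article). Only the ISP1 address 1.1.1.2 comes from the page; the interface names, tunnel and LAN addresses, and probe/policy names are assumed, and the IKE/IPsec proposals, policies and peer addresses are assumed to be configured already.

```junos
## Added example for SRX1 only. Assumed values (not on the page):
## ge-0/0/0 = ISP1 uplink, ge-0/0/1 = ISP2 uplink, st0.0 = primary tunnel,
## st0.1 = backup tunnel (10.10.2.2 = st0.1 on SRX2), 192.168.2.0/24 = PC2 LAN.
## IKE/IPsec proposals, policies and gateway peer addresses are assumed present.

## Backup uplink in its own virtual router, so its default route never
## competes with the primary uplink's default route in the main instance.
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface ge-0/0/1.0
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

## Numbered tunnel interfaces: the preferred route below needs a next-hop IP.
set interfaces st0 unit 0 family inet address 10.10.1.1/30
set interfaces st0 unit 1 family inet address 10.10.2.1/30

## Two route-based tunnels: primary over ISP1, backup over ISP2.
set security ike gateway gw-primary external-interface ge-0/0/0.0
set security ipsec vpn vpn-primary bind-interface st0.0
set security ike gateway gw-backup external-interface ge-0/0/1.0
set security ipsec vpn vpn-backup bind-interface st0.1

## Normal path: PC2 LAN reachable through the primary tunnel.
set routing-options static route 192.168.2.0/24 next-hop 10.10.1.2

## RPM probe: ping the ISP1 address out of the primary VPN's external interface.
set services rpm probe probe-isp1 test ping-isp1 probe-type icmp-ping
set services rpm probe probe-isp1 test ping-isp1 target address 1.1.1.2
set services rpm probe probe-isp1 test ping-isp1 probe-count 3
set services rpm probe probe-isp1 test ping-isp1 probe-interval 2
set services rpm probe probe-isp1 test ping-isp1 test-interval 5
set services rpm probe probe-isp1 test ping-isp1 thresholds successive-loss 3
set services rpm probe probe-isp1 test ping-isp1 destination-interface ge-0/0/0.0

## IP monitoring: when the probe fails, install a preferred route for the PC2
## LAN with the st0.1 address on SRX2 as next-hop; it is withdrawn again when
## the probe succeeds. On SRX2 the mirror policy points at st0.1 on SRX1.
set services ip-monitoring policy vpn-failover match rpm-probe probe-isp1
set services ip-monitoring policy vpn-failover then preferred-route route 192.168.2.0/24 next-hop 10.10.2.2
```

Check the probe and the installed route with `show services rpm probe-results` and `show services ip-monitoring status`; the preferred route should appear in `show route 192.168.2.0/24` only while the probe is in the FAIL state.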
 
== Overlapping Subnet VPN <ref>www.bt.com/india</ref> ==