VPNs using OSPF and ECMP between two sites
whoppi:
I'm planning to build a redundant VPN solution using four NS5GT with OSPF and ECMP over four route-based VPNs.
There will also be VPNs between NS1 & NS4 and between NS2 & NS3, but I couldn't draw them.
What do you guys think about this setup?
(Diagram: OSPF AREA 0.0.0.0, ECMP over all firewalls)
I don't know if OSPF and ECMP will work together,
but I would think that if you have two OSPF routes to the backend network with the same cost and ECMP is enabled, it would do load balancing (round robin).
But I never tested this (maybe NetScreen doesn't support the combination of both).
If I ever have some spare time (not :-D) I would love to test/debug that.
Packet7:
We initially started with that approach, but came across some problems. Currently we have a single OSPF area (0.0.0.0) in a mesh VPN, each firewall has a Tun.1 routing via a primary ISP (also using NHTB). Each site also has a second ISP, with Tun.2 connecting to the same OSPF backbone via ISP 2. IP tracking and VPN monitoring are running and the failover works quite well. Each site has either a 5GT or a 25/50 cluster.
We would love to load balance the VPN traffic over both VPNs using ECMP. The only problem was we couldn't get the routes to stick. We even tried using the Asymmetric VPN setting in the Trust and VPN zones. I was able to load balance with static routes though. Anyone have this working? Load balancing VPNs with OSPF?
BTW, what does disabling TCP-syn provide?
Yes, you could do that. But keep in mind that some return packets could go over the other VPN and so also through the other firewall.
Are those firewalls clusters? If so, be sure to disable TCP SYN checking on the VPN zone.
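The reply above makes two points that are easy to see in a small simulation: with ECMP over two tunnels the return packet may arrive at a different firewall than the one that saw the SYN, and a stateful firewall with TCP SYN checking enabled drops that packet because it has no session for it. The Python below is an added illustration, not ScreenOS code or anything posted in the thread; the topology (tunnel.1 to NS3, tunnel.2 to NS4), the addresses and the three path-selection strategies are constructed assumptions.

```python
import zlib
from itertools import cycle

# Constructed topology (added illustration, not from the thread): site A has two
# equal-cost OSPF routes to the backend, tunnel.1 ending on NS3, tunnel.2 on NS4.
TUNNELS = {"tunnel.1": "NS3", "tunnel.2": "NS4"}

def session_key(key):
    src, dst, sport, dport = key          # canonical order: flow and reverse share it
    return tuple(sorted([(src, sport), (dst, dport)]))

def per_flow_picker():
    """Per-flow ECMP: hash the 4-tuple as seen, so each direction sticks to one tunnel."""
    names = sorted(TUNNELS)
    return lambda key: names[zlib.crc32(repr(key).encode()) % len(names)]

def symmetric_flow_picker():
    """Per-flow ECMP over the canonical key: a flow and its reverse pick the same tunnel."""
    names = sorted(TUNNELS)
    return lambda key: names[zlib.crc32(repr(session_key(key)).encode()) % len(names)]

def round_robin_picker():
    """Per-packet ECMP: successive packets alternate tunnels regardless of flow."""
    order = cycle(sorted(TUNNELS))
    return lambda key: next(order)

class StatefulFirewall:
    """A SYN creates a session; with SYN checking on, a non-SYN packet matching no session is dropped."""
    def __init__(self, syn_check=True):
        self.syn_check, self.sessions = syn_check, set()

    def accept(self, key, syn):
        session = session_key(key)
        if session in self.sessions:
            return True
        if syn or not self.syn_check:
            self.sessions.add(session)  # SYN, or any packet when the check is off
            return True
        return False  # mid-stream packet with no session: dropped

def run_handshake(pick, syn_check=True):
    """Send a SYN A->B and the SYN-ACK back, each ECMP-routed by `pick`;
    returns (firewall that saw the SYN, firewall that saw the SYN-ACK, SYN-ACK accepted)."""
    fws = {name: StatefulFirewall(syn_check) for name in TUNNELS.values()}
    fwd = ("10.1.0.10", "10.2.0.20", 40000, 443)  # constructed client -> server
    rev = (fwd[1], fwd[0], fwd[3], fwd[2])
    syn_fw = TUNNELS[pick(fwd)]
    fws[syn_fw].accept(fwd, syn=True)
    synack_fw = TUNNELS[pick(rev)]
    return syn_fw, synack_fw, fws[synack_fw].accept(rev, syn=False)
```

Per-packet round robin always splits the handshake across NS3 and NS4, so the SYN-ACK is dropped unless SYN checking is off; only a path selection that is symmetric for both directions keeps the whole flow on one firewall.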