VPNs using OSPF and ECMP between two sites



  • Hi!
    I'm planning to build a redundant VPN solution using four NS5GTs with OSPF and ECMP over four route-based VPNs.
    There will also be VPNs between NS1 & NS4 and between NS2 & NS3, but I couldn't draw them…
    What do you guys think about this setup?

    OSPF AREA 0.0.0.0 ECMP over all firewalls

    SITE1##########SITE2

    NS1------ISP1---------NS3

    NS2------ISP2---------NS4


  • Engineer

    Ha,

    Don’t know if OSPF and ECMP will work together.

    But I would think that if you have 2 OSPF routes for the backend network with the same cost and ECMP is enabled, it would do load balancing (round robin).

    But I never tested this (maybe NetScreen doesn't support the combination of both).

    If I ever have some spare time (not :-D) I would love to test/debug that.

    greetZ,
    Frac



  • Hello,

    We initially started with that approach, but came across some problems. Currently, we have a single OSPF area (0.0.0.0) in a mesh VPN, each firewall has a Tun.1 routing via a primary ISP (also using NHTB). Each site also has a second ISP, Tun.2 connecting to the same OSPF backbone via ISP 2. IP tracking and VPN monitoring are running and the failover works quite well. Each site has either a 5GT or a 25/50 cluster.

    We would love to load balance the VPN traffic over both VPNs using ECMP. The only problem was we couldn't get the routes to stick. We even tried using the Asymmetric VPN setting in the Trust and VPN zones. I was able to load balance with static routes though. Anyone have this working? Load balancing VPNs with OSPF?

    BTW, what does disabling TCP-syn checking provide?

    Thanks

    Rgds,

    John


  • Engineer

    Ya, you could do that. But keep in mind that some return packets could go over the other VPN and so also the other firewall.

    Are those firewalls clusters? If so, be sure to disable TCP SYN checking on the VPN zone.

    greetZ,
    Frac
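The following is an added illustration, not code from the thread or from Juniper, of the point Frac raises (a reply can hash onto the other VPN and the other firewall) and of what disabling TCP SYN checking actually trades away. It models the four-box mesh from the diagram (NS1/NS2 at site 1, NS3/NS4 at site 2, a tunnel between every site-1 and site-2 box), each packet crossing one firewall per site. Assumptions: the real ScreenOS ECMP selection algorithm is not described on the page, so SHA-256 of the 5-tuple stands in for it; the `Firewall` class is a toy session table, not ScreenOS; the 10.1.0.0/10.2.0.0 addresses are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP 5-tuple as seen on the wire (protocol is always TCP here)."""
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self):
        return Flow(self.dst, self.src, self.dport, self.sport)

    def session_key(self):
        # Direction-independent key, the way a session table matches both halves of a flow.
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def ecmp_select(flow, next_hops):
    """Per-flow ECMP: hash the tuple as seen and pick one of the equal-cost next hops.
    ASSUMPTION: the real ScreenOS selection is not documented on the page; SHA-256 stands
    in for it. The property that matters is that the reply, hashed on the reversed tuple,
    is an independent choice."""
    digest = hashlib.sha256(f"{flow.src}:{flow.sport}>{flow.dst}:{flow.dport}".encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


class Firewall:
    """Toy stateful firewall (not ScreenOS): a packet passes if it matches a session or may
    create one. With syn_check on, only a SYN may create a TCP session."""

    def __init__(self, name, syn_check=True):
        self.name = name
        self.syn_check = syn_check
        self.sessions = set()

    def inspect(self, flow, syn):
        key = flow.session_key()
        if key in self.sessions:
            return True
        if syn or not self.syn_check:
            self.sessions.add(key)
            return True
        return False  # non-SYN packet with no session: dropped


def handshake(flow, syn_check):
    """Client behind site 1 opens a TCP connection to a server behind site 2.
    Returns ((egress, ingress) for the SYN, (egress, ingress) for the SYN-ACK, accepted)."""
    site1 = [Firewall("NS1", syn_check), Firewall("NS2", syn_check)]
    site2 = [Firewall("NS3", syn_check), Firewall("NS4", syn_check)]
    out_fw, in_fw = ecmp_select(flow, site1), ecmp_select(flow, site2)
    out_fw.inspect(flow, syn=True)   # the SYN creates a session on both boxes it crosses
    in_fw.inspect(flow, syn=True)
    reply = flow.reverse()           # the SYN-ACK is hashed on the reversed tuple
    back_out, back_in = ecmp_select(reply, site2), ecmp_select(reply, site1)
    accepted = back_out.inspect(reply, syn=False) and back_in.inspect(reply, syn=False)
    return (out_fw.name, in_fw.name), (back_out.name, back_in.name), accepted


def is_symmetric(forward_path, return_path):
    """True when the reply crosses exactly the two firewalls the SYN crossed."""
    return forward_path == (return_path[1], return_path[0])


def find_asymmetric_flow(start_port=40000, tries=1000):
    """Walk source ports until a reply hashes to a different firewall pair (constructed hosts)."""
    for port in range(start_port, start_port + tries):
        flow = Flow("10.1.0.10", "10.2.0.20", port, 443)
        fwd, ret, _ = handshake(flow, syn_check=True)
        if not is_symmetric(fwd, ret):
            return flow
    return None


def stray_ack_creates_session(syn_check):
    """Cost of the workaround: with SYN checking off, any mid-stream packet arriving from the
    VPN zone (here a constructed, never-negotiated ACK) creates a session on its own."""
    fw = Firewall("NS1", syn_check)
    return fw.inspect(Flow("10.2.0.99", "10.1.0.10", 12345, 22), syn=False)


if __name__ == "__main__":
    flow = find_asymmetric_flow()
    for check in (True, False):
        fwd, ret, ok = handshake(flow, syn_check=check)
        print(f"syn_check={check}: SYN via {fwd}, SYN-ACK via {ret}, accepted={ok}")
    print("stray ACK accepted with syn_check off:", stray_ack_creates_session(False))
```

Run it and the first line shows a SYN-ACK dropped by a box that never saw the SYN; the second shows the same handshake succeeding once SYN checking is off, and the last line shows why that is not free: the firewall now builds sessions from any packet the VPN zone hands it, so the first-packet check that rejected spoofed or replayed mid-stream segments is gone. The model is an assumption about ECMP behaviour, not a statement about how ScreenOS hashes.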

