VPN Suggestions

  • I am embarking on a moderate VPN project where the customer uses Juniper SSG series firewalls excluesivley. The client has a production site with 2 ISPs and a DR site with 2 ISPs. They also have various satellite sites with single ISP connections. I have mapped out a complete route based VPN solution using multiple Tunnels on each satellite site that route to each site and monotior the the secondary VPNs to each site using monitoring. While I have done this without issues in the past, I was wandering if anyone had any better solutions they may recommend vs a ton of routes and tunnel interfaces to maintain.

  • Yes they are. (Or at least will be).
    The primary site has a Metro E and a Cable connection. (DR site has the same). The metro connections are used for data replication and and the cable on each site are used for everything else. The Metros also provide local faiover for regular traffic and vice versa. We have a series of Source routes that push only replication traffic across the metro by default. Each Hub Location will have a primary and secondary VPN to each connection at both sites. So failover should be as follows.

    Hub Site to Primary site VPN 1 via Cable
    Hub Site to Primary Site VPN 2 via Metro
    Hub Site to DR VPN 1 via Cable
    Hub Site to DR VPN 2 via Cable

    There are currently Point to Point T1s at each Hub which will introduce a third layer of complexity until they go away next year.

    I guess the real issues is ensuring that the replication traffic always uses the metro E and that all other traffic Always uses the Cables unless of course there is a link failure or site failure. I would assume that I could setup Dynamic Routing and use my existing source routes which would have precedence??

  • Engineer

    It does in fact function. Are your failover concerns vpn-specific? issues of control are more commonly-encountered when contrasting commonly-deployed IGPs & EGPs.

  • Thanks for the response. As a Juniper partner I have had access to this for years and have failed to try it. I am going to install it today. I am sure our customer would be interested in buying it as well. Thanks for the advice.
    P.S. Has anyone used any dynamic routing across VPNs. I see that some documentations suggests it, but I am afraid of loosing the control I need for a very specific failover scenarios.

  • NSM (specifically, its VPN Manager) is perfect for this scenario.  It eases the administration of many VPN tunnels and can give you a snapshot of the status of all tunnels.