NOTE: The monitor feature sends packets to the track server based on the interval specified. NOTE: In case you are new to the track feature, here is a link to an article from the J-Net community explaining what the configurable options are when using the track feature: Add 2-3 public IP addresses to test network connectivity. On the primary interface, choose the monitor link, and then click the ADD link. To configure automatic failover to the backup VPN connection, we will use the tracking feature of the SSG. In this example I am sending all traffic 0.0.0.0 to tunnel.2 with a higher preference then the primary tunnel.1. NOTE: In my environment I am using the network for the primary tunnel and the network for the backup tunnel.Ĭreate a backup route for traffic over the VPN tunnel. Select Fixed IP and enter in a tunnel network IP for the remote office firewall. Predefined: Choose the gateway created in step 3.Ī backup tunnel is needed on both the central office and remote office firewall to carry traffic over the backup VPN. VPN Name: You can use any name you want, for me I chose the same name as the existing VPN name with an ISP2 attached to the end. Step 4: Navigate to VPNs and click “AutoKey IKE”. This setting will also need to be the same at the central office and remote office firewalls.
You can choose this as well or whatever you prefer. NOTE: For security level I chose pre-g2-aes128-sha. NOTE: This key should be the same on the central office and remote office firewalls. NOTE: If the central office firewall has only one ISP, this IP can be the same as the primary gateway to the central office. Static IP Address: IP address of the central office firewall’s backup line. Gateway Name: Any name you want, I chose to use my central office firewall’s name and an ISP2 designation.
#Ssg vpn monitor how to#
NOTE: If you are not familiar with configuring IKE VPNs on Juniper devices, here is a good link from Juniper’s on-line help explaining how to set one up: Logon to the web interface and navigate to VPN, AutoKey Advanced and click “gateway”. The following steps assume you already have a working VPN tunnel between your central office and remote office firewalls. Here are the steps I performed on the remote office’s firewall. This solution also includes failback, when the primary ISP senses a connection reestablishment, the VPN tunnel moves back to the primary ISP. In the event the primary Internet connection senses a loss in connectivity, the VPN from the remote office will switch to the backup ISP and reestablish a VPN connection to the central office. We are setting the primary Internet connection to monitor its network connectivity with regards to uptime. In this configuration we are using a T-1 for the primary Internet connection and a cable ISP for the backup connection. My goal was to find a basic and affordable way to achieve an automatic VPN failover in the event the office’s primary ISP went down. For my small sales and services office, advanced backup services don’t make financial sense. The office I work at provides network services to all our locations in the western hemisphere, so advanced backup services like BGP make financial sense. I was faced with a challenge to setup a backup VPN connection over Juniper SSG hardware for one of my remote sales and service offices. How can you prepare for failover? Backup Internet and VPN connections can be constructed in different ways, some very basic and some very elaborate. If a primary Internet connection travels over a fiber optic line, a cable company or copper phone company’s network could be used as a backup line. To try and achieve 100% up time, businesses can acquire Internet services over different mediums. Today, not only are Internet connections much more reliable, there are more mediums for signals to travel over. Lost revenue adds up quickly when business slows down or comes to a halt.
Some business transactions can’t execute without a connection to another office or the outside world. One could make the argument that we really don’t need either to survive, although, I am sure most of us think we do.įor businesses, Internet access has become an essential part of their daily operations. Internet access has become so important to us in our daily lives you could almost draw a parallel between it and electricity. Think about how many pieces along this giant network could go wrong, but hardly ever do. For a minute, think about how often you use Internet services in your daily life. Today most Internet connections are very reliable. JUNIPER SSG VPN BACKUP: PRIMARY ISP NOT SO GOOD?
0 kommentar(er)
