{"id":269,"date":"2017-08-13T17:22:15","date_gmt":"2017-08-13T21:22:15","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=269"},"modified":"2017-08-13T17:22:15","modified_gmt":"2017-08-13T21:22:15","slug":"screenos-redundant-internet-connections-on-a-policy-vpn","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-redundant-internet-connections-on-a-policy-vpn\/","title":{"rendered":"ScreenOS \u2013 Redundant Internet Connections on a Policy VPN"},"content":{"rendered":"

Product<\/strong>: ScreenOS
\nVersion<\/strong>: 6.0 and higher<\/p>\n

Network Topology<\/h2>\n

\"\"<\/a><\/p>\n

Two sites connected by VPN with one site having two internet access connections. They connect using policy based VPN.<\/p>\n

Description:<\/h2>\n

This configuration has a redundant internet link on one side of a policy based vpn connection.\u00a0 The creation of two gateways and a group allows for failover between the two links and setting one as the priority link.<\/p>\n

    \n
  1. Create a VPN Group<\/li>\n
  2. Configure two gateways, one for each outbound interface<\/li>\n
  3. Configure an AutoKey IKE for each of the gateways and select the VPN group designating the primary connection with the higher priority number.<\/li>\n
  4. Configure the Policy using the VPN tunnel option and associate this with the VPN group<\/li>\n<\/ol>\n

    Configuration:<\/h2>\n

    1. Create VPN Group: <\/strong><\/p>\n

    This allows the two circuits connections to be treated as a single device to the VPN tunnel policy.<\/p>\n

    CLI
    \nset vpn-group id 1<\/p>\n

    Web
    \nVPNs \u2013 AutoKey Advanced \u2013 VPN Groups
    \nNew<\/p>\n

    2. Configure two Gateways<\/strong><\/p>\n

    Create a gateway for each of the two outbound interfaces<\/p>\n

    CLI
    \nset ike gateway Primary-GW address 2.2.2.2 Main outgoing-interface “ethernet0\/0” preshare Juniper== sec-level standard
    \nset ike gateway Backup-GW address 2.2.2.2 Main outgoing-interface “ethernet0\/1” preshare Juniper== sec-level standard<\/p>\n

    Web
    \nVPNs \u2013 AutoKey Advanced \u2013 Gateway
    \nNew and select the correct interface for each on the advanced page<\/p>\n

    3. Configure AutoKey IKE<\/strong><\/p>\n

    Create IPSEC object on each gateway and place into group<\/p>\n

    CLI
    \nset vpn RemotePrimary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard
    \nset vpn-group id 1 vpn RemotePrimary weight 10
    \nset vpn RemoteSecondary gateway Primary-GW no-replay tunnel idletime 0 sec-level standard
    \nset vpn-group id 1 vpn RemoteSecondary weight 1<\/p>\n

    Web
    \nVPNs \u2013 AutoKey IKE
    \nNew select the correct gateway on the opening page
    \nselect the group on the advanced tab and set priority (higher is Primary)<\/p>\n

    4. Configure Policy Tunnel<\/strong><\/p>\n

    The tunnel will associate with the group and can use either circuit connection but will prefer the higher priority one first.<\/p>\n

    CLI
    \nset address Trust LocalLAN 10.0.1.0 255.255.255.0
    \nset address Untrust RemoteLAN 10.0.2.0 255.255.255.0
    \nset policy name RemoteVPN from Untrust to Trust LocalLAN ClinicLAN ANY tunnel vpn-group 1
    \nset policy name RemoteVPN from Trust to Untrust LocalLAN RemoteLAN ANY tunnel vpn-group 1<\/p>\n

    Web
    \nPolicies \u2013 Policy Objects \u2013 Addresses \u2013 List
    \nCreate Remote LAN address in Untrust zone
    \nCreate Local LAN address in trust zone
    \nPolicies \u2013 Policy
    \nCreate trust to untrust policy and check the box to create a matching policy
    \nSelect tunnel and select the VPN group<\/p>\n

    Verification:<\/h2>\n

    Confirm SA is up<\/p>\n

    CLI
    \nget sa
    \nWeb
    \nVPNs \u2013 Monitor Status<\/p>\n

    Disconnect the primary ethernet cable and confirm the failover occurs<\/p>\n

    References:<\/h2>\n

    ScreenOS Concepts and Examples Guide<\/strong>
    \n    http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n

    Route based VPN tunnels<\/h3>\n

    Concepts & Examples Guide
    \nVolume 5 Virtual Private Networks
    \nChapter 3 VPN Guidelines
    \nChapter 4 VPN: Sit-to-site VPN Configurations<\/p>\n

    Originally Posted June 04, 2011
    \nLast Revised on June 04, 2011     <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    Product: ScreenOS Version: 6.0 and higher Network Topology Two sites connected by VPN with one site having two internet access connections. They connect using policy based VPN. Description: This configuration has a redundant internet link […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-269","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=269"}],"version-history":[{"count":2,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/269\/revisions"}],"predecessor-version":[{"id":1258,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/269\/revisions\/1258"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=269"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}