{"id":272,"date":"2017-08-13T17:25:10","date_gmt":"2017-08-13T21:25:10","guid":{"rendered":"http:\/\/puluka.com\/home\/?p=272"},"modified":"2017-08-13T17:25:10","modified_gmt":"2017-08-13T21:25:10","slug":"screenos-dual-wan-with-ospf-on-two-sites","status":"publish","type":"post","link":"http:\/\/puluka.com\/home\/networking\/screenos\/screenos-dual-wan-with-ospf-on-two-sites\/","title":{"rendered":"ScreenOS \u2013 Dual WAN with OSPF on Two Sites"},"content":{"rendered":"

Product<\/strong>: ScreenOS
\nVersion<\/strong>: 6.0 and higher<\/p>\n

Network Topology<\/h2>\n

\"\"<\/a>
\nTwo sites that each have redundant internet connections. This establishes two VPN tunnels and uses OSPF to set routing priorities over the tunnels to use the primary line.<\/p>\n

Description:<\/h2>\n

Each site has two internet connections and interfaces that allow route based VPNs to exist at the same time. Using OSPF route priorities the primary line is in use unless this fails. When the first tunnel fails the second will automatically take over. On restoration of the first line route priorities automatically revert to the primary line.<\/p>\n

The process utilizes IPSEC VPN in route mode and OSPF.<\/p>\n

    \n
  1. Create OSPF settings on the trust virtual router<\/li>\n
  2. Assign the interfaces to the OSPF settings needed<\/li>\n
  3. Create the IPSEC VPN gateway and connection<\/li>\n<\/ol>\n

    Zone Layout<\/h3>\n

    untrust interface is ethernet0\/0
    \ntrust interface is bgroup0
    \ntunnel.1 interface is in trust zone<\/p>\n

    This zone layout puts all sites and tunnels into the same security zone.\u00a0 No policies need to be created on any device for full communications across the entire hub and spoke network.\u00a0 This is assuming that intra zone blocking is NOT enabled on any of the firewalls for the trust zone.\u00a0 This is the default behavior for the trust zone. You can change the zone of the tunnel interface to untrust and create policies as needed to allow traffic..<\/p>\n

    Configuration:<\/h2>\n

    1. Create OSPF Settings <\/strong><\/p>\n

    CLI
    \nSet vr trust router-id 10.0.1.1 **Change to match LAN ip address on site B
    \nset vr trust protocol ospf
    \nset vr trust protocol ospf enable
    \nset vr trust protocol ospf area 1 (** Change to area 2 on Site B)<\/p>\n

    Web
    \nNetwork \u2013 Virtual Routers \u2013 Trust-vr (select edit)
    \nSet router id and hit apply
    \nClick on \u201cCreate OSPF instance\u201d
    \nCheck enable OSPF on bottom (not distribute default route) and apply
    \nHit the Area Menu
    \nCreate Area 1 on site A and Area 2 on Site B<\/p>\n

    2. Assign OSPF settings to interfaces<\/strong><\/p>\n

    Setup the bgroup0 LAN interface<\/p>\n

    CLI
    \nset interface bgroup0 protocol ospf area 1 (**Change area 2 on site B)
    \nset interface bgroup0 protocol ospf enable<\/p>\n

    WEB
    \nNetwork \u2013 Interfaces \u2013 List
    \nSelect bgroup0 edit button
    \nSelect OSPF tab
    \nCheck Bind to Area 1 (**Change area 2 on site B)
    \nSelect Enable button
    \nRemove reduce flooding default
    \nApply<\/p>\n

    Create and setup the tunnel interfaces for the VPN<\/p>\n

    CLI
    \nset interface tunnel.1 zone Trust
    \nset interface tunnel.1 ip 10.0.0.2\/30 (** change ip address to 10.0.0.3 for site B)
    \nset interface tunnel.1 protocol ospf area 0.0.0.0
    \nset interface tunnel.1 protocol ospf enable
    \nset interface tunnel.2 zone Trust
    \nset interface tunnel.2 ip 10.0.0.5\/30 (**change ip address to 10.0.0.6 for site B)
    \nset interface tunnel.2 protocol ospf area 0.0.0.0
    \nset interface tunnel.2 protocol ospf enable
    \nset interface tunnel.2 protocol ospf cost 20<\/p>\n

    WEB
    \nCreate tunnel.1 and tunnel.2 with these parameters
    \nNetwork \u2013 Interfaces \u2013 List
    \nNew Tunnel IF in upper right
    \nTrust zone
    \nUnnumbered
    \nbgroup0 interface
    \nOSPF tab
    \nCheck Bind to Area 0
    \nCheck enable
    \nRemove demand circuit and reduce flooding
    \nSet as Point-to-point
    \nOn tunnel.2 raise the cost to 20<\/p>\n

    3. Create IPSEC VPN Gateways and connection <\/strong><\/p>\n

    Gateways to remote site. Create two on each firewall and be sure to change the outgoing interface to the correct one for the primary and backup connections.<\/p>\n

    CLI
    \nFirewall Site A
    \nset ike gateway SiteB1-GW address 2.2.2.2 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard
    \nset ike gateway SiteB2-GW address 4.4.4.4 Main outgoing-interface ethernet0\/1 preshare juniper sec-level standard<\/p>\n

    Firewall Site B
    \nset ike gateway SiteA1-GW address 1.1.1.1 Main outgoing-interface ethernet0\/0 preshare juniper sec-level standard
    \nset ike gateway SiteA2-GW address 3.3.3.3 Main outgoing-interface ethernet0\/1 preshare juniper sec-level standard<\/p>\n

    Firewall Site A<\/p>\n

    WEB
    \nVPNs \u2013 AutoKey Advanced \u2013 Gateway
    \nCreate new gateway
    \nName SiteB1-GW (**Change to SiteB2-GW for secondary)
    \nIP: 2.2.2.2 (**change to 4.4.4.4 for SiteB2-GW)
    \nAdvanced button
    \nPreshared key: juniper
    \nOutgoing interface ethernet0\/0 (Change to ethernet 0\/1 for SiteB2-GW)<\/p>\n

    Firewall Site B
    \nVPNs \u2013 AutoKey Advanced \u2013 Gateway
    \nCreate new gateway
    \nName SiteA1-GW (**Change to SiteA2-GW for secondary)
    \nIP: .1.1.1.1 (**change to 2.2.2.2 for SiteA2-GW)
    \nAdvanced button
    \nPreshared key: juniper
    \nOutgoing interface ethernet0\/0 (Change to ethernet 0\/1 for SiteA2-GW)
    \nCreate AutoKey IKE Objects<\/p>\n

    Firewall Site A<\/p>\n

    CLI
    \nset vpn SiteB1 gateway SiteB1-GW sec-level standard
    \nset vpn SiteB1 bind interface tunnel.1
    \nset vpn SiteB2 gateway SiteB2-GW sec-level standard
    \nset vpn SiteB2 bind interface tunnel.2<\/p>\n

    WEB
    \nVPNs \u2013 AutoKey IKE
    \nCreate New
    \nName SiteB1 (**change to SiteB2 for Secondary)
    \nAssociated gateway SiteB1-GW (**change to SiteB2-GW for Secondary)
    \nAdvanced button
    \nTunnel interface tunnel.1 (**change to tunnel.2 for secondary)<\/p>\n

    Firewall Site B<\/p>\n

    CLI
    \nset vpn SiteA1 gateway SiteA1-GW sec-level standard
    \nset vpn SiteA1 bind interface tunnel.1
    \nset vpn SiteA2 gateway SiteA2-GW sec-level standard
    \nset vpn SiteA2 bind interface tunnel.2<\/p>\n

    WEB
    \nVPNs \u2013 AutoKey IKE
    \nCreate New
    \nName SiteA1 (**change to SiteA2 for Secondary)
    \nAssociated gateway SiteA1-GW (**change to SiteA2-GW for Secondary)
    \nAdvanced button
    \nTunnel interface tunnel.1 (**change to tunnel.2 for secondary)<\/p>\n

    Verification:<\/h2>\n

    From Site B checking routes to Site A<\/strong><\/p>\n

    Testing from Site B
    \nUsing primary Connection
    \nCheck OSPF connection status
    \nVerify that both connections show the neighbor status<\/p>\n

    get vr trust protocol ospf neighbor<\/p>\n

    VR: trust-vr RouterId: 10.0.2.1
    \n———————————-
    \nNeighbor(s) on interface tunnel.2 (Area 0.0.0.0)
    \nIpAddr\/IfIndex RouterId Pri State Opt Up StateChg
    \n——————————————————————————
    \n10.0.0.5 10.0.1.1 1 Full E 00:09:47 (+6 -0)
    \nNeighbor(s) on interface tunnel.1 (Area 0.0.0.0)
    \nIpAddr\/IfIndex RouterId Pri State Opt Up StateChg
    \n——————————————————————————
    \n10.0.0.2 10.0.1.1 1 Full E 00:01:33 (+6 -0)
    \nNeighbor(s) on interface bgroup0 (Area 0.0.0.2)<\/p>\n

    get route protocol ospf<\/p>\n

    IPv4 Dest-Routes for <trust-vr> (15 entries)
    \n————————————————————————————–
    \nID IP-Prefix Interface Gateway P Pref Mtr Vsys
    \n————————————————————————————–
    \n* 41 10.0.1.0\/24 tun.1 10.0.0.2 O 60 11 Root
    \nTotal number of ospf routes: 1<\/p>\n

    During failover<\/strong><\/p>\n

    get route protocol ospf<\/p>\n

    ————————————————————————————–
    \nID IP-Prefix Interface Gateway P Pref Mtr Vsys
    \n————————————————————————————–
    \n* 39 10.0.1.0\/24 tun.2 10.0.0.5 O 60 21 Root
    \nTotal number of ospf routes: 1<\/p>\n

     <\/p>\n

    WEB
    \nNetwork \u2013 Routing – Destination.<\/p>\n

    References:<\/h2>\n

    ScreenOS Concepts and Examples Guide<\/strong>
    \n    http:\/\/www.juniper.net\/techpubs\/software\/screenos\/screenos6.2.0\/index.html<\/a><\/p>\n

    Route based VPN tunnels<\/h3>\n

    Concepts & Examples Guide
    \nVolume 5 Virtual Private Networks
    \nChapter 3 VPN Guidelines
    \nChapter 4 VPN: Sit-to-site VPN Configurations<\/p>\n

    OSPF<\/h3>\n

    Concepts & Examples Guide
    \nVolume 7 Routing
    \nChapter 3<\/p>\n

    Originally Posted June 04, 2011
    \nLast Revised on June 04, 2011<\/p>\n","protected":false},"excerpt":{"rendered":"

    Product: ScreenOS Version: 6.0 and higher Network Topology Two sites that each have redundant internet connections. This establishes two VPN tunnels and uses OSPF to set routing priorities over the tunnels to use the primary […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-272","post","type-post","status-publish","format-standard","hentry","category-screenos"],"_links":{"self":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/comments?post=272"}],"version-history":[{"count":1,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":274,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/posts\/272\/revisions\/274"}],"wp:attachment":[{"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/media?parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/categories?post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/puluka.com\/home\/wp-json\/wp\/v2\/tags?post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}