Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Juniper VPN with one site having 2 internet connections

Posted on 2009-04-09
Medium Priority
Last Modified: 2012-05-06
I am having an issue with my 2 juniper routers that i am attempting to build a vpn between.... it gets interisting in the fact that the Main site has 2 untrust networks. and the current config has worked great up until now... we have a T1 and a DSL connection coming into the main site. email and some other services come into the T1 and general browsing goes out the DSL connection. i have preference and metric set on the destination routes as you will see in the config files. here is the issue i am having, i am trying to build the VPN from the remote site into the T1 however it has a lower metric and preference than the DSL connection. i need to know how to correct what i am almost certain i setup incorrectly in the first place when i put this junipter in place. I want to thank you in advance.
Question by:kn1564
  • 3
  • 2
LVL 18

Expert Comment

ID: 24114655

Ok, from the main config we see the routes as follows:

set route interface ethernet0/0 gateway preference 20
set route interface ethernet0/1 gateway preference 30 metric 2 permanent
set route interface tunnel.1
set route source interface ethernet0/1 gateway preference 20 permanent

To me, this looks like you have 2 default routes configured, with the main route to be used is for and a scindary preferred route of  If I understand you correct, we have the T1 on and DSL on  Is that right?

SO, form what I can see, the top 3 routes are fine (including the route based VPN on the 3rd line).  This leaves the 4th line, the source route which may be causing the issue here.

I take it when you try to establish the VPN, you are trying it from host  Or are there any other hosts for this VPN?

If it is just thta host, then it is unlikely the VN will come up, as the route above, tries to send all traffic from that host out the DSL line, which has a different IP address from the 1.  This iwll result in VPN negotiations hitting the remote firewall from an unknown IP address, namely  This may result in the VPN failing to come up.

To confirm this, try the following:

1.  Clear event logs on each firewall (please back up before you do this
      clear event
2.  In current config, try to set up the VPN, ie send traffic across it
3.  When you think the VPN has failed, on each firewall run the following comand and save the output (perhaps redirect to a TFTP host if you can, saves time)
   get event type 536
4.  Remove the source route from the firewall, ie
   unset route source interface ethernet0/1 gateway
5.  Try again to bring up the vpn and again collect the logs as above on each firewall.

Basically the routes you have here are sending all traffic from out through the DSL interface.

If all you want to send out the DSL interface is HTTP traffic, then policy based routing (PBR) is your freind here.

See the attached guide to assist.  The guide is for Screenos 6.2, but the other version to relate to your particular install are avail on www.juniper.net/techpubs

Author Comment

ID: 24115678
thank you for the responce. is the DSL and i can establish the AutoIKE VPN perfectly is the T1 and the VPN will not pass phase 1.   the Source route on is nothing to worry about it is simply a mail server. if i have in there i am unable to establish a vpn between and which is a site to site AutoIKE
LVL 18

Accepted Solution

deimark earned 2000 total points
ID: 24115822
So, so that I fully understand this: is the T1 interface on main fw is the DSl interface on the main fw is the untrust interface on the remote fw

On main FW, the default route is being sent out the T1 interface, not the DSL

You are trying to bring up a VPN between the remote FW and the DSL interface on the main FW.

Is that right?

If so, run the following commands on the main firewall

get route ip
to see where the packets for your remote firewall are going.  I would suspect that they are going out via the T1, which has a diff IP, and thus the VPN is being dropped.

If the traffic is indeed going out the T1, we need to add a route to send the traffic to the remote FW out through the DSL, ie

set route interface ethernet0/1 gateway

This should then send the traffic to the remote FW out the DSL interface.

As above, the get event type 536 will show us more specific VPN logs

Author Comment

ID: 24117022
you my friend are a hero..... i set the route and it came right up.... YIPPY... ty *Happy Dance*

Author Closing Comment

ID: 31568828
Thsi worked perfrect... very knowledgeable person

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question