Juniper VPN with one site having 2 internet connections
I am having an issue with my 2 juniper routers that i am attempting to build a vpn between.... it gets interisting in the fact that the Main site has 2 untrust networks. and the current config has worked great up until now... we have a T1 and a DSL connection coming into the main site. email and some other services come into the T1 and general browsing goes out the DSL connection. i have preference and metric set on the destination routes as you will see in the config files. here is the issue i am having, i am trying to build the VPN from the remote site into the T1 however it has a lower metric and preference than the DSL connection. i need to know how to correct what i am almost certain i setup incorrectly in the first place when i put this junipter in place. I want to thank you in advance.
Main-Clean.txt
Remote-Clean.txt
Main-Clean.txt
Remote-Clean.txt
ASKER
thank you for the responce. 1.1.1.5 is the DSL and i can establish the AutoIKE VPN perfectly 2.2.2.5 is the T1 and the VPN will not pass phase 1. the Source route on 192.168.10.8 is nothing to worry about it is simply a mail server. if i have 1.1.1.5 in there i am unable to establish a vpn between 2.2.2.1 and 3.3.3.1 which is a site to site AutoIKE
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
you my friend are a hero..... i set the route and it came right up.... YIPPY... ty *Happy Dance*
ASKER
Thsi worked perfrect... very knowledgeable person
Ok, from the main config we see the routes as follows:
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.5 preference 20
set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.5 preference 30 metric 2 permanent
set route 192.168.11.0/24 interface tunnel.1
set route source 192.168.10.8/32 interface ethernet0/1 gateway 2.2.2.4 preference 20 permanent
To me, this looks like you have 2 default routes configured, with the main route to be used is for 1.1.1.5 and a scindary preferred route of 2.2.2.5. If I understand you correct, we have the T1 on 1.1.1.1 and DSL on 2.2.2.2. Is that right?
SO, form what I can see, the top 3 routes are fine (including the route based VPN on the 3rd line). This leaves the 4th line, the source route which may be causing the issue here.
I take it when you try to establish the VPN, you are trying it from host 192.168.10.8/32? Or are there any other hosts for this VPN?
If it is just thta host, then it is unlikely the VN will come up, as the route above, tries to send all traffic from that host out the DSL line, which has a different IP address from the 1. This iwll result in VPN negotiations hitting the remote firewall from an unknown IP address, namely 2.2.2.2. This may result in the VPN failing to come up.
To confirm this, try the following:
1. Clear event logs on each firewall (please back up before you do this
clear event
2. In current config, try to set up the VPN, ie send traffic across it
3. When you think the VPN has failed, on each firewall run the following comand and save the output (perhaps redirect to a TFTP host if you can, saves time)
get event type 536
4. Remove the source route from the firewall, ie
unset route source 192.168.10.8/32 interface ethernet0/1 gateway 2.2.2.4
5. Try again to bring up the vpn and again collect the logs as above on each firewall.
Basically the routes you have here are sending all traffic from 192.168.10.8/32 out through the DSL interface.
If all you want to send out the DSL interface is HTTP traffic, then policy based routing (PBR) is your freind here.
See the attached guide to assist. The guide is for Screenos 6.2, but the other version to relate to your particular install are avail on www.juniper.net/techpubs
routing-info-screenos.pdf