Go Premium for a chance to win a PS4. Enter to Win


Juniper SSG5 multiple vpn tunnels

Posted on 2013-05-21
Medium Priority
Last Modified: 2013-05-22
I have a juniper SSG5 that creates a VPN tunnel to our firewall at our parent location. as a contingency I would like to be able to reach a second location if the current parent location is demolished during a act of nature. we use a crypto key pair to connect the tunnel from SSG5 to firewall. What do you guys suggest is the easiest route to take to setup a dual connection as such?
Question by:AlfonsoPina
  • 2
  • 2
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 2000 total points
ID: 39185575
On the SSG5 you can create multiple VPN tunnels to multiple locations. Or you can use a hub/spoke topology to connect a single VPN tunnel to multiple locations. The juniper will then use Next hop tunnel binding (NHTB) to route traffic through the correct tunnel.

I use this setup to connect about 30 remote sites to 3 VPN tunnels in my office. I have 10 remote sites per VPN just so that I can organize them by region. I could just as easily connect 30 remote sites to 1 VPN tunnel.

Author Comment

ID: 39185611
well, that sounds like a good plan. I would want my juniper to point to my primary at all costs and then only if my primary location is wiped, connect to my backup (there is a significant reason for this.) I'll look at what you just said and try it.
LVL 18

Accepted Solution

Sanga Collins earned 2000 total points
ID: 39185671
That can be accomplished as well. At remote sites where I have primary & secondary ISP, what I do is take advantage of route metrics. This is basically creating 2 identical routes with different metric value. (the higher the metric, the lower the priority)

When route 1 becomes inactive due to VPN tunnel.1 going down. Route 2 with the higher metric then takes its place forcing traffic though VPN tunnel.2

When VPN tunnel.1 comes back online. Its route is reactivated. Since it has a lower metric route2 then becomes inactive.

Author Closing Comment

ID: 39189275
Ok, I have passed this data along to our firewall team. I think we are going to rock on!

Featured Post

Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question