Juniper SSG5 multiple vpn tunnels

Posted on 2013-05-21
Last Modified: 2013-05-22
I have a Juniper SSG5 that creates a VPN tunnel to our firewall at our parent location. As a contingency I would like to be able to reach a second location if the current parent location is demolished during an act of nature. We use a crypto key pair to connect the tunnel from the SSG5 to the firewall. What do you guys suggest is the easiest route to take to set up a dual connection as such?
Question by:AlfonsoPina
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 500 total points
ID: 39185575
On the SSG5 you can create multiple VPN tunnels to multiple locations. Or you can use a hub/spoke topology to connect a single VPN tunnel to multiple locations. The Juniper will then use Next Hop Tunnel Binding (NHTB) to route traffic through the correct tunnel.

I use this setup to connect about 30 remote sites to 3 VPN tunnels in my office. I have 10 remote sites per VPN just so that I can organize them by region. I could just as easily connect 30 remote sites to 1 VPN tunnel.

Author Comment

ID: 39185611
Well, that sounds like a good plan. I would want my Juniper to point to my primary at all costs and then only if my primary location is wiped, connect to my backup (there is a significant reason for this). I'll look at what you just said and try it.
LVL 18

Accepted Solution

Sanga Collins earned 500 total points
ID: 39185671
That can be accomplished as well. At remote sites where I have a primary & secondary ISP, what I do is take advantage of route metrics. This is basically creating 2 identical routes with different metric values (the higher the metric, the lower the priority).

When route 1 becomes inactive due to VPN tunnel.1 going down, route 2 with the higher metric then takes its place, forcing traffic through VPN tunnel.2.

When VPN tunnel.1 comes back online, its route is reactivated. Since it has a lower metric, route 2 then becomes inactive.
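The failover behaviour described in the accepted solution, modelled as an added Python example (this is not ScreenOS configuration and not code from anyone in the thread). It builds a small static routing table with two identical routes to the remote prefix, one via tunnel.1 with the lower metric and one via tunnel.2 with the higher metric, withdraws a route when its tunnel interface is down, and selects by longest prefix then lowest metric. The interface names, the 10.20.0.0/16 prefix, the host addresses and the metric values are all assumptions chosen for the example. It also goes one step beyond the answer by adding a catch-all null route for the private prefix, so that if both tunnels are down the traffic is dropped rather than following the default route out to the ISP in the clear.

```python
# Added model of metric-based VPN failover (illustration only; not Juniper
# ScreenOS code). Interface names, prefixes, hosts and metrics are assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    metric: int  # lower metric = higher priority, as described in the answer


@dataclass
class RoutingTable:
    routes: List[Route] = field(default_factory=list)
    interface_up: Dict[str, bool] = field(default_factory=dict)

    def add_route(self, prefix: str, interface: str, metric: int) -> None:
        self.routes.append(Route(IPv4Network(prefix), interface, metric))
        self.interface_up.setdefault(interface, True)

    def set_interface(self, interface: str, up: bool) -> None:
        # A route whose egress interface is down is withdrawn from selection;
        # this models the tunnel interface going down when the VPN fails.
        self.interface_up[interface] = up

    def active_routes(self) -> List[Route]:
        return [r for r in self.routes if self.interface_up.get(r.interface, False)]

    def lookup(self, destination: str) -> Optional[Route]:
        dst = IPv4Address(destination)
        candidates = [r for r in self.active_routes() if dst in r.prefix]
        if not candidates:
            return None
        # Longest prefix wins first; among equal prefixes the lowest metric wins.
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def build_table() -> RoutingTable:
    """Two identical routes to the remote site with different metrics, plus a
    default route to the ISP and a null route that catches the private prefix
    when both tunnels are down (the null route is this example's addition)."""
    table = RoutingTable()
    table.add_route("0.0.0.0/0", "ethernet0/0", 1)     # default route to the ISP
    table.add_route("10.20.0.0/16", "tunnel.1", 10)    # primary site, preferred
    table.add_route("10.20.0.0/16", "tunnel.2", 20)    # backup site, same prefix
    table.add_route("10.20.0.0/16", "null", 100)       # drop rather than leak
    return table


def failover_sequence() -> List[Optional[str]]:
    """Egress interface chosen for a remote-site host as tunnel.1 goes down,
    comes back, and finally both tunnels fail."""
    table = build_table()
    host = "10.20.5.7"  # constructed address inside the remote prefix
    chosen: List[Optional[str]] = []

    def pick() -> None:
        route = table.lookup(host)
        chosen.append(route.interface if route else None)

    pick()                                   # both up            -> tunnel.1
    table.set_interface("tunnel.1", False)   # primary VPN down
    pick()                                   #                    -> tunnel.2
    table.set_interface("tunnel.1", True)    # primary back online
    pick()                                   # lower metric wins  -> tunnel.1
    table.set_interface("tunnel.2", False)
    table.set_interface("tunnel.1", False)   # both tunnels down
    pick()                                   # caught by null     -> null
    return chosen


def internet_egress() -> Optional[str]:
    """A public destination (TEST-NET-3 address) still follows the default route."""
    route = build_table().lookup("203.0.113.5")
    return route.interface if route else None


if __name__ == "__main__":
    steps = ["both up", "tunnel.1 down", "tunnel.1 restored", "both down"]
    for step, iface in zip(steps, failover_sequence()):
        print(f"{step:18s} -> {iface}")
    print(f"{'internet':18s} -> {internet_egress()}")
```

The null route is the caveat worth carrying into a real deployment: with only the two tunnel routes and a default route, a total VPN outage would send packets for the private prefix out the ISP interface unencrypted until the tunnels recover. On the real device the equivalent is a higher-metric route for the same prefix that discards traffic; check the ScreenOS documentation for the exact syntax rather than trusting this model.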

Author Closing Comment

ID: 39189275
Ok, I have passed this data along to our firewall team. I think we are going to rock on!
