Routing & Return Traffic logic to avoid Asynchronous routing

2 Locations

1 Data-Center (Has Layer 3 switch stack)

1 Customer Site (Uses Juniper firewall with Layer 3 "virtual routers")

Each site has 1 VPN tunnel (terminating between firewalls at the respective sites)
Each site has 1 MPLS router

My client wants to use the VPN tunnel because the circuit terminating the VPN tunnel has much better performance than the MPLS circuit for their applications that require very low latency.

My question is how do we route traffic destined for the Data center via the IPsec VPN tunnel and ensure it arrives back over the IPsec VPN circuit, and not have the return traffic come back over the MPLS instead.

What would be the simplest/cleanest method, considering the same networks may be reachable from either the IPsec VPN or the MPLS network? (We want to keep both networks so we don't have general traffic clogging up the faster IPsec tunnel.)

I was thinking that the Layer 3 logic at the customer site could point traffic destined for the specific network over the IPsec VPN tunnel with a more specific route. What I need to figure out is how I can make sure traffic returns over the same hops rather than being routed out of the Data-center MPLS network. I assume a static route is preferred, but once the customer-sourced traffic hits the Data center subnet over the IPsec VPN tunnel, where the desired servers/services live, where must the logic live in the destination subnet to return it back to the firewall?


Assuming that this traffic goes through the Junipers on both sides, you'd only need to set up a policy route on each side.

If the traffic does not (i.e. the routes on the machines are set up so the firewall is not hit), you'd need to set up the same kind of policy routes on the machines or on one of the routers along the way.

If policy routes cannot be set (i.e. you'd need them on the machines and they likely do not support them), you probably can set up a whole set of IPs directly on the machines and route the corresponding traffic using regular routes over the VPN. That produces a situation in which 10/8, for example, is your current network, and 192.168/16 is an extra network that is routed over the VPN.


A first side note would be that it is a little weird to expect good latency from a VPN.


If you are using Unices, you may also consider the reply-to feature built into many of them, which allows the host to use the original router for reply packets. This is trivial in BSDs and Solaris using pf or ipf and the reply-to keyword, and more complex but feasible in Linux. This solves efficiently the problems related to asynchronous routing in all situations.
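To make the asker's forward-path/return-path problem and the policy-route answer concrete, here is an added simulation (not code from the original thread or from any vendor): a minimal longest-prefix-match router with optional source-matched policy routes, modelling the customer-site firewall and the Data-center Layer 3 switch. All prefixes (10.20.0.0/16 for the customer site, 10.10.0.0/16 for the Data-center, 10.10.50.0/24 for the low-latency servers) and the path labels "vpn"/"mpls" are constructed for the example. It shows that a more specific route on the customer side alone yields an asymmetric path, and that a policy route on the Data-center side (the router-based equivalent of the host-level reply-to trick) restores symmetry while leaving general traffic on the MPLS.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry; a non-empty `src` makes it a policy route."""
    prefix: str               # destination network, e.g. "10.10.50.0/24"
    path: str                 # circuit the next hop sits on: "vpn" or "mpls"
    src: Optional[str] = None  # only match packets sourced from this network


class Router:
    """Toy Layer 3 device: policy routes beat plain routes, then longest prefix wins."""

    def __init__(self, name: str, routes: List[Route]):
        self.name = name
        self.routes = routes

    def lookup(self, src_ip: str, dst_ip: str) -> Optional[str]:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        best: Optional[Route] = None
        best_key: Optional[Tuple[bool, int]] = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if dst not in net:
                continue
            if r.src is not None and src not in ipaddress.ip_network(r.src):
                continue
            # Key order: policy-matched first, then more specific prefix.
            key = (r.src is not None, net.prefixlen)
            if best_key is None or key > best_key:
                best, best_key = r, key
        return best.path if best else None


def check_symmetry(site: Router, dc: Router, client_ip: str, server_ip: str):
    """Return (forward path, return path, symmetric?) for one client/server pair."""
    forward = site.lookup(client_ip, server_ip)
    back = dc.lookup(server_ip, client_ip)
    return forward, back, forward == back


# Constructed topology (hypothetical addresses, not from the original post).
CUSTOMER_SITE = Router("customer-site-fw", [
    Route("10.10.0.0/16", "mpls"),   # general Data-center traffic stays on MPLS
    Route("10.10.50.0/24", "vpn"),   # more specific: low-latency servers via the VPN
])

# Data-center switch before the fix: it only knows the customer site via MPLS,
# so replies from the low-latency servers go back the "wrong" way.
DC_BEFORE = Router("dc-l3-switch-before", [
    Route("10.20.0.0/16", "mpls"),
])

# After the fix: a policy route sends traffic *sourced from* the low-latency
# subnet towards the firewall/VPN; everything else still uses MPLS.
DC_AFTER = Router("dc-l3-switch-after", [
    Route("10.20.0.0/16", "mpls"),
    Route("10.20.0.0/16", "vpn", src="10.10.50.0/24"),
])


if __name__ == "__main__":
    for label, dc in (("before", DC_BEFORE), ("after", DC_AFTER)):
        print(label, "low-latency:", check_symmetry(CUSTOMER_SITE, dc, "10.20.1.10", "10.10.50.5"))
        print(label, "general:    ", check_symmetry(CUSTOMER_SITE, dc, "10.20.1.10", "10.10.1.5"))
```

The policy route in `DC_AFTER` is the piece the asker was missing: on a Layer 3 switch stack this is whatever the platform calls source-based or policy-based routing, on a pf/ipf host it is the `reply-to` keyword from the answer, and on Linux it is an `ip rule` matching the server subnet as source pointing at a table whose default route is the firewall. If firewalls on either side track connection state, an asymmetric pair like the "before" case also risks the return packets being dropped as out-of-state, which is a useful symptom to watch for when verifying the change.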
