
Routing & Return Traffic logic to avoid Asynchronous routing

2 Locations

1 Data-Center (Has Layer 3 switch stack)

1 Custom Site (Uses Juniper firewall with Layer 3 "virtual routers")

Each site has 1 VPN tunnel (terminating between firewalls at the respective sites)
Each site has 1 x MPLS router on site

My client wants to use the VPN tunnel because the circuit terminating the VPN tunnel has much better performance than the MPLS circuit for their applications that require very low latency.

My question is how do we route traffic destined for the Data center via the IPsec VPN tunnel and ensure it arrives back over the IPsec VPN circuit and not return traffic over the MPLS instead.

What would be the simplest/cleanest method, considering the same networks may be reachable from either the IPsec VPN or the MPLS network (we want to keep both networks so we don't have general traffic clogging up the faster IPsec tunnel)?

I was thinking that the Layer 3 logic at the customer site could point traffic destined for the specific network over the IPsec VPN tunnel with a more specific route. What I need to figure out is how I can make sure traffic returns over the same hops rather than being routed out of the Data-center MPLS network. I assume a static route is preferred, but once the customer-sourced traffic hits the Data center subnet over the IPsec VPN tunnel, where the desired servers/services live, where must the logic live in the destination subnet to return it back to the firewall?

1 Solution
Assuming that this traffic goes through the Junipers on both sides, you'd only need to set up a policy route on each side.

If the traffic does not (i.e. the routes on the machines are set up so the firewall is not hit), you'd need to set up the same kind of policy routes on the machines or on one of the routers along the way.

If policy routes cannot be set (i.e. you'd need them on the machines and they likely do not support them), you probably can set up a whole set of IPs directly on the machines and route the corresponding traffic using regular routes over the VPN. Produce a situation in which 10/8, for example, is your current network, and 192.168/16 is an extra network that is routed over the VPN.


A first side note would be that it is a little weird to expect good latency from a VPN.


If you are using Unices, you may also consider the reply-to feature built in to many of them, which allows the host to use the original router for reply packets. This is trivial in BSDs and Solaris using pf or ipf and the reply-to keyword, and more complex but feasible in Linux. This solves efficiently the problems related to asynchronous routing in all situations.
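To make the asymmetry in the question and the two fixes in the answer concrete, here is a small added example (not code from the question, the answer, or any Juniper/pf configuration) that models longest-prefix-match forwarding at both sites. The customer side has a more-specific route to the application subnet over the VPN; the data-center side only has a default via MPLS, so replies leave over MPLS. The example then shows a policy route at the data-center edge (the answer's first option) and an ingress-based reply-to rule (the answer's last option) restoring symmetry. All prefixes (10.10/16, 10.20/16, 10.20.5/24) and the hop names `vpn`, `mpls`, `local` are constructed for illustration; the answer's "extra network" option simply reduces to plain routes on both sides in this model.

```python
# Added example (not from the question or the answer): a model of
# longest-prefix-match forwarding at the customer and data-center sites,
# showing why a more-specific VPN route on one side alone yields asymmetric
# return traffic, and how a policy route or a reply-to rule at the
# data-center edge fixes it. All addresses and hop names are constructed.
import ipaddress

# Constructed addressing: customer LAN 10.10.0.0/16, data-center LAN
# 10.20.0.0/16, low-latency application servers in 10.20.5.0/24.
ROUTES = {
    "customer": [
        ("10.10.0.0/16", "local"),
        ("10.20.5.0/24", "vpn"),   # more-specific route: app subnet via IPsec
        ("0.0.0.0/0", "mpls"),     # everything else, incl. 10.20/16, via MPLS
    ],
    "datacenter": [
        ("10.20.0.0/16", "local"),
        ("0.0.0.0/0", "mpls"),     # the DC side only knows a default via MPLS
    ],
}


def lookup(table, dst):
    """Plain destination routing: the longest matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def route(site, src, dst, policies=None):
    """Next hop for a packet src->dst leaving `site`.

    `policies` maps a site to a list of (src_prefix, dst_prefix, hop) policy
    routes, evaluated before the routing table, like a PBR rule on a
    firewall or an `ip rule` entry on Linux."""
    for p_src, p_dst, hop in (policies or {}).get(site, []):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(p_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(p_dst)):
            return hop
    return lookup(ROUTES[site], dst)


def flow_path(src, dst, policies=None, reply_to=None):
    """(forward_hop, return_hop) for a customer host `src` talking to a
    data-center host `dst`.

    `reply_to` maps a site to {ingress_hop: egress_hop}: replies to a flow
    that arrived over ingress_hop go back over egress_hop regardless of the
    routing table, which is what pf/ipf reply-to does (on Linux the same
    effect needs a conntrack mark plus an `ip rule fwmark` table)."""
    forward = route("customer", src, dst, policies)
    ingress_rules = (reply_to or {}).get("datacenter", {})
    if forward in ingress_rules:
        back = ingress_rules[forward]
    else:
        # The reply is a dst->src packet as seen at the data-center edge.
        back = route("datacenter", dst, src, policies)
    return forward, back


def is_symmetric(src, dst, policies=None, reply_to=None):
    forward, back = flow_path(src, dst, policies, reply_to)
    return forward == back


# Fix 1 (policy route on the DC side): traffic from the app servers back to
# the customer LAN is forced over the VPN; other DC traffic stays on MPLS.
DC_POLICY = {"datacenter": [("10.20.5.0/24", "10.10.0.0/16", "vpn")]}
# Fix 2 (reply-to): answer over whatever path the request arrived on.
DC_REPLY_TO = {"datacenter": {"vpn": "vpn"}}

if __name__ == "__main__":
    host, app, general = "10.10.1.5", "10.20.5.10", "10.20.7.10"
    print("app traffic, routes only:    ", flow_path(host, app))
    print("general traffic, routes only:", flow_path(host, general))
    print("app traffic, DC policy route:", flow_path(host, app, DC_POLICY))
    print("app traffic, reply-to:       ", flow_path(host, app, reply_to=DC_REPLY_TO))
```

Running it prints `('vpn', 'mpls')` for application traffic with routes alone (the asymmetric case the question describes), `('mpls', 'mpls')` for general traffic, and `('vpn', 'vpn')` once either the data-center policy route or the reply-to rule is in place. The policy-route fix needs the return decision to be made on a device that sees the source address of the reply (the firewall or a router in the path), which is why the answer says the policy must move to the hosts if they bypass the firewall; the reply-to fix instead keys on the ingress path of the original packet and so works for any destination-based table.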