Re: [j-nsp] VPN over ADSL With 4G Backup
Appreciated your inputs. To make it a bit more clear: we will have a non-RFC1918 IP address at the hub, and the spokes will get a dynamic IP from the provider through ADSL2+. The spokes should have 4G as backup for the ADSL2+. How should the backup link be configured? I assume at the hub st0.x multipoint will be configured. Do you have any suggestions regarding the configuration?

Thx

On Fri, Jun 12, 2015 at 8:15 PM, Hugo Slabbert h...@slabnet.com wrote:
> On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji aji14...@gmail.com wrote:
>
>> Need to connect 250 Outlets by using ADSL Over internet
>
> Static or DHCP at the outlets?
>
>> At the Head end We have public address need to have 4G as backup.
>
> I can't parse this sentence. I get that you have a non-RFC1918 IP at the hub, but by "need to have 4G as backup" do you mean that the hub site has/needs 4G backup, or that the outlets/spokes will have/need 4G connections as backup to their primary ADSL connection?
>
>> Which VPN technologies to be used
>
> We stick with routed IPSEC tunnels (stx.x). Scales better; simpler management of routing policy; and policy VPNs are just too opaque for my liking. That assumes that you have statics at the spokes, though, as doing routed ipsec tunnels with dynamic endpoints is a PITA.
>
>> Please suggest the juniper device model at spokes and HUB.
>
> Probably best to talk to your SE. The suggestions below are just approximations based on some assumptions of your setup, and requisite grains of salt are suggested.
>
> Spokes: SRX100 or 110 for the spokes. I'm assuming since you said ADSL it's e.g. ADSL2+ or similar, so lower speeds (<=15 mbps down) rather than higher rate VDSL2? An SRX100 can handle crypto and stateful firewalling on that throughput without issue, so you don't have to step up to anything bigger like e.g. SRX210 or SRX240 unless you need GigE on the LAN or something. You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need to bring your own modem rather than the ADSL provider putting one in.
>
> Hub: Question of scale, really. Size for throughput and site count and throw in your oversubscription ratio of choice, then go from there. E.g. if you're doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak of ~3.7 Gbps. That said, I have my doubts about all of your sites simultaneously pinning their download, hence factoring in an oversub ratio. At-a-glance SRX range comparo: http://www.juniper.net/us/en/products-services/security/srx-series/compare/
>
> For crypto on the hub site, you could pair that up with an SRX as well. For the throughput you're looking at, something like a larger branch (SRX550/650) would probably be fine. You're still looking at a software router in those, so just be aware that pinning the control plane can hit your forwarding unless you step up to something in the high end / DC SRX range (1400 or higher). Some people do MX's with encryption services PICs [1], which gets you a proper routing platform, but that's obviously a different price point.
>
> If you're doing backup connections of some sort, a fairly clean way to handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel interfaces (st) per site. If you mean 4G at the branch, the two tunnels would have different external-interface settings defined. If the 4G was at the head office (which would be interesting from a bandwidth perspective), there would be two different ike-gateway addresses defined, pointing at the two different H/O IPs. You'd then want to check for liveness across those two tunnels, so run a protocol with appropriate metrics defined for the crypto interfaces.
>
> Beware that if you don't do anything about it on the hub or spokes, asymmetric routing across the two different tunnels could cause you some grief, as the SRX caches ingress/egress interfaces for flows and will by default drop traffic ingressing on a different interface than it expects (e.g. ADSL fails and traffic now comes in over the 4G tunnel). You may need to either disable tcp syn-check and sequence check to deal with that [2][3][4][5], forgo flow processing / stateful firewalling and chuck everything coming in over the tunnels into selective packet mode, or separate routing from the IPSEC termination and use some tunneling to land traffic on a proper, external router.
>
>> Does anyone uses this setup and have success. SRX or J Series suites this requirement?
>
> Yes.
>
>> Thx
>
> No problem.
>
> --
> Hugo
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E): CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
> (also on textsecure redphone)
>
> [1] http://kb.juniper.net/InfoCenter/index?page=contentid=KB19733
> [2] http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
> [3] http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
> [4] http://kb.juniper.net/InfoCenter/index?page
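The spoke-side layout Hugo describes above (two IKE gateways to the same hub address, each bound to a different external-interface and its own st0 unit, a routing protocol with metrics to prefer the ADSL tunnel, and the tcp-session relaxations as the asymmetry escape hatch), written out as Junos set commands. This is an added illustration, not configuration posted in the thread. Everything concrete in it is an assumption: the hub address 192.0.2.1, the st0 addressing, the interface names pp0.0 (ADSL via PPPoE) and ge-0/0/1.0 (LAN port facing a carrier 4G router at 192.168.8.1), the hostnames, the choice of OSPF, and the virtual-router used to force the second gateway's IKE/ESP out of the 4G link. A /30 per tunnel gives a point-to-point picture; with a multipoint st0 on the hub the hub-side subnet is shared and the OSPF interface type becomes p2mp. The hub side is not shown.

```junos
## --- Spoke (SRX100/110). Added example, not from the thread; names/addresses are assumptions.
## Assumed WAN interfaces: pp0.0 = ADSL (PPPoE), ge-0/0/1.0 = port facing the 4G router.
## Assumed hub public address: 192.0.2.1 (documentation range).

## Phase 1. A dynamic spoke address means IKEv1 aggressive mode with a hostname identity;
## the hub matches the peer on that hostname, not on the (unknown) spoke IP.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL mode aggressive
set security ike policy IKE-POL proposals IKE-PROP
set security ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-A-PER-SITE-KEY"

## Two gateways to the SAME hub address; only external-interface and identity differ.
set security ike gateway GW-ADSL ike-policy IKE-POL
set security ike gateway GW-ADSL address 192.0.2.1
set security ike gateway GW-ADSL external-interface pp0.0
set security ike gateway GW-ADSL local-identity hostname spoke001-adsl.example.net
set security ike gateway GW-ADSL dead-peer-detection interval 10
set security ike gateway GW-ADSL dead-peer-detection threshold 3
set security ike gateway GW-4G ike-policy IKE-POL
set security ike gateway GW-4G address 192.0.2.1
set security ike gateway GW-4G external-interface ge-0/0/1.0
set security ike gateway GW-4G local-identity hostname spoke001-4g.example.net
set security ike gateway GW-4G dead-peer-detection interval 10
set security ike gateway GW-4G dead-peer-detection threshold 3

## Phase 2. One route-based VPN per gateway, each bound to its own st0 unit.
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-PROP
set security ipsec vpn VPN-ADSL bind-interface st0.0
set security ipsec vpn VPN-ADSL ike gateway GW-ADSL
set security ipsec vpn VPN-ADSL ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-ADSL establish-tunnels immediately
set security ipsec vpn VPN-4G bind-interface st0.1
set security ipsec vpn VPN-4G ike gateway GW-4G
set security ipsec vpn VPN-4G ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-4G establish-tunnels immediately

## Tunnel interfaces (assumed addressing).
set interfaces st0 unit 0 family inet address 10.255.0.2/30
set interfaces st0 unit 1 family inet address 10.255.1.2/30

## Both gateways point at one hub address, so the second one needs its own forwarding
## path or its IKE would follow inet.0's default route out the ADSL link. Assumed here:
## the 4G-facing interface lives in a virtual-router with its own default route, while
## st0.1 stays in inet.0 (check your Junos release supports that split).
set interfaces ge-0/0/1 unit 0 family inet address 192.168.8.2/24
set routing-instances 4G-VR instance-type virtual-router
set routing-instances 4G-VR interface ge-0/0/1.0
set routing-instances 4G-VR routing-options static route 0.0.0.0/0 next-hop 192.168.8.1

## Zones: IKE must be allowed inbound on both WAN interfaces; OSPF on the tunnel zone.
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces st0.1 host-inbound-traffic protocols ospf

## Liveness and preference: the same protocol on both tunnels, worse metric on 4G.
## DPD tears down the dead ADSL tunnel, the st0.0 adjacency drops, routes move to st0.1;
## when ADSL returns the better metric pulls traffic back.
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2p metric 10
set protocols ospf area 0.0.0.0 interface st0.1 interface-type p2p metric 100

## Asymmetry escape hatch from the thread: a session that fails over mid-flow can arrive on
## the "wrong" st0 unit. Relaxing the TCP checks keeps it alive, at the cost of weaker
## stateful inspection; fix routing symmetry first and reach for this only if you must.
set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
```

The pre-shared key is deliberately a placeholder; with 250 spokes identifying by hostname, give each site its own key on the hub's dynamic gateway rather than one shared secret, so a compromised spoke cannot impersonate another. Confirm the layout with `show security ike security-associations`, `show security ipsec security-associations` (one SA per st0 unit) and `show ospf neighbor` (two adjacencies, st0.0 preferred in `show route`).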
[j-nsp] VPN over ADSL
Hi folks, need to connect 250 outlets by using ADSL over the internet. At the head end we have a public address and need to have 4G as backup. Which VPN technologies should be used? Please suggest the Juniper device model at spokes and hub. Does anyone use this setup with success? Does SRX or J Series suit this requirement? Thx

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] VPN over ADSL With 4G Backup
Need to connect 250 outlets by using ADSL over the internet. At the head end we have a public address and need to have 4G as backup. Which VPN technologies should be used? Please suggest the Juniper device model at spokes and hub. Does anyone use this setup with success? Does SRX or J Series suit this requirement? Thx
[j-nsp] Junos Space Spotlight Connector VM
Junos Spotlight connector is supported on ESXi and ESX platforms only. What is the option for a customer environment with Microsoft Hyper-V as the virtualization platform? Are there any other free virtual platforms that support Spotlight connector, or can I install this on a physical machine? Unfortunately many of our customers have Hyper-V as their virtual platform, and we are unable to propose the Anti Malware Protection on SRX platforms as it requires Spotlight Secure Connector. Other vendors have gone way ahead on this. Also, even if we buy the Junos Space Appliance (which is costly), we still need the VM for Spotlight Connector, which is not a good idea in my opinion.

Thanks
Aji
[j-nsp] User Role Firewall in SRX
Does the Juniper SRX with the latest version 12.1X47 support user firewall roles without using MAG? I wasn't able to see that in the release notes or in the feature explorer. Thank you all.
[j-nsp] EX-SFP-10GE-USR : Transceiver can be used with OM4 Cabling ?
Hi Team, can we use the EX-SFP-10GE-USR transceivers with OM4 cabling? It works out quite cheap as compared to EX-SFP-10GE-SR, and in my case the distance is below 100 meters. I am trying to propose this with EX4450 switches.

Thanks in advance
ANC
Re: [j-nsp] Srx 240 ipsec site to site
Yes, the issue is dyn-dns support. Does anyone have working scripts and procedures for getting this to work?

On Mon, May 13, 2013 at 10:22 AM, Nick Kritsky nick.krit...@gmail.com wrote:
> I guess you can achieve this functionality using event-scripts.
>
> Nick
>
> On Mon, May 13, 2013 at 10:30 AM, Klaus Groeger kla...@gmail.com wrote:
>> Hi, you may not resolve the issue with auto vpn, because the main problem is: both sites are assigned their IPs dynamically, via dhcp or whatever. If both sites do not know the peer's IP address, they cannot establish a tunnel. In ScreenOS, one has the option to use a hostname instead of an IP address; the system makes a name lookup and connects to the resolved address. This isn't possible with SRX, because the hostname is resolved during configuration and the IP address will be nailed down in the config. Even if you use aggressive mode, one site has to have a fixed IP address!
>>
>> Regards
>> Klaus
>>
>> -- Sent from Mailbox for iPhone
>>
>> On So., Mai 12, 2013 at 20:58, Misha Gzirishvili misha.gzirishv...@gmail.com wrote:
>>> Hi Aji, take a look at AutoVPN. Some links about it:
[j-nsp] SRX 240 Site to Site Vpn Question
I have a small customer requiring a VPN between two of their sites. One site is so remote that we have only a 3G internet connection available; the other site, which is considered the main site, has internet over an ADSL link. In essence both sides are getting a dynamic IP address. Can I have a site-to-site VPN in this situation? Does SRX support a dyndns feature? Can I use it for establishing a site-to-site VPN? If not, what is the other option to suggest to the customer?

Regards,
Aji N C
[j-nsp] Srx 240 ipsec site to site
Dear Group, I have a small customer requiring a VPN between two of their sites. One site is so remote that we have only a 3G internet connection available; the other site, which is considered the main site, has internet over an ADSL link. In essence both sides are getting a dynamic IP address. Can I have a site-to-site VPN in this situation? Does SRX support a dyndns feature? Can I use it for establishing a site-to-site VPN? If not, what is the other option to suggest to the customer?
[j-nsp] Not logging the interface status logs
Is there a possibility of stopping interface status logs being sent to the syslog server, like in Cisco "no logging event link-status"? I know we can match strings and send the logs towards the syslog server. Can we match a string and not send the log message that contains the string?

Thanking you,
Regards,
Aji
Re: [j-nsp] Not logging the interface status logs
Thanks for that shot. Is there a way we can do this globally?

Thx,
Aji

On Sun, Dec 23, 2012 at 12:09 PM, Kurt Bales kwba...@kwbales.net wrote:
> If you set no-traps at the IFD level you should be fine.
>
> On Sunday, December 23, 2012, Nc Aji wrote:
>> Is there a possibility of stopping interface status logs being sent to the syslog server, like in Cisco "no logging event link-status"? I know we can match strings and send the logs towards the syslog server. Can we match a string and not send the log message that contains the string?
>>
>> Thanking you,
>> Regards,
>> Aji
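Kurt's per-interface suggestion written out, plus the two ways of taking it "globally" that the question asks for: a configuration group with an interface wildcard, and a negated match on the syslog host so the collector never sees the link messages. This is an added example, not configuration from the thread; the interface name ge-0/0/3 and the collector address 192.0.2.10 are assumptions, and the "!" negation form of `match` should be checked against your release.

```junos
## Added example, not from the thread. Interface name and syslog host are assumptions.

## Per interface (Kurt's suggestion): no-traps on the physical interface (IFD) stops the
## link up/down SNMP trap and with it the SNMP_TRAP_LINK_UP/DOWN syslog messages.
set interfaces ge-0/0/3 no-traps

## Globally: a configuration group with an interface wildcard applies no-traps to every
## interface; a per-interface statement in the main config still overrides the group.
set groups NO-LINK-TRAPS interfaces <*> no-traps
set apply-groups NO-LINK-TRAPS

## Check what the group expands to before committing:
##   show interfaces | display inheritance

## Alternative on the syslog side, filtering instead of suppressing: ship everything of
## severity notice and above to the collector except lines matching the link trap strings.
## match takes a regular expression; the leading "!" negates it (assumed available on your
## release, verify with: help reference system syslog match).
set system syslog host 192.0.2.10 any notice
set system syslog host 192.0.2.10 match "!(.*SNMP_TRAP_LINK_(UP|DOWN).*)"
```

The two approaches are not equivalent from a monitoring standpoint: no-traps silences both the trap and the log, so an NMS polling for link events loses them too, whereas the syslog match only keeps the lines out of the collector and leaves SNMP untouched. Pick the one that matches what the downstream tooling actually needs.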