Re: [j-nsp] VPN over ADSL With 4G Backup

2015-07-03 Thread Hugo Slabbert

Sorry for the long delay in replies.


> We will have a non-RFC1918 IP address at the hub and the spokes will get a
> dynamic IP from the provider through ADSL2+.


I haven't had to deal with dynamic IPs on SRX ipsec tunnel endpoints as 
I've been fortunate that we can maintain enough control of the links to 
require statics.  That said, I *believe* this should just change your IKE 
gateway configs on the hub to reference a dynamic gateway for each customer 
site rather than using a static destination gateway IP, e.g.:


security {
    ike {
        gateway spoke1 {
            ike-policy spoke1-policy;
            dynamic hostname spoke1.example.org;
            external-interface ike-ext-interface;
        }
    }
}

Be sure to use aggressive mode in your IKE policy.


> The spokes should have 4G as backup for the ADSL2+.
>
> How should the backup link be configured?
>
> I assume at the hub st0.x multipoint will be configured.


There are a few different ways to slice it.  Multipoint at the hub is one 
option.  I haven't run a multiple routed IPSEC setup on Junos, so I'm 
extrapolating a bit here and hopefully somebody will tell me I'm being an 
idiot if I veer too far off course.


If you're doing backup links, running a protocol, I would set up 2x 
multipoint VPN interfaces at the hub, banked off of different IPs (could be 
the same external interface with multiple IPs bound; use local-address 
a.b.c.d and local-identity inet a.b.c.d under the IKE gateway 
definitions on the hub to distinguish the two).  Point the primary link 
from the branches to the first multipoint st0.x interface at the hub, and 
the secondary branch links at the second multipoint st0.x interface at the 
hub.  Set your protocol interface metrics/costs so that the second 
multipoint st0.x at the hub has a higher cost.  If you were to use just 
one multipoint st0.x at the hub, the hub would not have a way to 
distinguish route preferences between the primary and secondary links.


In terms of backup paths / failover:
Will you route *all* spoke site traffic through the hub?  Or just 
inter-site traffic, with e.g. regular public internet traffic going out the 
spoke's local provider's gateway?


If the former:
Create static /32 routes for the hub's IKE gateway IPs for the primary and 
secondary st0.x multipoint interfaces there (I'll just call them st0.0
(primary) and st0.1 (secondary) from here on).  The /32 route for st0.0's 
IKE gateway IP should go via your default gateway on the ADSL interface, 
with /32 route for st0.1's IKE gateway IP via the HSPA backup default 
gateway.  Actually, given that we're talking about DHCP on the ADSL, 
consider putting the ADSL and HSPA interfaces in their own discrete 
virtual-router routing-instances so that the 0/0 route picked up from DHCP 
on the ADSL gets installed in that VR, and the static 0/0 route for the 
HSPA can be isolated into its own VR.


Failover between primary and secondary is then handled by whatever 
protocol you run within the st0.x tunnels. 

If the latter (VPN tunnels for inter-site traffic only; public internet 
traffic egress locally at the branches), you'll still want static routes 
config'd on the branches for the 2x different IKE gateway IPs on the hub, 
but now you also need to handle failover locally.  My guess is your best 
bet for that would be RPM to monitor connectivity across your ADSL 
connection and pull that route in case of RPM failure.  I haven't done that 
either on a DHCP setup, so YMMV on the details of that implementation.


Hope that helps; I'd be curious to hear how this turns out.

--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319
1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)


___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
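The hub side of the layout Hugo sketches above (two IKE gateways per spoke told apart by local-address/local-identity, one multipoint st0 unit per path, and a higher routing cost on the backup unit), written out as an added configuration example; it is not from the original thread. Assumed: hub addresses 198.51.100.10 and .11 on ge-0/0/0, overlay subnets 10.255.0.0/24 (primary) and 10.255.1.0/24 (backup), spoke IKE hostnames spoke1-adsl/spoke1-4g.example.org, and OSPF as the protocol inside the tunnels; security zones, host-inbound-traffic for IKE, and per-spoke keys are left out.

```junos
security {
    ike {
        policy spoke-policy {
            mode aggressive;          /* hostname identities from dynamic spoke IPs need aggressive mode */
            proposal-set standard;
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK";   /* placeholder; aggressive mode exposes the PSK hash on the wire, so use long random keys */
        }
        /* Primary (ADSL) tunnels terminate on .10, backup (4G) tunnels on .11, so the hub can tell the paths apart */
        gateway spoke1-adsl {
            ike-policy spoke-policy;
            dynamic hostname spoke1-adsl.example.org;
            local-identity inet 198.51.100.10;
            local-address 198.51.100.10;
            external-interface ge-0/0/0.0;
        }
        gateway spoke1-4g {
            ike-policy spoke-policy;
            dynamic hostname spoke1-4g.example.org;
            local-identity inet 198.51.100.11;
            local-address 198.51.100.11;
            external-interface ge-0/0/0.0;
        }
    }
    ipsec {
        policy spoke-ipsec-policy { proposal-set standard; }
        vpn spoke1-adsl { bind-interface st0.0; ike { gateway spoke1-adsl; ipsec-policy spoke-ipsec-policy; } }
        vpn spoke1-4g   { bind-interface st0.1; ike { gateway spoke1-4g;   ipsec-policy spoke-ipsec-policy; } }
    }
}
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 198.51.100.10/24; address 198.51.100.11/24; } } }
    st0 {
        unit 0 { multipoint; family inet { address 10.255.0.1/24; } }   /* every spoke's primary tunnel binds here */
        unit 1 { multipoint; family inet { address 10.255.1.1/24; } }   /* every spoke's backup tunnel binds here */
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface st0.0 { interface-type p2mp; metric 10; }
            interface st0.1 { interface-type p2mp; metric 100; }   /* higher cost: only used while the st0.0 neighbour is down */
        }
    }
}
```

Each further spoke adds its own pair of gateway and vpn stanzas bound to the same two multipoint units; the OSPF metrics give the hub the path preference that a single multipoint unit cannot express.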

Re: [j-nsp] VPN over ADSL With 4G Backup

2015-06-13 Thread Nc Aji
Appreciated your inputs.

To make it a bit more clear:

We will have a non-RFC1918 IP address at the hub and the spokes will get a
dynamic IP from the provider through ADSL2+.

The spokes should have 4G as backup for the ADSL2+.

How should the backup link be configured?

I assume at the hub st0.x multipoint will be configured.

Do you have any suggestions regarding the configurations?

Thx




Re: [j-nsp] VPN over ADSL With 4G Backup

2015-06-12 Thread Hugo Slabbert

On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji aji14...@gmail.com wrote:


> Need to connect 250 outlets by using ADSL over the internet.


Static or DHCP at the outlets?


> At the head end we have a public address; need to have 4G as backup.


I can't parse this sentence.  I get that you have a non-RFC1918 IP at the 
hub, but by "need to have 4G as backup" do you mean that the hub site has/needs 
4G backup or that the outlets/spokes will have/need 4G connections as 
backup to their primary ADSL connection?



> Which VPN technologies are to be used?


We stick with routed IPSEC tunnels (st0.x).  Scales better; simpler 
management of routing policy; and policy VPNs are just too opaque for my 
liking.  That assumes that you have statics at the spokes, though, as doing 
routed ipsec tunnels with dynamic endpoints is a PITA.



> Please suggest the Juniper device model at spokes and hub.


Probably best to talk to your SE.  The suggestions below are just 
approximations based on some assumptions of your setup, and requisite 
grains of salt are suggested.


Spokes:
SRX100 or 110 for the spokes.  I'm assuming since you said ADSL it's e.g. 
ADSL2+ or similar, so lower speeds (-le 15 mbps down) rather than higher 
rate VDSL2?  An SRX100 can handle crypto & stateful firewalling on that 
throughput without issue, so you don't have to step up to anything bigger 
like e.g. SRX210 or SRX240 unless you need GigE on the LAN or something.


You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need to 
bring your own modem rather than the ADSL provider putting one in.



Hub:

Question of scale, really.  Size for throughput and site count and throw in 
your oversubscription ratio of choice, then go from there.  E.g. if you're 
doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak of ~3.7 
Gbps.  That said, I have my doubts about all of your sites simultaneously 
pinning their download, hence factoring in an oversub ratio.


At-a-glance SRX range comparo:
http://www.juniper.net/us/en/products-services/security/srx-series/compare/

For crypto on the hub site, you could pair that up with an SRX as well.  
For the throughput you're looking at, something like a larger branch 
(SRX550/650) would probably be fine.  You're still looking at a software 
router in those, so just be aware that pinning the control plane can hit 
your forwarding unless you step up to something in the high end / DC SRX 
range (1400 or higher).  Some people do MX's with encryption services PICs 
[1], which gets you a proper routing platform, but that's obviously a 
different price point.


If you're doing backup connections of some sort, a fairly clean way to 
handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel 
interfaces (st) per site.  If you mean 4G at the branch, the two tunnels 
would have different external-interface settings defined.  If the 4G was at 
the head office (which would be interesting from a bandwidth perspective), 
there would be two different ike-gateway addresses defined, pointing at the 
two different H/O IPs.


You'd then want to check for liveness across those two tunnels, so run a 
protocol with appropriate metrics defined for the crypto interfaces.


Beware that if you don't do anything about it on the hub or spokes, 
asymmetric routing across the two different tunnels could cause you some 
grief, as the SRX caches ingress/egress interfaces for flows and will by 
default drop traffic ingressing on a different interface than it expects (e.g. 
ADSL fails and traffic now comes in over the 4G tunnel).


You may need to either disable TCP syn-check and sequence check to deal 
with that [2][3][4][5], forgo flow processing & stateful firewalling and 
chuck everything coming in over the tunnels into selective packet mode, or 
separate routing from the IPSEC termination and use some tunneling to land 
traffic on a proper, external router.



> Does anyone use this setup and have success? Does SRX or J Series suit this
> requirement?


Yes.


> Thx


No problem.

--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319
1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)

[1] http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
[2] http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
[3] http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
[4] http://kb.juniper.net/InfoCenter/index?page=content&id=KB25094
[5] http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266


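The spoke side of the two-tunnel layout from this message (one st interface per path, each IKE gateway on a different external interface, metrics deciding which tunnel carries traffic), combined with the separate-virtual-router idea Hugo raises later in the thread, as an added configuration example that is not from the original thread. Assumed: a bridged ADSL modem handing the SRX a DHCP address on fe-0/0/0, an external 4G router at 192.0.2.1 on fe-0/0/1, hub IKE addresses 198.51.100.10/.11, and hostname IKE identities so the spoke can sit behind a dynamic address; zones and policies are left out.

```junos
routing-instances {
    adsl-vr {
        instance-type virtual-router;
        interface fe-0/0/0.0;              /* the 0/0 learned via DHCP lands in adsl-vr.inet.0, not inet.0 */
    }
    lte-vr {
        instance-type virtual-router;
        interface fe-0/0/1.0;
        routing-options { static { route 0.0.0.0/0 next-hop 192.0.2.1; } }   /* static 0/0 via the 4G router, isolated here */
    }
}
interfaces {
    fe-0/0/0 { unit 0 { family inet { dhcp; } } }                   /* bridged ADSL modem, provider DHCP */
    fe-0/0/1 { unit 0 { family inet { address 192.0.2.2/30; } } }   /* hand-off from the 4G router */
    st0 {
        unit 0 { family inet { address 10.255.0.2/24; } }   /* overlay in inet.0: primary path */
        unit 1 { family inet { address 10.255.1.2/24; } }   /* overlay in inet.0: backup path */
    }
}
security {
    ike {
        policy hub-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK";   /* placeholder */
        }
        gateway hub-via-adsl {
            ike-policy hub-policy;
            address 198.51.100.10;                             /* hub's primary IKE address */
            local-identity hostname spoke1-adsl.example.org;   /* lets the hub identify us without a static IP */
            external-interface fe-0/0/0.0;                     /* IKE/ESP sourced and routed inside adsl-vr */
        }
        gateway hub-via-lte {
            ike-policy hub-policy;
            address 198.51.100.11;                             /* hub's backup IKE address */
            local-identity hostname spoke1-4g.example.org;
            external-interface fe-0/0/1.0;                     /* IKE/ESP sourced and routed inside lte-vr */
        }
    }
    ipsec {
        policy hub-ipsec-policy { proposal-set standard; }
        vpn hub-via-adsl { bind-interface st0.0; establish-tunnels immediately; ike { gateway hub-via-adsl; ipsec-policy hub-ipsec-policy; } }
        vpn hub-via-lte  { bind-interface st0.1; establish-tunnels immediately; ike { gateway hub-via-lte;  ipsec-policy hub-ipsec-policy; } }
    }
}
protocols {
    ospf { area 0.0.0.0 { interface st0.0 { interface-type p2mp; metric 10; } interface st0.1 { interface-type p2mp; metric 100; } } }
}
```

Because each underlay lives in its own VR, neither provider's default route can hijack the other's tunnel, and the spoke initiates both tunnels (establish-tunnels immediately) since the hub cannot reach a dynamic address first. If flows still end up entering the hub on a different tunnel than they left, the syn-check/sequence-check knobs in [2]-[5] relax the SRX's TCP state checks, which also weakens the firewall, so treat them as a last resort.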

[j-nsp] VPN over ADSL With 4G Backup

2015-06-11 Thread Nc Aji
Need to connect 250 outlets by using ADSL over the internet. At the head end
we have a public address; need to have 4G as backup.

Which VPN technologies are to be used? Please suggest the Juniper device model
at spokes and hub.

Does anyone use this setup and have success? Does SRX or J Series suit this
requirement?

Thx