GET A 100%
DEPOSIT BONUS
aw
MS TSMulti-Site Dual ISP Redundant Site-to-Site
VPN with OSPF Failover
By Mike Lutgen January 2016
This document covers the configuration of a multi-site VPN scenario with dual ISPs and
quadruple VPN tunnels at each site. This scenario has three sites, two remote branches and one
main site, Each location has two ISP connections, the remote branches do not connect directly
to each other, only to the main site but with a full mesh configuration (4 tunnels per remote
site). This design will support the loss of a single connection at all of the three sites concurrently
while maintaining full connectivi
To get started, the below is a quick (albeit messy) diagram of the scenario network. The black
lines represent physical ISP connections, the red lines represent VPN tunnels from the main
site's primary ISP connection and the yellow lines represent VPN tunnels from the main site’s
secondary ISP connection. Below the diagram there is a layout of each of the VPN tunnels with
addressing. The addressing at either end of the line is the physical interface addressing on the
firewalls and the the addressing below each of the lines at either end represent the addresses
on the tunnel interfaces on each end of the VPN tunnel.
Each of the ISP connections have a separate address range in the 10.75.200.x to 10.75.205.x
range, this is to best simulate a true distributed environment with completely separate address
ranges. Also the tunnel interfaces utilize a /30 subnet, this is because there will never be more
than two tunnel interfaces as a part of a single VPN tunnel so there is no need to waste
addresses by using a larger subnet.
This guide assumes that the ISP connections at each site are alive and routing correctly.4175200 $¢ sare rt
1075209 $8 sr rt
161080 an 980
er) tonssam0 ‘770488
$078.20 2 gg pos
To begin, create the tunnel interfaces on each of the firewalls (Network->interfaces->Tunnel),
assign the appropriate IP addressing to each of them and add them to the appropriate zones.
Keep in mind that the tunnel interface addressing must match on either side of the tunnel so,
keep track of which interfaces have which addresses assigned (easiest to just go in order). In
this scenario they will all be added to a single zone called “vpn; this is a generally insecure
method (as intra-zone traffic is permitted by default). This configuration is only recommendedas an initial setup measure to verify traffic is passing correctly before imposing security
restrictions on it. Don’t worry about assigning a Virtual router to these interfaces yet.
In this scenario each remote site will have 4 tunnel interfaces because there will be a total of 4
tunnels built and the main site will have 8 tunnel interfaces because it will have 8 tunnels.
Next move to IPSec Tunnels, (Network->IPSec Tunnels) there will be 4 tunnels for each remote
site and 8 at the main site. Give each tunnel a name, specify the tunnel interface to be used for
that tunnel and in the drop-down for IKE Gateway click the link to create a new IKE Gateway.In the new IKE Gateway window specify the name, the physical interface this tunnel will be tied
to, select the IP address in the drop-down (optional if only a single IP address is assigned to that
interface), and specify the peer address and pre-shared key for this tunnel.
cme oot Oe
fore @ sO open
Metotn @ heSastay Octane
After clicking OK on the IKE Gateway creation window, select that newly created IKE Gateway
from the drop-down back in the IPSec Tunnel creation window, then check the box for Tunnel
Monitor, specify the IP address for the tunnel interface on the other side of this tunnel (the
tunnel interface’s address on the peer side), and select the default Monitor profile (this will be
adjusted later, create a unique Monitor Profile right away if desired). Do not specify any Proxy
IDs, leave everything on that tab blank. Each of these tunnels will remain red (down) until the
configuration is completed and committed on both of the peers.
Now move to Virtual Routers, every site will have 3 virtual routers (no matter the number of
tunnels); one for each ISP and one for all other interfaces. The reason for this is that in order to
communicate each ISP connection will need a next-hop. Multiple default gateway routes in a
single virtual router will not accomplish this and traffic originating from the firewall does not
follow Policy-Based Forwarding rules,
Create each of the ISP virtual routers, add the physical interface of the firewall that is,
connected to that ISP and in static routes add a default route for that ISPs next hop.After that, create the third virtual router and add all other interfaces to this one, including all
tunnel interfaces. if local internet access is desired at that site, add a default route pointing to
the virtual router of the primary ISP as the next hop.
Then move to Redistribution Profile and click Add. Name it, set priority (1), select Connect,
and then add all connected interfaces that should have their directly connected address ranges
advertised through OSPF to the other locations. Optionally create a secondary redistribution
profile with a priority of 2 selecting Static and specifying static routes you'd like to redistribute
to other locations in the middle column (under Destination).