GET A 100% DEPOSIT BONUS aw MS TSMulti-Site Dual ISP Redundant Site-to-Site VPN with OSPF Failover By Mike Lutgen January 2016 This document covers the configuration of a multi-site VPN scenario with dual ISPs and quadruple VPN tunnels at each site. This scenario has three sites, two remote branches and one main site, Each location has two ISP connections, the remote branches do not connect directly to each other, only to the main site but with a full mesh configuration (4 tunnels per remote site). This design will support the loss of a single connection at all of the three sites concurrently while maintaining full connectivi To get started, the below is a quick (albeit messy) diagram of the scenario network. The black lines represent physical ISP connections, the red lines represent VPN tunnels from the main site's primary ISP connection and the yellow lines represent VPN tunnels from the main site’s secondary ISP connection. Below the diagram there is a layout of each of the VPN tunnels with addressing. The addressing at either end of the line is the physical interface addressing on the firewalls and the the addressing below each of the lines at either end represent the addresses on the tunnel interfaces on each end of the VPN tunnel. Each of the ISP connections have a separate address range in the 10.75.200.x to 10.75.205.x range, this is to best simulate a true distributed environment with completely separate address ranges. Also the tunnel interfaces utilize a /30 subnet, this is because there will never be more than two tunnel interfaces as a part of a single VPN tunnel so there is no need to waste addresses by using a larger subnet. This guide assumes that the ISP connections at each site are alive and routing correctly.4175200 $¢ sare rt 1075209 $8 sr rt 161080 an 980 er) tonssam0 ‘770488 $078.20 2 gg pos To begin, create the tunnel interfaces on each of the firewalls (Network->interfaces->Tunnel), assign the appropriate IP addressing to each of them and add them to the appropriate zones. Keep in mind that the tunnel interface addressing must match on either side of the tunnel so, keep track of which interfaces have which addresses assigned (easiest to just go in order). In this scenario they will all be added to a single zone called “vpn; this is a generally insecure method (as intra-zone traffic is permitted by default). This configuration is only recommendedas an initial setup measure to verify traffic is passing correctly before imposing security restrictions on it. Don’t worry about assigning a Virtual router to these interfaces yet. In this scenario each remote site will have 4 tunnel interfaces because there will be a total of 4 tunnels built and the main site will have 8 tunnel interfaces because it will have 8 tunnels. Next move to IPSec Tunnels, (Network->IPSec Tunnels) there will be 4 tunnels for each remote site and 8 at the main site. Give each tunnel a name, specify the tunnel interface to be used for that tunnel and in the drop-down for IKE Gateway click the link to create a new IKE Gateway.In the new IKE Gateway window specify the name, the physical interface this tunnel will be tied to, select the IP address in the drop-down (optional if only a single IP address is assigned to that interface), and specify the peer address and pre-shared key for this tunnel. cme oot Oe fore @ sO open Metotn @ heSastay Octane After clicking OK on the IKE Gateway creation window, select that newly created IKE Gateway from the drop-down back in the IPSec Tunnel creation window, then check the box for Tunnel Monitor, specify the IP address for the tunnel interface on the other side of this tunnel (the tunnel interface’s address on the peer side), and select the default Monitor profile (this will be adjusted later, create a unique Monitor Profile right away if desired). Do not specify any Proxy IDs, leave everything on that tab blank. Each of these tunnels will remain red (down) until the configuration is completed and committed on both of the peers. Now move to Virtual Routers, every site will have 3 virtual routers (no matter the number of tunnels); one for each ISP and one for all other interfaces. The reason for this is that in order to communicate each ISP connection will need a next-hop. Multiple default gateway routes in a single virtual router will not accomplish this and traffic originating from the firewall does not follow Policy-Based Forwarding rules, Create each of the ISP virtual routers, add the physical interface of the firewall that is, connected to that ISP and in static routes add a default route for that ISPs next hop.After that, create the third virtual router and add all other interfaces to this one, including all tunnel interfaces. if local internet access is desired at that site, add a default route pointing to the virtual router of the primary ISP as the next hop. Then move to Redistribution Profile and click Add. Name it, set priority (1), select Connect, and then add all connected interfaces that should have their directly connected address ranges advertised through OSPF to the other locations. Optionally create a secondary redistribution profile with a priority of 2 selecting Static and specifying static routes you'd like to redistribute to other locations in the middle column (under Destination).