[j-nsp] VPN over ADSL With 4G Backup
Hugo Slabbert
hugo at slabnet.com
Fri Jun 12 13:15:00 EDT 2015
On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji <aji14730 at gmail.com> wrote:
>Need to connect 250 Outlets by using ADSL Over internet
Static or DHCP at the outlets?
>At the Head end We have public address need to have 4G as backup.
I can't parse this sentence. I get that you have a non-RFC1918 IP at the
hub, by "need to have 4G as backup" do you mean that the hub site has/needs
4G backup or that the outlets/spokes will have/need 4G connections as
backup to their primary ADSL connection?
>Which VPN technologies to be used
We stick with routed IPSEC tunnels (stx.x). Scales better; simpler
management of routing policy; and policy VPNs are just too opaque for my
liking. That assumes that you have statics at the spokes, though, as doing
routed ipsec tunnels with dynamic endpoints is a PITA.
>Please suggest the juniper device model at spokes and HUB.
Probably best to talk to your SE. The suggestions below are just
approximations based on some assumptions of your setup, and requisite
grains of salt are suggested.
Spokes:
SRX100 or 110 for the spokes. I'm assuming since you said "ADSL" it's e.g.
ADSL2+ or similar, so lower speeds (-le 15 mbps down) rather than higher
rate VDSL2? An SRX100 can handle crypto & stateful firewalling on that
throughput without issue, so you don't have to step up to anything bigger
like e.g. SRX210 or SRX240 unless you need GigE on the LAN or something.
You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need to
bring your own modem rather than the ADSL provider putting one in.
Hub:
Question of scale, really. Size for throughput and site count and throw in
your oversubscription ratio of choice, then go from there. E.g. if you're
doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak of ~3.7
Gbps. That said, I have my doubts about all of your sites simultaneously
pinning their download, hence factoring in an oversub ratio.
At-a-glance SRX range comparo:
http://www.juniper.net/us/en/products-services/security/srx-series/compare/
For crypto on the hub site, you could pair that up with an SRX as well.
For the throughput you're looking at, something like a larger branch
(SRX550/650) would probably be fine. You're still looking at a software
router in those, so just be aware that pinning the control plane can hit
your forwarding unless you step up to something in the high end / DC SRX
range (1400 or higher). Some people do MX's with encryption services PICs
[1], which gets you a proper routing platform, but that's obviously a
different price point.
If you're doing backup connections of some sort, a fairly clean way to
handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel
interfaces (st) per site. If you mean 4G at the branch, the two tunnels
would have different external-interface settings defined. If the 4G was at
the head office (which would be interesting from a bandwidth perspective),
there would be two different ike-gateway addresses defined, pointing at the
two different H/O IPs.
You'd then want to check for liveness across those two tunnels, so run a
protocol with appropriate metrics defined for the crypto interfaces.
Beware that if you don't do anything about it on the hub or spokes,
asymmetric routing across the two different tunnels could cause you some
grief as the SRX caches ingress/egress interfaces for flows and will by
default drop traffic ingressing on diff interface than it expects (e.g.
ADSL fails and traffic now comes in over the 4G tunnel).
You may need to either disable tcp syn-check and sequence check to deal
with that [2][3][4][5], forgo flow processing & stateful firewalling and
chuck everything coming in over the tunnels into selective packet mode, or
separate routing from the IPSEC termination and use some tunneling to land
traffic on a proper, external router.
>Does anyone uses this setup and have success. SRX or J Series suites this
>requirement?
Yes.
>Thx
No problem.
--
Hugo
hugo at slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319
1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)
[1] http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
[2]
http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
[3]
http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
[4] http://kb.juniper.net/InfoCenter/index?page=content&id=KB25094
[5] http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20150612/e00432b1/attachment.sig>
More information about the juniper-nsp
mailing list