[j-nsp] VPN over ADSL With 4G Backup

Hugo Slabbert hugo at slabnet.com
Fri Jun 12 13:15:00 EDT 2015


On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji <aji14730 at gmail.com> wrote:

>Need to connect 250 Outlets by using ADSL Over internet

Static or DHCP at the outlets?

>At the Head end We have public address need to have 4G as backup.

I can't parse this sentence.  I get that you have a non-RFC1918 IP at the 
hub, by "need to have 4G as backup" do you mean that the hub site has/needs 
4G backup or that the outlets/spokes will have/need 4G connections as 
backup to their primary ADSL connection?

>Which VPN technologies to be used

We stick with routed IPSEC tunnels (stx.x).  Scales better; simpler 
management of routing policy; and policy VPNs are just too opaque for my 
liking.  That assumes that you have statics at the spokes, though, as doing 
routed ipsec tunnels with dynamic endpoints is a PITA.

>Please suggest the juniper device model at spokes and HUB.

Probably best to talk to your SE.  The suggestions below are just 
approximations based on some assumptions of your setup, and requisite 
grains of salt are suggested.

Spokes:
SRX100 or 110 for the spokes.  I'm assuming since you said "ADSL" it's e.g.  
ADSL2+ or similar, so lower speeds (-le 15 mbps down) rather than higher 
rate VDSL2?  An SRX100 can handle crypto & stateful firewalling on that 
throughput without issue, so you don't have to step up to anything bigger 
like e.g. SRX210 or SRX240 unless you need GigE on the LAN or something.

You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need to 
bring your own modem rather than the ADSL provider putting one in.


Hub:

Question of scale, really.  Size for throughput and site count and throw in 
your oversubscription ratio of choice, then go from there.  E.g. if you're 
doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak of ~3.7 
Gbps.  That said, I have my doubts about all of your sites simultaneously 
pinning their download, hence factoring in an oversub ratio.

At-a-glance SRX range comparo:
http://www.juniper.net/us/en/products-services/security/srx-series/compare/

For crypto on the hub site, you could pair that up with an SRX as well.  
For the throughput you're looking at, something like a larger branch 
(SRX550/650) would probably be fine.  You're still looking at a software 
router in those, so just be aware that pinning the control plane can hit 
your forwarding unless you step up to something in the high end / DC SRX 
range (1400 or higher).  Some people do MX's with encryption services PICs 
[1], which gets you a proper routing platform, but that's obviously a 
different price point.

If you're doing backup connections of some sort, a fairly clean way to 
handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel 
interfaces (st) per site.  If you mean 4G at the branch, the two tunnels 
would have different external-interface settings defined.  If the 4G was at 
the head office (which would be interesting from a bandwidth perspective), 
there would be two different ike-gateway addresses defined, pointing at the 
two different H/O IPs.

You'd then want to check for liveness across those two tunnels, so run a 
protocol with appropriate metrics defined for the crypto interfaces.

Beware that if you don't do anything about it on the hub or spokes, 
asymmetric routing across the two different tunnels could cause you some 
grief as the SRX caches ingress/egress interfaces for flows and will by 
default drop traffic ingressing on diff interface than it expects (e.g.  
ADSL fails and traffic now comes in over the 4G tunnel).

You may need to either disable tcp syn-check and sequence check to deal 
with that [2][3][4][5], forgo flow processing & stateful firewalling and 
chuck everything coming in over the tunnels into selective packet mode, or 
separate routing from the IPSEC termination and use some tunneling to land 
traffic on a proper, external router.

>Does anyone use this setup and have success? Does the SRX or J Series suit this
>requirement?

Yes.

>Thx

No problem.

-- 
Hugo

hugo at slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319
1D77 9AB1 0FFD B178 313E
(also on textsecure & redphone)

[1] http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
[2] 
http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
[3] 
http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
[4] http://kb.juniper.net/InfoCenter/index?page=content&id=KB25094
[5] http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266