[j-nsp] VPN over ADSL With 4G Backup

Nc Aji aji14730 at gmail.com
Sat Jun 13 04:39:11 EDT 2015

Appreciated your inputs.

To make it bit more clear.

We will have a non RFC1918 IP address at the hub and the spokes will get a
dynamic IP from the provider through ADSl 2+.

the spokes should have a 4G as backup  for the ADSL2+.

How the backup link should be configured.

I assume at the hub st0.x multipoint will be configured.

do you have any suggestions regarding the configurations.


On Fri, Jun 12, 2015 at 8:15 PM, Hugo Slabbert <hugo at slabnet.com> wrote:

> On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji <aji14730 at gmail.com> wrote:
>  Need to connect 250 Outlets by using ADSL Over internet
> Static or DHCP at the outlets?
>  At the Head end We have public address need to have 4G as backup.
> I can't parse this sentence.  I get that you have a non-RFC1918 IP at the
> hub, by "need to have 4G as backup" do you mean that the hub site has/needs
> 4G backup or that the outlets/spokes will have/need 4G connections as
> backup to their primary ADSL connection?
>  Which VPN technologies to be used
> We stick with routed IPSEC tunnels (stx.x).  Scales better; simpler
> management of routing policy; and policy VPNs are just too opaque for my
> liking.  That assumes that you have statics at the spokes, though, as doing
> routed ipsec tunnels with dynamic endpoints is a PITA.
>  Please suggest the juniper device model at spokes and HUB.
> Probably best to talk to your SE.  The suggestions below are just
> approximations based on some assumptions of your setup, and requisite
> grains of salt are suggested.
> Spokes:
> SRX100 or 110 for the spokes.  I'm assuming since you said "ADSL" it's
> e.g.  ADSL2+ or similar, so lower speeds (-le 15 mbps down) rather than
> higher rate VDSL2?  An SRX100 can handle crypto & stateful firewalling on
> that throughput without issue, so you don't have to step up to anything
> bigger like e.g. SRX210 or SRX240 unless you need GigE on the LAN or
> something.
> You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need
> to bring your own modem rather than the ADSL provider putting one in.
> Hub:
> Question of scale, really.  Size for throughput and site count and throw
> in your oversubscription ratio of choice, then go from there.  E.g. if
> you're doing 15 mbps ADSL per site @ 250 sites, that's a theoretical peak
> of ~3.7 Gbps.  That said, I have my doubts about all of your sites
> simultaneously pinning their download, hence factoring in an oversub ratio.
> At-a-glance SRX range comparo:
> http://www.juniper.net/us/en/products-services/security/srx-series/compare/
> For crypto on the hub site, you could pair that up with an SRX as well.
> For the throughput you're looking at, something like a larger branch
> (SRX550/650) would probably be fine.  You're still looking at a software
> router in those, so just be aware that pinning the control plane can hit
> your forwarding unless you step up to something in the high end / DC SRX
> range (1400 or higher).  Some people do MX's with encryption services PICs
> [1], which gets you a proper routing platform, but that's obviously a
> different price point.
> If you're doing backup connections of some sort, a fairly clean way to
> handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel
> interfaces (st) per site.  If you mean 4G at the branch, the two tunnels
> would have different external-interface settings defined.  If the 4G was at
> the head office (which would be interesting from a bandwidth perspective),
> there would be two different ike-gateway addresses defined, pointing at the
> two different H/O IPs.
> You'd then want to check for liveness across those two tunnels, so run a
> protocol with appropriate metrics defined for the crypto interfaces.
> Beware that if you don't do anything about it on the hub or spokes,
> asymmetric routing across the two different tunnels could cause you some
> grief as the SRX caches ingress/egress interfaces for flows and will by
> default drop traffic ingressing on diff interface than it expects (e.g.
> ADSL fails and traffic now comes in over the 4G tunnel).
> You may need to either disable tcp syn-check and sequence check to deal
> with that [2][3][4][5], forgo flow processing & stateful firewalling and
> chuck everything coming in over the tunnels into selective packet mode, or
> separate routing from the IPSEC termination and use some tunneling to land
> traffic on a proper, external router.
>  Does anyone uses this setup and have success. SRX or J Series suites this
>> requirement?
> Yes.
>  Thx
> No problem.
> --
> Hugo
> hugo at slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319
> 1D77 9AB1 0FFD B178 313E
> (also on textsecure & redphone)
> [1] http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
> [2]
> http://forums.juniper.net/t5/SRX-Services-Gateway/asymmetry-problem/td-p/250084
> [3]
> http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/session-tcp-packet-security-check-for-srx-series-disabling-cli.html
> [4] http://kb.juniper.net/InfoCenter/index?page=content&id=KB25094
> [5] http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266

More information about the juniper-nsp mailing list