[j-nsp] VPN over ADSL With 4G Backup
aji14730 at gmail.com
Sat Jun 13 04:39:11 EDT 2015
Appreciate your inputs.
To make it a bit more clear:
We will have a non-RFC1918 IP address at the hub, and the spokes will get a
dynamic IP from the provider through ADSL2+.
The spokes should have 4G as backup for the ADSL2+.
How should the backup link be configured?
I assume at the hub st0.x multipoint will be configured.
Do you have any suggestions regarding the configurations?
On Fri, Jun 12, 2015 at 8:15 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
> On Thu 2015-Jun-11 23:27:22 +0300, Nc Aji <aji14730 at gmail.com> wrote:
> > Need to connect 250 Outlets by using ADSL over the internet
> Static or DHCP at the outlets?
> > At the Head end We have public address need to have 4G as backup.
> I can't parse this sentence. I get that you have a non-RFC1918 IP at the
> hub, by "need to have 4G as backup" do you mean that the hub site has/needs
> 4G backup or that the outlets/spokes will have/need 4G connections as
> backup to their primary ADSL connection?
> > Which VPN technologies to be used
> We stick with routed IPSEC tunnels (st0.x). Scales better; simpler
> management of routing policy; and policy VPNs are just too opaque for my
> liking. That assumes that you have statics at the spokes, though, as doing
> routed IPsec tunnels with dynamic endpoints is a PITA.
> > Please suggest the juniper device model at spokes and HUB.
> Probably best to talk to your SE. The suggestions below are just
> approximations based on some assumptions of your setup, and requisite
> grains of salt are suggested.
> SRX100 or 110 for the spokes. I'm assuming since you said "ADSL" it's
> e.g. ADSL2+ or similar, so lower speeds (<= 15 Mbps down) rather than
> higher rate VDSL2? An SRX100 can handle crypto & stateful firewalling on
> that throughput without issue, so you don't have to step up to anything
> bigger like e.g. SRX210 or SRX240 unless you need GigE on the LAN or
> You could also go for the SRX110H-VA with built-in ADSL/VDSL if you need
> to bring your own modem rather than the ADSL provider putting one in.
> Question of scale, really. Size for throughput and site count and throw
> in your oversubscription ratio of choice, then go from there. E.g. if
> you're doing 15 Mbps ADSL per site @ 250 sites, that's a theoretical peak
> of ~3.7 Gbps. That said, I have my doubts about all of your sites
> simultaneously pinning their download, hence factoring in an oversub ratio.
> At-a-glance SRX range comparo:
> For crypto on the hub site, you could pair that up with an SRX as well.
> For the throughput you're looking at, something like a larger branch
> (SRX550/650) would probably be fine. You're still looking at a software
> router in those, so just be aware that pinning the control plane can hit
> your forwarding unless you step up to something in the high end / DC SRX
> range (1400 or higher). Some people do MX's with encryption services
> PICs, which gets you a proper routing platform, but that's obviously a
> different price point.
> If you're doing backup connections of some sort, a fairly clean way to
> handle that in a routed IPSEC tunnel solution would be 2x crypto tunnel
> interfaces (st) per site. If you mean 4G at the branch, the two tunnels
> would have different external-interface settings defined. If the 4G was at
> the head office (which would be interesting from a bandwidth perspective),
> there would be two different ike-gateway addresses defined, pointing at the
> two different H/O IPs.
> You'd then want to check for liveness across those two tunnels, so run a
> protocol with appropriate metrics defined for the crypto interfaces.
> Beware that if you don't do anything about it on the hub or spokes,
> asymmetric routing across the two different tunnels could cause you some
> grief as the SRX caches ingress/egress interfaces for flows and will by
> default drop traffic ingressing on a different interface than it expects (e.g.
> ADSL fails and traffic now comes in over the 4G tunnel).
> You may need to either disable tcp syn-check and sequence check to deal
> with that, forgo flow processing & stateful firewalling and
> chuck everything coming in over the tunnels into selective packet mode, or
> separate routing from the IPSEC termination and use some tunneling to land
> traffic on a proper, external router.
> > Does anyone use this setup and have success? SRX or J Series suits this
> No problem.
> hugo at slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319
> 1D77 9AB1 0FFD B178 313E
> (also on textsecure & redphone)
>  http://kb.juniper.net/InfoCenter/index?page=content&id=KB19733
>  http://kb.juniper.net/InfoCenter/index?page=content&id=KB25094
>  http://kb.juniper.net/InfoCenter/index?page=content&id=KB21266