Using OSPF to maintain site-site VPN across multiple WAN links

Having a Single Point of Failure (SPoF) on your network is never desirable. I recently implemented a multi-site set-up where each site had two Internet connections and the satellite office was required to be able to reach the head office at all times. Each site has a Juniper SSG5-SB firewall, a 10Mbit leased line as the primary Internet circuit and an ADSL backup.

With the Juniper SSG firewalls it is possible to use Policy Based VPNs to maintain multiple tunnels and have the firewalls switch between them as required. However, you end up with four policies on each firewall and you cannot tell from looking at a routing table where the traffic is flowing. In this instance I decided to use OSPF to route the traffic dynamically depending on the availability of the VPNs at each site.

The first thing we need to do in order to implement this is to put each Internet connection into its own Virtual Router so they can run independently of each other. I have covered this in a recent blog post which you can read here.

Once you have the two firewalls set up with each Internet connection in its own virtual router we need to set up the VPNs. This is done with a new Zone in the trust-vr, and we will need four numbered tunnel interfaces on each firewall (one for each combination of local and remote Internet connection).

On the second site firewall you will need to repeat the commands, using the other IP address of each /30 in each case.

Now we need to set up the VPN tunnels. You may want to change these based upon your requirements; however, I have used these settings regularly and they work well. NB: you will need to apply similar settings on the Site B firewall with the corresponding endpoint addresses for Site A.

From the GUI you should be able to check that these have come up by going to VPN -> Monitor Status.

We now need to enable OSPF on the trust-vr and configure the interfaces to communicate using OSPF. This should be completed on both the primary and secondary site firewalls.

You can check the OSPF status by running the following command:

Finally we need to set up policies to allow traffic to flow across the VPN between the two sites.

To test this you need to take down the Internet connections one by one and watch the routing table update on each firewall.
You should see all four IPsec VPN tunnels showing as active, and the route between sites will be via the layer-3 tunnel interface of whichever tunnel OSPF currently prefers.
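As an added illustration (my own constructed model, not ScreenOS configuration from this post), the following Python simulates the routing decision OSPF makes in this design: each of the four tunnel interfaces is up only while both WAN links beneath it are up, and the lowest-cost live tunnel carries the traffic. The OSPF costs are assumed values chosen to prefer the leased lines, and enumerating link failures reproduces the "take the connections down one by one" test described above.

```python
from itertools import combinations

# Constructed model of the post's topology: each site has a leased line
# and an ADSL backup, and a tunnel exists for every pairing of the two.
# The costs are assumed (not from the post) and favour leased-line paths.
WAN_LINKS = {"A-leased", "A-adsl", "B-leased", "B-adsl"}
TUNNELS = {
    "tunnel.1": {"links": {"A-leased", "B-leased"}, "cost": 10},
    "tunnel.2": {"links": {"A-leased", "B-adsl"}, "cost": 20},
    "tunnel.3": {"links": {"A-adsl", "B-leased"}, "cost": 20},
    "tunnel.4": {"links": {"A-adsl", "B-adsl"}, "cost": 30},
}


def tunnels_up(down_links):
    """A tunnel stays up only while both WAN links it rides over are up."""
    return {n: t["cost"] for n, t in TUNNELS.items()
            if not (t["links"] & down_links)}


def best_route(down_links):
    """OSPF-style selection: lowest cost wins; equal costs are ECMP."""
    up = tunnels_up(down_links)
    if not up:
        return None, []          # both links at one site are down: no path
    best = min(up.values())
    return best, sorted(n for n, c in up.items() if c == best)


def failover_table(max_failures=2):
    """Enumerate every failure of up to max_failures WAN links."""
    rows = []
    for k in range(max_failures + 1):
        for failed in combinations(sorted(WAN_LINKS), k):
            cost, via = best_route(set(failed))
            rows.append((failed, cost, via))
    return rows


if __name__ == "__main__":
    for failed, cost, via in failover_table():
        print(f"down={failed or 'none'} -> cost={cost} via={via or 'NO ROUTE'}")
```

Any row with no route is a genuine SPoF (both connections at one site down), which is the only case this design cannot cover.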

Hello world!

UPDATE 29/12: The content should all be mirrored across from the old blog to the new site. I am working on a URL rewrite so that the old hyperlinks from search engines etc. link to the new blog, but it looks to be up to date.

Hello, and welcome back to my blog. Over the years this site has been in a state of disarray and lack of updates so I have decided that an overhaul is needed to get this back on track. All the old additional content from my University days has been consigned to the Internet dustbin and the site is just going to be a location for me to blog about technology and things that interest me.

I am working on reimporting all the old content from the old database and making sure that the images are all touched up and reimported so if you are looking for an old article these should be back in the coming weeks.

Thanks,

Matt

Giving this blog a purpose

Having spent a long time ignoring this blog or simply linking to amusing things on the net that I found through sites like stumbleupon.com, I think it's time to try and focus what I am writing about and see if I can get a good set of useful articles written.

Having thought about it for about 5 minutes this morning I decided that it should be something related to what I do on a daily basis but also something that I have an interest in, otherwise what's the point? Virtualization was a first thought, but I already read a good blog about vmware (http://www.techhead.co.uk) which I would probably end up plagiarising, and that isn't the reason for this. The other thing that I am keen on at the moment in the world of technology is network monitoring and the technologies you can use for it.

I will say now that I'm quite biased when I am looking at setting up a monitoring solution, as I don't really want to pay for the extra hardware or software I use to monitor everything. This does mean I will look for a good open source application (or applications) to carry out a task, which I can customize, rather than paying for a boxed product that does some of what I want to do but not everything.

Now I still like sharing interesting pages I find on the web but I may need to split the blog into 2 sections to look more professional… Still haven’t decided yet but don’t worry the random site links will still be there!

So what’s my first entry under the new incarnation of the blog? I think I will write up the “Howto” on building an open source monitoring machine that can keep an eye on your network. Expect it in a few days.

Coming home from Cyprus

Well I didn’t realise I hadn’t written a post for quite as long as I had!

I have been really busy with work and other bits and pieces but am currently waiting to come back from Cyprus and get back to work.

Blog and Gallery are reskinned

This evening I decided to update the software that ran my photo gallery and once that had gone through successfully I started to look at the themes available for it.

After trying, and rejecting, the Ocadia theme I looked at one which allowed me to change the colour and style. I liked the layout and feel of Andreas09 but I wanted to have a blue site and so after a bit of hacking about with the theme I have changed from the Water Drop theme to Andreas09 in blue. But I still wasn’t happy – people could change the colour scheme from my beloved Blue2 to some other crazy colour scheme that didn’t look nearly as good. So a small bit of code modification later and I have removed the combo box.

The final result can be seen by clicking on the Gallery link on the home page or by going to http://www.matthewjwhite.co.uk/gallery

Now that I had my gallery looking nice I decided that WordPress was looking rather dull and boring with its standard Kubrick theme and could do with a facelift. A quick stop at the site of the author of the gallery theme (http://andreasviklund.com) and I browsed through to find a similar theme that would fit my WordPress blog. I settled for Andreas 0.8 Version 1.0, which complements the gallery and is a welcome change from the WP standard theme.

If you are reading this then you are likely to be looking at the theme right now, but if you aren't, clicking on the Blog link from my home page or going to http://www.matthewjwhite.co.uk/blog/index.php will let you see the theme in all its glory.

Install Vista without a CD key

Daniel Petri comes up with another great tip and insight into the way Microsoft’s software can be manipulated to do things you want to do. In this case how to trial different versions of Windows Vista. Once the activation deadline is reached you must put your legal key in for the version you installed to continue but… it does let you try the different versions first!


The walk of shame

I’m sure you have all done it at some point in your life – stayed over at someone’s house and then had to make your way home the next morning with a hangover and generally thinking “Why did I do that last night?”

Microsoft amused by the iPhone – and rightly so

https://www.youtube.com/watch?v=C5oGaZIKYvo

Having seen and commented on the iPhone earlier this week I am happy to see that Microsoft have come back and agreed with my opinions that they have already got a number of devices that can do this and don’t cost an absolute fortune to buy.

I also loved the comment from Steve

“£500 dollars…. that’s the most expensive phone in the world and it doesn’t appeal to business customers because it doesn’t have a keyboard”

Great comeback.

Source [ Gizmodo ]