For a Juniper NetScreen-NS25, I configured a site-to-site IPSec tunnel. For the outside interface of the remote site, I also needed to go through the tunnel, which has the same IP as the IPSec gateway. Now, when I add a static route to route that outside interface IP through the tunnel while the tunnel is up, there is no problem at all, but if the tunnel is down for some reason, it cannot be re-established, as the routing for the IPSec gateway IP, which is the same as the outside interface IP, is set to go through the tunnel that it needs to re-establish at that time. So, packets won't hit that IP. I tried adding another routing entry with metric 2 through the other gateway, but it didn't succeed. So, what type of routing should I configure to reach that IP when the tunnel is down? Thanks in advance.
Can you show `get int`, `get ike gateway` and `get vpn` from both? – bahamat Jul 31 '12 at 22:21
You should have a route to the endpoint over the interface device. This will take preference over a wider route to the servers behind the tunnel. Lower metrics are higher priority. Metric 2 won't be used if metric 1 or 0 is available.
Failover routing needs to be configured with some sort of monitoring software which will change the routing. Mixing routes to the same IP address is difficult to get right.
BillThor
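As an added illustration of the route-selection rule in the answer above (this is example code written for this page, not the answerer's configuration or any ScreenOS syntax), the following simulates static route lookup with longest-prefix match first and metric as the tie-breaker. All addresses (`203.0.113.1`, `192.168.20.0/24`, interface names `ethernet3` and `tunnel.1`) are constructed placeholders, and interface up/down state is deliberately not modelled, since a static route bound to a tunnel interface keeps matching whether or not the SA is up.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges); not taken from the post.
REMOTE_GW = "203.0.113.1"          # remote IPsec gateway == remote outside interface IP
REMOTE_LAN_HOST = "192.168.20.10"  # a server behind the remote end of the tunnel

# Route entries: (prefix, egress interface, metric)
BROKEN_TABLE = [
    ("0.0.0.0/0",       "ethernet3", 1),   # default route out the untrust interface
    ("192.168.20.0/24", "tunnel.1",  1),   # remote LAN via the VPN
    ("203.0.113.1/32",  "tunnel.1",  1),   # gateway IP forced through the tunnel
    ("203.0.113.1/32",  "ethernet3", 2),   # metric-2 fallback that is never selected
]

FIXED_TABLE = [
    ("0.0.0.0/0",       "ethernet3", 1),
    ("192.168.20.0/24", "tunnel.1",  1),   # wider route to the servers behind the tunnel
    ("203.0.113.1/32",  "ethernet3", 1),   # host route to the IKE peer over the physical interface
]


def lookup(dst, table):
    """Static route selection: longest matching prefix first, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, metric)
               for p, iface, metric in table
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    # Most specific prefix wins; among equal prefixes the lower metric wins,
    # so a metric-2 entry is only a fallback if the metric-1 entry is withdrawn.
    _, iface, _ = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return iface


def ike_can_reach_peer(table):
    """IKE/ESP to the peer must leave via a physical interface, never via the tunnel it builds."""
    return lookup(REMOTE_GW, table) != "tunnel.1"


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(f"{name}: peer via {lookup(REMOTE_GW, table)}, "
              f"LAN host via {lookup(REMOTE_LAN_HOST, table)}, "
              f"IKE can rebuild tunnel: {ike_can_reach_peer(table)}")
```

In the broken table the /32 through `tunnel.1` always beats both the default route (shorter prefix) and the metric-2 fallback (same prefix, higher metric), which is why the tunnel cannot be rebuilt once it drops; in the fixed table the /32 over `ethernet3` wins for the peer while the /24 still sends LAN traffic through the tunnel.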