
VPN and PBR with failover


Hi,

I need the SRX to fail over both the PBR and the VPN; only the PBR is working with the following config. The VPN is not working: when the first tunnel is down, the second never comes up. Could you help me? Thanks


Interfaces:
set interfaces ge-0/0/0 unit 0 family inet address 192.168.9.11/24
set interfaces ge-0/0/1 vlan-tagging

ISP1:
set interfaces ge-0/0/1 unit 18 vlan-id 18
set interfaces ge-0/0/1 unit 18 family inet address 192.168.18.5/24

ISP2:
set interfaces ge-0/0/1 unit 16 vlan-id 16
set interfaces ge-0/0/1 unit 16 family inet address 192.168.16.5/29
=================================================================================

Tunnels:
set interfaces st0 unit 0 family inet
set interfaces st0 unit 0 family inet6
set interfaces st0 unit 1 family inet
set interfaces st0 unit 1 family inet6
set interfaces st1 unit 0

set security ike proposal teste-3des-fase1 authentication-method pre-shared-keys
set security ike proposal teste-3des-fase1 dh-group group2
set security ike proposal teste-3des-fase1 authentication-algorithm sha1
set security ike proposal teste-3des-fase1 encryption-algorithm 3des-cbc
set security ike proposal teste-3des-fase1 lifetime-seconds 86400

set security ike policy ike_pol_VPN-Teste mode main
set security ike policy ike_pol_VPN-Teste proposals teste-3des-fase1
set security ike policy ike_pol_VPN-Teste pre-shared-key ascii-text "XXXXXXXXXXXXXXXXX"
set security ike gateway gw_VPN-Teste ike-policy ike_pol_VPN-Teste
set security ike gateway gw_VPN-Teste address 1.1.1.1
set security ike gateway gw_VPN-Teste dead-peer-detection interval 10
set security ike gateway gw_VPN-Teste dead-peer-detection threshold 3
set security ike gateway gw_VPN-Teste external-interface ge-0/0/1.18
set security ipsec policy ipsec_pol_VPN-Teste perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_VPN-Teste proposals teste-fase2
set security ipsec vpn VPN-Teste bind-interface st0.0
set security ipsec vpn VPN-Teste ike gateway gw_VPN-Teste
set security ipsec vpn VPN-Teste ike proxy-identity local 192.168.9.0/24
set security ipsec vpn VPN-Teste ike proxy-identity remote 192.168.10.0/24
set security ipsec vpn VPN-Teste ike ipsec-policy ipsec_pol_VPN-Teste
set security ipsec vpn VPN-Teste establish-tunnels on-traffic

set security ike policy ike_pol_VPN-Teste2 mode main
set security ike policy ike_pol_VPN-Teste2 proposals teste-3des-fase1
set security ike policy ike_pol_VPN-Teste2 pre-shared-key ascii-text "XXXXXXXXXXXXXXXXX"
set security ike gateway gw_VPN-Teste2 ike-policy ike_pol_VPN-Teste2
set security ike gateway gw_VPN-Teste2 address 1.1.1.1
set security ike gateway gw_VPN-Teste2 dead-peer-detection interval 10
set security ike gateway gw_VPN-Teste2 dead-peer-detection threshold 3
set security ike gateway gw_VPN-Teste2 external-interface ge-0/0/1.16
set security ipsec proposal teste-fase2 protocol esp
set security ipsec proposal teste-fase2 authentication-algorithm hmac-sha1-96
set security ipsec proposal teste-fase2 encryption-algorithm 3des-cbc
set security ipsec proposal teste-fase2 lifetime-seconds 1800
set security ipsec policy ipsec_pol_VPN-Teste2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec_pol_VPN-Teste2 proposals teste-fase2
set security ipsec vpn VPN-Teste2 bind-interface st0.1
set security ipsec vpn VPN-Teste2 ike gateway gw_VPN-Teste2
set security ipsec vpn VPN-Teste2 ike proxy-identity local 192.168.9.0/24
set security ipsec vpn VPN-Teste2 ike proxy-identity remote 192.168.10.0/24
set security ipsec vpn VPN-Teste2 ike ipsec-policy ipsec_pol_VPN-Teste2
set security ipsec vpn VPN-Teste2 establish-tunnels on-traffic

======================================================================================
#NAT and PAT:

set security nat source rule-set NAT-WAN from zone trust
set security nat source rule-set NAT-WAN to zone untrust
set security nat source rule-set NAT-WAN rule PAT-WAN match source-address 192.168.9.0/24
set security nat source rule-set NAT-WAN rule PAT-WAN match destination-address 0.0.0.0/0
set security nat source rule-set NAT-WCS rule PAT-WAN then source-nat interface


# Rules:
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy policy_out_VPN-Teste match source-address addr_192_168_9_0_24
set security policies from-zone trust to-zone untrust policy policy_out_VPN-Teste match destination-address addr_192_168_10_0_24
set security policies from-zone trust to-zone untrust policy policy_out_VPN-Teste match application any
set security policies from-zone trust to-zone untrust policy policy_out_VPN-Teste then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone untrust to-zone trust policy policy_in_VPN-Teste match source-address addr_192_168_10_0_24
set security policies from-zone untrust to-zone trust policy policy_in_VPN-Teste match destination-address addr_192_168_9_0_24
set security policies from-zone untrust to-zone trust policy policy_in_VPN-Teste match application any
set security policies from-zone untrust to-zone trust policy policy_in_VPN-Teste then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust address-book address addr_192_168_9_0_24 192.168.9.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust address-book address addr_192_168_10_0_24 192.168.10.0/24
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.16 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.16 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/1.16 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.16 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.16 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/1.18 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.18 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.1


================================================================================
Routes:

set routing-options static route 186.192.90.5/32 next-hop 192.168.16.1
set routing-options static route 98.137.236.24/32 next-hop 192.168.15.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.15.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.16.1 preference 2
set routing-options static route 192.168.10.0/24 next-hop st0.0
set routing-options static route 192.168.10.0/24 qualified-next-hop st0.1 preference 2

===========================================================================================
PBR:

set interfaces ge-0/0/0 unit 0 family inet filter input F1
set routing-options interface-routes rib-group inet IMPORT-PHY
set routing-options rib-groups IMPORT-PHY import-rib inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-1.inet.0
set routing-options rib-groups IMPORT-PHY import-rib FBF-2.inet.0
set firewall filter F1 term 1 from source-address 192.168.9.13/32
set firewall filter F1 term 1 from destination-address 200.147.67.142/32
set firewall filter F1 term 1 then routing-instance FBF-2
set firewall filter F1 term 2 from source-address 192.168.9.13/32
set firewall filter F1 term 2 from destination-address 208.84.244.116/32
set firewall filter F1 term 2 then routing-instance FBF-1
set firewall filter F1 term 3 from source-address 192.168.9.13/32
set firewall filter F1 term 3 from source-address 192.168.9.0/24
set firewall filter F1 term 3 from destination-address 0.0.0.0/0
set routing-instances FBF-1 instance-type forwarding
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 192.168.16.1
set routing-instances FBF-2 instance-type forwarding
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 192.168.15.1

=============================================================================================

RPM for PBR:

set services rpm probe Probe-Server test testsvr target address 186.192.90.5
set services rpm probe Probe-Server test testsvr probe-count 5
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 5
set services rpm probe Probe-Server test testsvr thresholds successive-loss 5
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/1.16
set services rpm probe Probe-Server test testsvr next-hop 192.168.16.1

set services rpm probe Probe-Server2 test testsvr target address 98.137.236.24
set services rpm probe Probe-Server2 test testsvr probe-count 5
set services rpm probe Probe-Server2 test testsvr probe-interval 5
set services rpm probe Probe-Server2 test testsvr test-interval 5
set services rpm probe Probe-Server2 test testsvr thresholds successive-loss 5
set services rpm probe Probe-Server2 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server2 test testsvr destination-interface ge-0/0/1.18
set services rpm probe Probe-Server2 test testsvr next-hop 192.168.15.1

set services rpm probe Teste-Link test chaveamento target address 98.137.236.24
set services rpm probe Teste-Link test chaveamento probe-count 5
set services rpm probe Teste-Link test chaveamento probe-interval 5
set services rpm probe Teste-Link test chaveamento test-interval 5
set services rpm probe Teste-Link test chaveamento thresholds successive-loss 5
set services rpm probe Teste-Link test chaveamento thresholds total-loss 5
set services rpm probe Teste-Link test chaveamento destination-interface ge-0/0/1.18
set services rpm probe Teste-Link test chaveamento next-hop 192.168.15.1

set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 192.168.15.1

set services ip-monitoring policy Server-Tracking2 match rpm-probe Probe-Server2
set services ip-monitoring policy Server-Tracking2 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 192.168.16.1

set services ip-monitoring policy teste-chaveameto match rpm-probe Teste-Link
set services ip-monitoring policy teste-chaveameto then preferred-route route 0.0.0.0/0 next-hop 192.168.16.1
set services ip-monitoring policy teste-chaveameto then interface ge-0/0/0.18 disable
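As an added example (not part of the post above): a small Python lint over Junos set-style configuration that flags static-route or ip-monitoring next-hops that fall outside every connected subnet, and references to interface units that are never defined. These are two consistency checks worth running on a dual-ISP failover design before debugging the tunnels themselves. The sample lines are constructed in the style of the post's config, not copied from it.

```python
import ipaddress
import re

# Constructed sample in the style of the post's config (two ISP units, two st0 units,
# primary/backup default routes, IKE gateways bound to each ISP unit, one ip-monitoring action).
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 18 family inet address 192.168.18.5/24
set interfaces ge-0/0/1 unit 16 family inet address 192.168.16.5/29
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set routing-options static route 0.0.0.0/0 next-hop 192.168.15.1
set routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.16.1 preference 2
set routing-options static route 192.168.10.0/24 next-hop st0.0
set routing-options static route 192.168.10.0/24 qualified-next-hop st0.1 preference 2
set security ike gateway gw_A external-interface ge-0/0/1.18
set security ike gateway gw_B external-interface ge-0/0/1.16
set services ip-monitoring policy P then interface ge-0/0/0.18 disable
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+)\b")
NEXTHOP_RE = re.compile(r"\b(?:qualified-)?next-hop (\S+)")
IFREF_RE = re.compile(r"\binterface ((?:ge|st)\S*?\.\d+)\b")  # e.g. external-interface ge-0/0/1.18


def lint(config):
    """Return findings: next-hops with no connected subnet and references to undefined units."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip().startswith("set ")]
    units, subnets = set(), []
    for ln in lines:  # first pass: collect every defined unit and every connected subnet
        if m := UNIT_RE.match(ln):
            units.add(f"{m.group(1)}.{m.group(2)}")
        if m := ADDR_RE.match(ln):
            subnets.append(ipaddress.ip_interface(m.group(3)).network)
    findings = []
    for ln in lines:  # second pass: check every next-hop and interface reference
        for nh in NEXTHOP_RE.findall(ln):
            try:
                ip = ipaddress.ip_address(nh)
            except ValueError:  # not an IP, so it is an interface next-hop such as st0.0
                if nh not in units:
                    findings.append(f"next-hop interface {nh} is not configured: {ln}")
                continue
            if not any(ip in net for net in subnets):
                findings.append(f"next-hop {nh} is not in any connected subnet: {ln}")
        for ref in IFREF_RE.findall(ln):
            if ref not in units:
                findings.append(f"interface {ref} is not configured: {ln}")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f)
```

On the constructed sample the lint reports the 192.168.15.1 next-hop (no interface in that subnet) and the ge-0/0/0.18 reference (no such unit); either kind of mismatch silently breaks a failover path.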

