[fw-wiz] L2L VPN redundancy for T1 link

From: Stewart, John (johns_at_artesyncp.com)
Date: 04/20/05

  • Next message: Graham Allan: "Re: [fw-wiz] Out of Band management"
    To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 19 Apr 2005 18:55:19 -0500

    We have a remote office (site B) to which we have a T1 link (from site A).
    The routers on each side of this T1 are Cisco 2811s, and they reside on our
    internal trusted networks, talking EIGRP to our other internal routers on
    both sides.

    We currently have a site-to-site VPN connection between our firewalls, and
    the firewall on each side is the default route from the internal networks,
    so if the T1 goes down, the site A <-> site B traffic fails over to this L2L
    VPN, without any routing protocol needed on the firewall.

    We also have a Cisco VPN3005 on a RAS leg of our firewall, for users to
    connect from home and while traveling. I do plan to move the L2L VPN to be
    terminated on these at some point, though right now that is not the case (it
    is currently terminated on the firewalls).

    Site B has essentially the same gear (VPN3005 going in soon).

    A hopefully helpful diagram:

                  |        +--------------+
                  |        |              |
                  |        |   VPN3005    |
                  +--------+ Concentrator |
                  |        |              |
                  |        +-----+--------+
                  |              |
           +------+------+       |
           |             |       |
           |             |       |
           |  Firewall   +-------+-----
           |             |         RAS Network
           |             |
           |             |
           |  Internal   |  T1 to site B
           |  T1 Router  +----------------------->
           |    2811     |
           |             |

    The issue is that right now, when users connect with a VPN client to the
    site A VPN3005, they cannot access network resources at site B, and vice
    versa (since, on the firewall, the route to site B would be through the L2L
    VPN rather than towards the internal network where the T1 router resides).

    When we move the L2L VPN over to the 3005s, then I presume when a client
    connects to site A's VPN3005 and tries to access the network at site B, the
    traffic will go across the L2L VPN. However, the performance of this is
    spotty, and we'd really like to be able to have this traffic go across the
    T1 instead.

    We would like to:

    - Configure it such that traffic from VPN clients to the opposite site will
    go across the T1 link.
    - Still retain the L2L VPN as a failover for the T1 between A and B.
    - If possible, not have a single point of failure for the link between A and

    It seems relatively simple to satisfy the first two requirements, but I'm
    failing to see a good way to satisfy them all. One possibility:

    Connect an interface from the internal T1 router (a 2811) directly to the
    Internet network, bypassing the firewall (and do the same at site B). Set up
    the L2L VPN on these routers, and then if the T1 fails it will simply fail
    over to the VPN, terminated on the same box.

    Simple (KISS principle) - all data between site A and site B goes through
    these routers regardless of whether the T1 is up or down. No routing
    protocols needed.

    Adding a device directly on the Internet which bypasses our firewall. A
    misconfiguration in the ACLs could allow traffic in or out to the Internet
    which might have otherwise been stopped by the firewall.

    I've been whiteboarding other options, but they all either seem to require
    the firewall to speak a routing protocol, or have a single point of failure
    in the T1 routers. I'm fairly comfortable living with the latter, but I just
    want to make sure I'm not missing something here.

    Are there better options I am missing?

    Thank you!

    firewall-wizards mailing list
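The router-terminated option described in the post (L2L VPN on the internal 2811 with the T1 as the primary path, the VPN as an automatic failover, and the direct Internet leg locked down so that the "bypasses our firewall" concern is addressed) can be written as a Cisco IOS configuration. The following is an added example, not configuration from the original post, the list, or any vendor document. Every address (RFC 5737/1918 ranges), interface name, ACL and crypto-map name, and the EIGRP AS number are constructed placeholders; the pre-shared key is a placeholder; the IKE/IPsec parameters should be set to whatever the platform's IOS release supports.

```cisco
! Added example (not from the post). Site A 2811: T1 primary, IPsec L2L over
! a direct Internet interface as failover. All addresses, names and the
! EIGRP AS number are constructed placeholders.
!
! --- IKE/IPsec to the site B router (peer 203.0.113.2 is a placeholder) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set SITEB-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only site A <-> site B traffic is "interesting" to the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map SITEB-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITEB-TS
 match address VPN-TRAFFIC
!
! --- Mitigation for the "device directly on the Internet" concern: the
! Internet-facing interface admits nothing but IKE/ESP from the one known
! peer; everything else is dropped and logged. ---
ip access-list extended INTERNET-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 deny ip any any log
!
interface GigabitEthernet0/1
 description Direct Internet leg (firewall bypass; restricted by INTERNET-IN)
 ip address 203.0.113.1 255.255.255.252
 ip access-group INTERNET-IN in
 crypto map SITEB-MAP
!
interface Serial0/0/0
 description T1 to site B
 ip address 192.168.255.1 255.255.255.252
!
! Host route so the peer's public address is reachable via the ISP gateway
! (203.0.113.254 is a placeholder).
ip route 203.0.113.2 255.255.255.255 203.0.113.254
!
! Floating static (AD 250): ignored while EIGRP (AD 90) learns 10.2.0.0/16
! over the T1; installed automatically when the T1 route is withdrawn, at
! which point the packets leave via Gi0/1, match VPN-TRAFFIC and get encrypted.
ip route 10.2.0.0 255.255.0.0 203.0.113.254 250
!
! Internal routers must still see 10.2.0.0/16 via this router while the T1
! is down, so the floating static is redistributed into EIGRP. A static route
! is only redistributed while it is in the routing table, so the
! advertisement appears exactly when the failover path is active.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 192.168.255.0 0.0.0.3
 redistribute static
```

With this in place the firewall needs no routing protocol and no site B knowledge beyond a single static route for 10.2.0.0/16 pointing at the internal 2811, which also sends the VPN3005 client traffic across the T1 rather than the L2L VPN. Failover can be checked on the router with `show ip route 10.2.0.0`, which shows the EIGRP route while the T1 is up and the static route (AD 250) after it drops, and `show crypto isakmp sa` / `show crypto ipsec sa` confirm the tunnel has come up; `deny ip any any log` on INTERNET-IN gives a log entry for anything that reaches the exposed interface and is not the expected peer traffic, which is the detection point for the ACL-misconfiguration risk the post raises. Site B mirrors the configuration with the addresses swapped.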
