RE: [fw-wiz] L2L VPN redundancy for T1 link

From: Stewart, John (johns_at_artesyncp.com)
Date: 04/20/05

    To: "'sanford.reed@reed-assoc-llc.com'" <sanford.reed@reed-assoc-llc.com>
    Date: Wed, 20 Apr 2005 13:00:56 -0500

    Sanford Reed wrote:

    > Our Router resided outside the Firewall with a HW - HW VPN tunnel
    > built between firewalls for fail over. To avoid routing problems we
    > built a GRE connection via the VPN tunnel between internal routers
    > to pass the needed EIGRP info.
    >
    > I think this would work for you if you 'flipped' the Router
    > to the outside and configured it to do the Fail-over as needed.

    So here's what I think you are describing, in beautiful ASCII art:

       Internet
           |
           |
           |            +--------------+
           |            |              |
           |            |  T1 Router   |  T1 to site B
           +------------+              +----------------------->
           |            |              |
           |            +--------------+
           |
           |
           |
           |            +--------------+
           |            |              |
           |            |   VPN3005    |
           +------------+ Concentrator |
           |            |              |
           |            +-----+--------+
           |                  |
    +------+------+           |
    |             |           |
    |             |           |
    |  Firewall   +-----------+-----
    |             |           RAS Network
    |             |
    +------+------+
           |
           |
           |
           |
       Site A
       Internal
       Networks

    You say that you have a HW-HW VPN tunnel (do you mean FW-FW?). How does the
    traffic destined for site B from site A internal networks not go through
    this, since the firewall is the first hop towards the T1 router (now
    external)?

    Do you somehow set up GRE to tunnel all internal traffic (along with EIGRP)
    from an internal (site A) router to the T1 router, so the firewall doesn't
    touch it? And then if the T1 tunnel (or the T1 router) fails, the default
    route will now be to the firewall, so then the FW-FW VPN tunnel takes over?

    Seems like this might also work if we move the L2L VPN tunnel over to the
    3005's, too. The firewall would simply have a route for site B networks
    pointing to the 3005.

    Sounds all a bit complicated, but if we want no single point of failure, I
    guess it is not simple.

    Interesting idea; thanks.

    johnS
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
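As an added illustration (not from the thread or either poster), the failover John describes, seen from the site A internal router in Cisco IOS syntax: EIGRP learns the site B networks over a GRE tunnel that rides the T1, and a floating static route with a high administrative distance points the same prefix at the firewall (which holds the FW-FW L2L tunnel), so it only becomes active once the tunnel route is withdrawn. Interface names, the EIGRP AS number and all addresses are constructed placeholders.

```cisco
! Site A internal router (constructed example; every address is a placeholder)
!
! GRE tunnel to the T1 router. GRE keepalives take the tunnel down when the
! T1 circuit or the T1 router fails, which makes EIGRP withdraw the routes
! it learned over it. Protocol 47 (GRE) between the two routers must be
! permitted on the firewall the tunnel crosses.
interface Tunnel0
 description GRE to T1 router (primary path to site B)
 ip address 10.255.0.1 255.255.255.252
 keepalive 5 3
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
!
interface FastEthernet0/0
 description inside LAN; firewall inside interface is 10.1.0.254
 ip address 10.1.0.1 255.255.255.0
!
! Pin the tunnel endpoint behind the firewall so it is never learned via the
! tunnel itself (recursive routing would flap the tunnel).
ip route 192.0.2.1 255.255.255.255 10.1.0.254
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
 passive-interface default
 no passive-interface Tunnel0
!
! Floating static: AD 250 loses to EIGRP (AD 90) while the tunnel is up, and
! takes over only when the EIGRP route is gone, steering site B traffic to
! the firewall and its FW-FW VPN.
ip route 10.2.0.0 255.255.0.0 10.1.0.254 250
```

Note that the firewall end needs a matching route for the site B prefix into its L2L tunnel, and the site B side needs the mirror configuration so return traffic fails over the same way.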
