RE: [fw-wiz] L2L VPN redundancy for T1 link

From: Sanford Reed (sanford.reed_at_cox.net)
Date: 04/21/05

    To: "'Stewart, John'" <johns@artesyncp.com>
    Date: Thu, 21 Apr 2005 03:41:05 -0400
    
    

    Actually more like this:

           Internet
               |
               |
               |
        +--------------+
        |              |
        |  T1 Router   |
        |              |
        +--------------+
               |
               |
               |  ^
               |  |  GRE Tunnel
               |  |  via VPN
               |  |  Tunnel to
               |  |  Site B
               |
        +------+------+     +--------------+
        |             |     |              |
        |             |     |   VPN3005    |
        |  Firewall   +-----+ Concentrator +----- RAS Network
        |             |     |              |
        |             |     +--------------+
        +------+------+
               |
               |
        +--------------+
        |   Internal   |
        |    Router    |
        + w/ GRE Tunnel+   T1 to site B
        |  to Site B   |----------------------->
        |   Internal   |
        |    Router    |
        +--------------+
               |
             Site A
             Internal
             Networks

    Yes, I did mean FW to FW. My previous statement saying to "'flipped' the
    Router" was not the best wording. I should have used the 'art' to better
    indicate what I was trying to say, so see my modified ASCII art of what I
    meant. Sorry. I forgot that we were using the External Router to MLPS
    'merge' several Internet T1s to get the bandwidth desired and to do BGP
    between two ISP Providers.

    The GRE tunnel passes the internal routing information (EIGRP) between site
    A & B. Because the GRE Tunnel is passing thru the VPN Tunnel the firewall
    Rules will be bypassed.

    The Internal Router maintains the possible routes to Site B and will
    automatically compensate for 'failure' of either possible route. The FW
    Tunnel keeps the data secure when it is passing over the Internet.

    However, I have to point out that we did not have the 3005 to contend with.
    However, I'm thinking that if you modify it as I indicated above, set up
    inbound rules to allow your Internet VPN users into the 3005, and then rules
    to allow traffic from the 3005 to 'pass-thru' to the internal address range,
    it should work. This would have the added benefit of adding some FW controls
    to both the Internet VPN Clients and the RAS clients.

    If your Raptor can accept the Internet T1 directly then you can eliminate
    the external router.

    Sanford Reed
    (V) 757.406.7067
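    Added example, not from either poster's network: a Cisco IOS-style configuration for the Site A internal router described above, with the T1 as the preferred EIGRP path, the GRE tunnel (carried inside the FW-to-FW VPN) as the backup, and an access list on the tunnel interface to restore some of the filtering the firewall cannot apply to the encapsulated traffic. All addresses, interface names and the EIGRP AS number are constructed assumptions.

```cisco
! Added example (not from the thread). Assumed/constructed values:
!   Site A LAN 10.1.0.0/16, Site B LAN 10.2.0.0/16
!   GRE endpoints: 10.1.0.1 (this router) / 10.2.0.1 (Site B internal router)
!   Tunnel link 10.255.0.0/30, T1 link 192.168.99.0/30, EIGRP AS 100
!
interface FastEthernet0/0
 description Site A internal networks
 ip address 10.1.0.1 255.255.0.0
!
! Primary path: the T1 to Site B.
interface Serial0/0
 description T1 to Site B
 ip address 192.168.99.1 255.255.255.252
!
! Backup path: GRE to Site B's internal router. The GRE packets are routed
! toward the firewall, which carries them inside the FW-to-FW IPsec tunnel.
! (The firewalls must still permit IP protocol 47 between 10.1.0.1 and
! 10.2.0.1 inside that tunnel.)
interface Tunnel0
 description GRE to Site B via FW-FW VPN
 ip address 10.255.0.1 255.255.255.252
 tunnel source 10.1.0.1
 tunnel destination 10.2.0.1
 tunnel mode gre ip
 ! Detect a dead tunnel (e.g. VPN down) so EIGRP drops the neighbor quickly.
 keepalive 10 3
 ! Keep the tunnel's EIGRP metric worse than the T1's so it is only used
 ! when the T1 path disappears (the default tunnel bandwidth already does
 ! this; setting delay explicitly guards against a later bandwidth change).
 delay 100000
 ! The firewall never inspects the inner packets, so filter them here.
 ip access-group FROM-SITE-B in
!
ip access-list extended FROM-SITE-B
 permit eigrp any any
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 deny   ip any any log
!
! EIGRP runs over both links; when the T1 fails, the tunnel-learned
! routes for Site B take over without manual intervention.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 network 192.168.99.0 0.0.0.3
 no auto-summary
```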

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Stewart,
    John
    Sent: Wednesday, April 20, 2005 1:01 PM
    To: 'sanford.reed@reed-assoc-llc.com'
    Cc: firewall-wizards@honor.icsalabs.com
    Subject: RE: [fw-wiz] L2L VPN redundancy for T1 link

    Sanford Reed wrote:

    > Our Router resided outside the Firewall with a HW - HW VPN tunnel
    > built between firewalls for fail over. To avoid routing problems we
    > built a GRE connection via the VPN tunnel between internal routers
    > to pass the needed EIGRP info.
    >
    > I think this would work for you if you 'flipped' the Router
    > to the outside and configured it to do the Fail-over as needed.

    So here's what I think you are describing, in beautiful ASCII art:

           Internet
               |
               |
               |     +--------------+
               |     |              |
               |     |  T1 Router   |   T1 to site B
               +-----+              +----------------------->
               |     |              |
               |     +--------------+
               |
               |
               |
               |     +--------------+
               |     |              |
               |     |   VPN3005    |
               +-----+ Concentrator |
               |     |              |
               |     +-----+--------+
               |           |
        +------+------+    |
        |             |    |
        |             |    |
        |  Firewall   +----+-----
        |             |  RAS Network
        |             |
        +------+------+
               |
               |
               |
           Site A
           Internal
           Networks

    You say that you have a HW-HW VPN tunnel (do you mean FW-FW?). How does the
    traffic destined for site B from site A internal networks not go through
    this, since the firewall is the first hop towards the T1 router (now
    external)?

    Do you somehow set up GRE to tunnel all internal traffic (along with EIGRP)
    from an internal (site A) router to the T1 router, so the firewall doesn't
    touch it? And then if the T1 tunnel (or the T1 router) fails, the default
    route will now be to the firewall, so then the FW-FW VPN tunnel takes over?

    Seems like this might also work if we move the L2L VPN tunnel over to the
    3005's, too. The firewall would simply have a route for site B networks
    pointing to the 3005.

    Sounds all a bit complicated, but if we want no single point of failure, I
    guess it is not simple.

    Interesting idea; thanks.

    johnS
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


