[fw-wiz] null routes and VPNs



Hello,

Is it a wise idea to put a default route on the inside (trusted) side of a firewall with a high metric for when a VPN drops? Essentially, blackholing all traffic until the VPN comes back and the default route is again the end of the VPN?

Assuming there is a rule on the outside which allows only VPN traffic from the other end (point to point, and only traffic allowed through the VPN), should both ends of the VPN have null routes for when it's down (for traffic within the VLAN for this VPN)?

What would be the implementation side effects? Something along the lines of: once the VPN is up, it's a matter of the timeout on the routing protocol (say OSPF) to propagate the default route? Should a modernish firewall do this automagically anyway?

Cheers,
Kerry.
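To make the failure mode concrete, here is an added example (not from the original post) that models a route table with longest-prefix matching and metric tie-breaking, then compares what happens to traffic for the far site when the tunnel route disappears, with and without a high-metric blackhole route. The prefix 10.2.0.0/16, the next-hop names "isp-gw" and "tun0", and the metrics are constructed assumptions; the Linux command in the comment is the equivalent static blackhole route.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    metric: int
    via: Optional[str]  # None means a null/blackhole route: packet is dropped

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))

# Constructed example: the far end of the point-to-point VPN owns 10.2.0.0/16.
REMOTE_SITE = ipaddress.ip_network("10.2.0.0/16")

def build_table(vpn_up: bool, with_blackhole: bool) -> List[Route]:
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), 10, "isp-gw")]
    if with_blackhole:
        # Linux equivalent: ip route add blackhole 10.2.0.0/16 metric 1000
        # High metric, so it only wins once the tunnel route is withdrawn.
        table.append(Route(REMOTE_SITE, 1000, None))
    if vpn_up:
        # Learned/installed while the tunnel is up (e.g. via OSPF over it).
        table.append(Route(REMOTE_SITE, 10, "tun0"))
    return table

def egress_for(dst: str, vpn_up: bool, with_blackhole: bool) -> str:
    """Return the next hop a packet to dst takes, or 'drop' for a null route."""
    route = lookup(build_table(vpn_up, with_blackhole), dst)
    if route is None or route.via is None:
        return "drop"
    return route.via

if __name__ == "__main__":
    for up in (True, False):
        for bh in (True, False):
            print(f"vpn_up={up!s:5} blackhole={bh!s:5} -> "
                  f"10.2.5.7 via {egress_for('10.2.5.7', up, bh)}")
```

The case to look at is vpn_up=False without the blackhole: traffic for the far site falls through to the ISP default route and leaves the outside interface in the clear (relying solely on the outside rule set to stop it), whereas with the blackhole it is dropped locally until the tunnel route returns and its lower metric wins again.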



--
The Wellcome Trust Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards