Firewall Wizards mailing list archives
RE: L2L VPN redundancy for T1 link
From: "Sanford Reed" <sanford.reed () cox net>
Date: Wed, 20 Apr 2005 11:18:03 -0400
I had a similar situation but we were configured differently. Our Router resided outside the Firewall with a HW - HW VPN tunnel built between firewalls for fail over. To avoid routing problems we built a GRE connection via the VPN tunnel between internal routers to pass the needed EIGRP info. I think this would work for you if you 'flipped' the Router to the outside and configured it to do the Fail-over as needed.

BTW our HW was all Cisco. External Routers were 2621XM. FWs - PIX515E, Internal Routers - 3662

Sanford Reed
(V) 757.406.7067

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart, John
Sent: Tuesday, April 19, 2005 6:55 PM
To: 'firewall-wizards () honor icsalabs com'
Subject: [fw-wiz] L2L VPN redundancy for T1 link

We have a remote office (site B) to which we have a T1 link (from site A). The routers on each side of this T1 are Cisco 2811's, and they reside internal on our trusted networks, talking EIGRP to our other internal routers on both sides.

We currently have a site to site VPN connection between our firewalls, and the firewall on each side is the default route from the internal networks, so if the T1 goes down, the site A <-> site B traffic fails over to this L2L VPN, without any routing protocol needed on the firewall.

We also have a Cisco VPN3005 on a RAS leg of our firewall, for users to connect from home and while traveling. I do plan to move the L2L VPN to be terminated on these at some point, though right now that is not the case (it is currently terminated on the firewalls).

Site B has essentially the same gear (VPN3005 going in soon).

A hopefully helpful diagram:

              Internet
                 |
                 |
        +--------+-------+              +--------------+
        |                |              |   VPN3005    |
        |    Firewall    +--------------+ Concentrator |
        |                |  RAS Network |              |
        +--------+-------+              +--------------+
                 |
                 |
        +--------+-------+
        |    Internal    |     T1 to site B
        |   T1 Router    +----------------------->
        |      2811      |
        +----------------+

The issue is that right now, when users connect with a VPN client to the site A VPN3005, they cannot access network resources at site B, and vice versa (since, on the firewall, the route to site B would be through the L2L VPN rather than towards the internal network where the T1 router resides).

When we move the L2L VPN over to the 3005's, then I presume when a client connects to site A's VPN3005 and tries to access the network at site B, the traffic will go across the L2L VPN. However, the performance of this is spotty, and we'd really like to be able to have this traffic go across the T1 instead.

We would like to:

- Configure it such that traffic from VPN clients to the opposite site will go across the T1 link.
- Still retain the L2L VPN as a failover for the T1 between A and B.
- If possible, not have a single point of failure for the link between A and B.

It seems relatively simple to satisfy the first two requirements, but I'm failing to see a good way to satisfy them all.

One possibility: Connect an interface from the internal T1 router (a 2811) directly to the Internet network, bypassing the firewall (and do the same at site B). Set up the L2L VPN on these routers, and then if the T1 fails it will simply fail over to the VPN, terminated on the same box.

PRO: Simple (KISS principle) - all data between site A and site B go through these routers regardless of whether the T1 is up or down. No routing protocols needed.

CON: Adding a device directly on the Internet which bypasses our firewall. A misconfiguration in the ACLs could allow traffic in or out to the Internet which might have otherwise been stopped by the firewall.

I've been whiteboarding other options, but they all either seem to require the firewall to speak a routing protocol, or have a single point of failure in the T1 routers. I'm fairly comfortable living with the latter, but I just want to make sure I'm not missing something here.

Are there better options I am missing?

Thank you!

johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
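The design Sanford describes, a GRE tunnel between the internal routers carried over the firewalls' L2L VPN and running EIGRP so the T1 stays primary and the tunnel takes over only when the T1 route disappears, would look roughly like this on site A's 2811. This is an added example, not configuration from either poster: the addresses (site A LAN 10.1.0.0/16 with the router at 10.1.0.1 and the firewall inside address at 10.1.0.254, site B LAN 10.2.0.0/16 with its router at 10.2.0.1), the EIGRP AS number and the interface names are constructed, and the firewalls' crypto ACLs and filters must already permit GRE between the two router addresses.

```cisco
! Site A internal router (2811) -- added example, not from the thread.
! Constructed addressing: site A LAN 10.1.0.0/16, site B LAN 10.2.0.0/16,
! site A router 10.1.0.1, site B router 10.2.0.1, site A firewall 10.1.0.254.
! The firewall L2L VPN and its ACLs must carry GRE (IP protocol 47)
! between 10.1.0.1 and 10.2.0.1 or the tunnel never comes up.
!
interface Serial0/0/0
 description T1 to site B (primary path)
 ip address 192.168.255.1 255.255.255.252
 bandwidth 1544
!
interface Tunnel0
 description GRE to site B router, carried over the firewall L2L VPN
 ip address 10.255.0.1 255.255.255.252
 tunnel source 10.1.0.1
 tunnel destination 10.2.0.1
 ! Make the tunnel a worse EIGRP path than the T1 so it only
 ! carries site A <-> site B traffic when the T1 route is gone.
 bandwidth 512
 delay 100000
 ! GRE keepalives take the tunnel line-protocol down if the VPN
 ! path breaks, so EIGRP drops the neighbor instead of blackholing.
 keepalive 10 3
 ! Leave room for GRE plus IPsec overhead on the firewall tunnel.
 ip mtu 1400
 ip tcp adjust-mss 1360
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 network 192.168.255.0 0.0.0.3
 ! The firewall stays the LAN default gateway and speaks no routing
 ! protocol; only the T1 and the tunnel form EIGRP adjacencies.
 passive-interface default
 no passive-interface Serial0/0/0
 no passive-interface Tunnel0
 no auto-summary
!
! Pin the tunnel endpoint to the firewall path so the tunnel can never
! be routed through itself once EIGRP learns 10.2.0.0/16 over it.
ip route 10.2.0.1 255.255.255.255 10.1.0.254
```

Site B mirrors this with the addresses swapped; since VPN-client traffic enters the LAN behind the firewall, it follows the same EIGRP route as everything else and uses the T1 while it is up.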
Current thread:
- L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- Re: L2L VPN redundancy for T1 link John Kougoulos (Apr 20)
- RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 20)
- RE: L2L VPN redundancy for T1 link Paul Melson (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 21)