Firewall Wizards mailing list archives

RE: L2L VPN redundancy for T1 link

From: "Sanford Reed" <sanford.reed () cox net>
Date: Thu, 21 Apr 2005 03:41:05 -0400

Actually more like this:

   Internet
       |
       |
       |
       |
       |
+--------------+
|              |
|  T1 Router   |                  
|              |
|              |
+--------------+
       |
       |
       |  ^
       |  |
       |GRE Tunnel
       |Via VPN
       |Tunnel to
       | Site B 
       |
       | 
+------+------+     +--------------+                  
|             |     |              |                  
|             |     | VPN3005      |                  
|   Firewall  +-----+ Concentrator +----- RAS Network
|             |     |              |                    
|             |     +--------------+         
+------+------+ 
       |        
       |        
       |
       |
+--------------+
|  Internal    |       
|   Router     |       
+ w/ GRE Tunnel+            T1 to site B                  
| to Site B    |-----------------------> 
| Internal     | 
|  Router      |
+--------------+ 
       |
     Site A  
     Internal
     Networks

Yes, I did mean FW to FW. My previous statement saying to "'flipped' the
Router" was not the best wording. I should have used the 'art' to better
indicate what I was trying to say so see my modified ASCII art of what I
meant. Sorry. I forgot that we were using the External Router to MLPS
'merger several Internet T1s to get the bandwidth desired and to do BGP
between two ISP Providers.

The GRE tunnel passes the internal routing information (EIGRP) between site
A & B. Because the GRE Tunnel is passing thru the VPN Tunnel the firewall
Rules will be bypassed. 

The Internal Router maintains the possible routes to Site B and will
automatically compensate for 'failure' of either possible route. The FW
Tunnel keeps the data secure when it is passing over the Internet.

However I have to point out that we did not have the 3005 to contend with
however I'm thinking that if you modify it as I indicated above. Setup
inbound rules to allow your Internet VPN users into the 3005 and then rules
to allow traffic from the 3005 to 'pass-thru' to the internal address range
it should work. This would have the added benefit of adding some FW controls
to both the Internet VPN Clients and the RAS clients. 

If your Raptor can accept the Internet T1 directly then you can eliminate
the external router.


Sanford Reed 
(V) 757.406.7067

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Stewart,
John
Sent: Wednesday, April 20, 2005 1:01 PM
To: 'sanford.reed () reed-assoc-llc com'
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] L2L VPN redundancy for T1 link


Sanford Reed wrote:

Our Router resided outside the Firewall with a HW - HW VPN tunnel
built between firewalls for fail over. To avid routing problems we 
built a GRE connection via the VPN tunnel between internal routers
to pass the needed EIGRP info. 

I think this would work for you if you 'flipped' the Router 
to the outside and configured it to do the Fail-over as needed.


So here's what I think you are describing, in beautiful ASCII art:



   Internet
       |
       |
       |            +--------------+
       |            |              |
       |            |  T1 Router   | T1 to site B
       +------------+              +----------------------->
       |            |              |
       |            +--------------+
       |
       |
       |
       |            +--------------+
       |            |              |
       |            | VPN3005      |
       +------------+ Concentrator |
       |            |              |
       |            +-----+--------+
       |                  |
+------+------+           |
|             |           |
|             |           |
|   Firewall  +-----------+-----
|             |    RAS Network
|             |
+------+------+
       |
       |
       |
       |
   Site A
   Internal
   Networks


You say that you have a HW-HW VPN tunnel (do you mean FW-FW?). How does the
traffic destined for site B from site A internal networks not go through
this, since the firewall is the first hop towards the T1 router (now
external)?

Do you somehow set up GRE to tunnel all internal traffic (along with EIGRP)
from an internal (site A) router to the T1 router, so the firewall doesn't
touch it? And then if the T1 tunnel (or the T1 router) fails, the default
route will now be to the firewall, so then the FW-FW VPN tunnel takes over?

Seems like this might also work if we move the L2L VPN tunnel over to the
3005's, too. The firewall would simply have a route for site B networks
pointing to the 3005. 

Sounds all a bit complicated, but if we want no single poitn of failure, I
guess it is not simple.

Interesting idea; thanks.

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- Re: L2L VPN redundancy for T1 link John Kougoulos (Apr 20)
- RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 20)
- RE: L2L VPN redundancy for T1 link Paul Melson (Apr 20)
- <Possible follow-ups>
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
- RE: L2L VPN redundancy for T1 link Stewart, John (Apr 20)
  - RE: L2L VPN redundancy for T1 link Sanford Reed (Apr 21)