Firewall Wizards mailing list archives
RE: L2L VPN redundancy for T1 link
From: "Paul Melson" <psmelson () comcast net>
Date: Wed, 20 Apr 2005 11:52:13 -0400
Can we safely assume that, since the other devices in the mix here are Cisco products, that when you say "firewall" you're talking about a PIX? (Hence the reluctance to ask the firewall to do any routing?)

Anyway, I think you've painted yourself into a corner here. You might be able to eliminate the RAS network and attach the 3005 to your internal network, and configure it to do RRI and OSPF with the 2811 to get path failover there. But that still requires that all traffic passes through the 2811; it just happens behind the firewall instead of outside. It also means that you are stuck using the 3005's filtering capabilities to filter VPN clients and tunnels, which are subpar (to be kind). This may be preferable to using router ACLs to secure your T1, but that's a judgment call for your organization to make. So, I guess it's another option, but I'd stop short of calling it "better." The better option would be to replace the current firewall/VPN gear with devices that are designed for this type of failover scenario. :-\

PaulM

-----Original Message-----
Subject: [fw-wiz] L2L VPN redundancy for T1 link

We have a remote office (site B) to which we have a T1 link (from site A). The routers on each side of this T1 are Cisco 2811s, and they reside internal on our trusted networks, talking EIGRP to our other internal routers on both sides.

We currently have a site-to-site VPN connection between our firewalls, and the firewall on each side is the default route from the internal networks, so if the T1 goes down, the site A <-> site B traffic fails over to this L2L VPN, without any routing protocol needed on the firewall.

We also have a Cisco VPN3005 on a RAS leg of our firewall, for users to connect from home and while traveling. I do plan to move the L2L VPN to be terminated on these at some point, though right now that is not the case (it is currently terminated on the firewalls). Site B has essentially the same gear (VPN3005 going in soon).

A hopefully helpful diagram:

                       Internet
                          |
                          |
                          |           +--------------+
                          |           |              |
                          |           |   VPN3005    |
                          +-----------+ Concentrator |
                          |           |              |
                          |           +-----+--------+
                          |                 |
                   +------+------+          |
                   |             |          |
                   |  Firewall   +----------+-----
                   |             |   RAS Network
                   +------+------+
                          |
                          |
                   +------+------+
                   |  Internal   |   T1 to site B
                   |  T1 Router  +----------------------->
                   |    2811     |
                   +-------------+

The issue is that right now, when users connect with a VPN client to the site A VPN3005, they cannot access network resources at site B, and vice versa (since, on the firewall, the route to site B would be through the L2L VPN rather than towards the internal network where the T1 router resides).

When we move the L2L VPN over to the 3005s, then I presume when a client connects to site A's VPN3005 and tries to access the network at site B, the traffic will go across the L2L VPN. However, the performance of this is spotty, and we'd really like to be able to have this traffic go across the T1 instead.

We would like to:

- Configure it such that traffic from VPN clients to the opposite site will go across the T1 link.
- Still retain the L2L VPN as a failover for the T1 between A and B.
- If possible, not have a single point of failure for the link between A and B.

It seems relatively simple to satisfy the first two requirements, but I'm failing to see a good way to satisfy them all.

One possibility: Connect an interface from the internal T1 router (a 2811) directly to the Internet network, bypassing the firewall (and do the same at site B). Set up the L2L VPN on these routers, and then if the T1 fails it will simply fail over to the VPN, terminated on the same box.

PRO: Simple (KISS principle) - all data between site A and site B go through these routers regardless of whether the T1 is up or down. No routing protocols needed.

CON: Adding a device directly on the Internet which bypasses our firewall. A misconfiguration in the ACLs could allow traffic in or out to the Internet which might have otherwise been stopped by the firewall.

I've been whiteboarding other options, but they all either seem to require the firewall to speak a routing protocol, or have a single point of failure in the T1 routers. I'm fairly comfortable living with the latter, but I just want to make sure I'm not missing something here.

Are there better options I am missing?

Thank you!

johnS

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
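For reference, here is what the "2811 directly on the Internet" option from the original post looks like as a site A router configuration, with the interface ACLs written to address the CON raised there. This is an added example, not configuration from either poster; interface names, addresses (203.0.113.x, 10.1.0.0/16, 10.2.0.0/16), EIGRP AS 100 and the key placeholder are all assumed.

```cisco
! Site A 2811 for the "router on the Internet" option. Assumed values, not from
! the thread: Fa0/1 = Internet 203.0.113.1/30 (ISP next hop .254), site B peer
! 203.0.113.2, site A LAN 10.1.0.0/16, site B LAN 10.2.0.0/16, EIGRP AS 100.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto ipsec transform-set SITEB esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-SITEB        ! traffic that must be encrypted
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITEB
 match address VPN-SITEB
!
! Answers the poster's CON: with no firewall in front, the interface ACLs are
! the only control. Inbound: only IKE/ESP from the one peer. Outbound (checked
! after encryption): only IKE/ESP to that peer, so nothing leaves in the clear.
ip access-list extended INTERNET-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 deny   ip any any log
ip access-list extended INTERNET-OUT
 permit udp host 203.0.113.1 host 203.0.113.2 eq isakmp
 permit udp host 203.0.113.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 203.0.113.2
 deny   ip any any log
!
interface FastEthernet0/1
 description Internet (bypasses firewall)
 ip address 203.0.113.1 255.255.255.252
 ip access-group INTERNET-IN in
 ip access-group INTERNET-OUT out
 no ip proxy-arp
 no cdp enable
 crypto map L2L
!
! Failover with no routing protocol on the firewall: site B is normally learned
! by EIGRP over the T1 (AD 90); the floating static (AD 250) installs only when
! that route is gone and sends 10.2.0.0/16 out Fa0/1, where the crypto map encrypts it.
ip route 203.0.113.2 255.255.255.255 203.0.113.254
ip route 10.2.0.0 255.255.0.0 203.0.113.254 250
ip prefix-list SITEB-ONLY seq 10 permit 10.2.0.0/16
route-map STATIC-TO-EIGRP permit 10      ! redistribute only the site B prefix
 match ip address prefix-list SITEB-ONLY
router eigrp 100
 redistribute static metric 1544 20000 255 1 1500 route-map STATIC-TO-EIGRP
```

Site B mirrors this with the addresses swapped. On older IOS releases the inbound ACL is evaluated a second time against the decrypted packet, so on those releases INTERNET-IN also needs a permit for 10.2.0.0/16 to 10.1.0.0/16 or the tunnel traffic will be dropped and logged.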