Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
Site to Site VPN - Firewall vs Router
Hello, all.
I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.
We currently have Fortinet firewalls on all of our remote offices including the datacenter and already configured a few IPSec VPN tunnels between the datacenter and a small offices that are not connected to our MPLS network.
In this senario, I have a remote office which has MPLS and seperate Internet circuit and I want to create a backup route in case the MPLS at this remote office goes down.
My question is that which will be the best way to configure VPN as a backup route.
First one is to configure the VPN between the two firewalls from/to datacenter and the remote office. This will utilize the internet circuit from both locations and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.
Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891.
I would like to go with the second option but I wanted to ask for your opinion on this.
Thanks!!!!
I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.
We currently have Fortinet firewalls on all of our remote offices including the datacenter and already configured a few IPSec VPN tunnels between the datacenter and a small offices that are not connected to our MPLS network.
In this senario, I have a remote office which has MPLS and seperate Internet circuit and I want to create a backup route in case the MPLS at this remote office goes down.
My question is that which will be the best way to configure VPN as a backup route.
First one is to configure the VPN between the two firewalls from/to datacenter and the remote office. This will utilize the internet circuit from both locations and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.
Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891.
I would like to go with the second option but I wanted to ask for your opinion on this.
Thanks!!!!
Asked:
Who is Participating?
Your difficulty lies in the fact that the MPLS link is on the router while your VPN is on the firewall.
Be cause the two are not on the same device a backup failover setup is not available .
The VPN on the firewall will mean all inter MPLS destined network will always travel via the VPN until the external connection drops.
In your scenario the VPN needs to be on the router side such that the VPN only establishes when MPLS connection drops.
Be cause the two are not on the same device a backup failover setup is not available .
The VPN on the firewall will mean all inter MPLS destined network will always travel via the VPN until the external connection drops.
In your scenario the VPN needs to be on the router side such that the VPN only establishes when MPLS connection drops.
Sorry, I'm not asking for a failover senario here and I know how to setup redundancy.
I don't quite get what you are saying, no offense though.
Thanks.
I don't quite get what you are saying, no offense though.
Thanks.
What is your question?
Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
"My question is that which will be the best way to configure VPN as a backup route."
Routing is the solution, you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path and if the MPLS route is down/withdrawn your routing protocol ( if you have one) with dynamically reroute traffic over the VPN path.
harbor235 ;}
Routing is the solution, you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path and if the MPLS route is down/withdrawn your routing protocol ( if you have one) with dynamically reroute traffic over the VPN path.
harbor235 ;}
Site to Site VPN - Firewall vs Router
Thanks guys, but I'm not asking for how to create a backup route.
I presented two options, VPN through Firewall or Router and I am asking which method is more effective. As my subject says, "Firewall Vs Router".
Depends on your requirements, VPN is great for data protection if needed. However, if you have two routes to a destination why not have dynamic failure to keep access to a remote site up in more failure scenarios.
So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc ....
However, you will need to assesses you business requirements and make the appropriate decision .
harbor235 ;}
So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc ....
However, you will need to assesses you business requirements and make the appropriate decision .
harbor235 ;}
Yes, my hardware will support the VPN traffice, both Firewalls and Routers and yes I am able to manage either solutions.
Creating VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.
My main question is which will be more efficient VPN solution, using firewall as VPN or using router as VPN tunnel.
This is not "how to" question and it is more like choosing which method is preferred or best practices in this senario.
Why would using Firewall or Router differ depending on business requirements?
Thanks.
Creating VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.
My main question is which will be more efficient VPN solution, using firewall as VPN or using router as VPN tunnel.
This is not "how to" question and it is more like choosing which method is preferred or best practices in this senario.
However, you will need to assesses you business requirements and make the appropriate decision .What do you mena by this? Can you give me some examples?
Why would using Firewall or Router differ depending on business requirements?
Thanks.
There is no black and white answer here, it will depend. It will depend on your architecture, your security requirements and any business considerations.
From a security perspective I would like to inspect the traffic coming into my network. How do I archive that when the data is encrypted? One answer is to decrypt the traffic before traversing the Firewall/IDS/IDP systems so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc... Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.
harbor235 -}
From a security perspective I would like to inspect the traffic coming into my network. How do I archive that when the data is encrypted? One answer is to decrypt the traffic before traversing the Firewall/IDS/IDP systems so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc... Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.
harbor235 -}
Thanks, harbor.
The security is not an issue here as well since all internet traffic including VPN will go through the firewalls whether I setup VPN on the firewall or the router. (both datacenter and remote)
I guess this is more of a personal preferences.
I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.
Thanks.
The security is not an issue here as well since all internet traffic including VPN will go through the firewalls whether I setup VPN on the firewall or the router. (both datacenter and remote)
I guess this is more of a personal preferences.
I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.
Thanks.
Infamus,
The VPN in harbor scenario is a policy based acl i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. Have not dealt with a fortinet firewall in quite a long time, so can not say whether it has this capability.
As far as an MPLS/VPN terminating on the router would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall without the need to open firewall (WAN/outside side to allow MPLS sourced traffic)
MPLS \ / VPN Firewall to pass MPLS sourced traffic \
intenet <=> Router <=======================> Firewall <=> lan
\ <VPN to MPLS>/
The VPN in harbor scenario is a policy based acl i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. Have not dealt with a fortinet firewall in quite a long time, so can not say whether it has this capability.
As far as an MPLS/VPN terminating on the router would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall without the need to open firewall (WAN/outside side to allow MPLS sourced traffic)
MPLS \ / VPN Firewall to pass MPLS sourced traffic \
intenet <=> Router <=======================> Firewall <=> lan
\ <VPN to MPLS>/
Yeah, I'm leaning towards "firewall to firewall" solution now...
Both internet and MPLS are provided by the same IPS and they have a vpn package which I can choose. They told me that they are able to create a VPN tunnel from my remote site using internet circuit to one of the router in our MPLS cloud which is our datacenter. (I don't know how that is possible either but it was an option that they provided)
I know it is the best practice to have a seperate MPLS circuit from different ISP is ideal but with the given options, it is not possible at this time.
Thanks.
Both internet and MPLS are provided by the same IPS and they have a vpn package which I can choose. They told me that they are able to create a VPN tunnel from my remote site using internet circuit to one of the router in our MPLS cloud which is our datacenter. (I don't know how that is possible either but it was an option that they provided)
I know it is the best practice to have a seperate MPLS circuit from different ISP is ideal but with the given options, it is not possible at this time.
Thanks.
Why does that option make me nervous about trusting the ISP? That is, needing to?
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
Well, I do understand the "remote office internet router" part of it but I'm unclear as to the: This latter connection would have to flow through the main office firewall would it not? You may be able to do that, i.e. you may know how to do that, but I sense it's fraught with issues. I don't know how to do that but don't let me stop you on that account. :-)
In the other approach you say: Well, BOTH approaches will utilize the internet circuit from both locations.... it's the only one that's present at the time this is needed. I only mention this in case there's any confusion on my part.
I would choose because it's straightforward and understandable ( perhaps for others who have to maintain the system after you get hit by the proverbial bus).