Infamus asked:

Site to Site VPN - Firewall vs Router

Hello, all.

I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.

We currently have Fortinet firewalls at all of our remote offices including the datacenter, and we have already configured a few IPSec VPN tunnels between the datacenter and small offices that are not connected to our MPLS network.

In this scenario, I have a remote office which has MPLS and a separate Internet circuit, and I want to create a backup route in case the MPLS at this remote office goes down.

My question is which will be the best way to configure VPN as a backup route.

First one is to configure the VPN between the two firewalls from/to the datacenter and the remote office. This will utilize the internet circuit at both locations, and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.

Second one is to configure IPSec VPN between the datacenter MPLS router and the remote office internet router, using BGP for the routing between all MPLS networks. The datacenter has a Cisco 1921 and the remote office has a Cisco 891.

I would like to go with the second option but I wanted to ask for your opinion on this.

Thanks!!!!
Infamus (ASKER):

In the datacenter, both MPLS and Internet are 100Mb, so bandwidth is not an issue here.
arnold:

Your difficulty lies in the fact that the MPLS link is on the router while your VPN is on the firewall.

Because the two are not on the same device, a backup failover setup is not available.

The VPN on the firewall will mean all inter-MPLS destined network traffic will always travel via the VPN until the external connection drops.

In your scenario the VPN needs to be on the router side, such that the VPN only establishes when the MPLS connection drops.
Infamus (ASKER):

Sorry, I'm not asking for a failover scenario here and I know how to set up redundancy.

I don't quite get what you are saying, no offense though.

Thanks.
harbor235:

What is your question?

Re-reading your question, it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS, for a time when the MPLS goes down.
"My question is which will be the best way to configure VPN as a backup route."

Routing is the solution: you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path, and if the MPLS route is down/withdrawn your routing protocol (if you have one) will dynamically reroute traffic over the VPN path.


harbor235 ;}
Infamus (ASKER):

Thanks guys, but I'm not asking how to create a backup route.

I presented two options, VPN through Firewall or Router, and I am asking which method is more effective. As my subject says, "Firewall vs Router".
harbor235:

Depends on your requirements; VPN is great for data protection if needed. However, if you have two routes to a destination, why not have dynamic failover to keep access to a remote site up in more failure scenarios?

So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc.

However, you will need to assess your business requirements and make the appropriate decision.


harbor235 ;}
Infamus (ASKER):

Yes, my hardware will support the VPN traffic, both Firewalls and Routers, and yes I am able to manage either solution.

Creating a VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.

My main question is which will be the more efficient VPN solution: using the firewall as VPN or using the router as VPN tunnel.

This is not a "how to" question; it is more like choosing which method is preferred or best practice in this scenario.

"However, you will need to assess your business requirements and make the appropriate decision."
What do you mean by this? Can you give me some examples?

Why would using Firewall or Router differ depending on business requirements?

Thanks.
SOLUTION (harbor235)
Infamus (ASKER):

Thanks, harbor.

Security is not an issue here as well, since all internet traffic including VPN will go through the firewalls whether I set up the VPN on the firewall or the router (both datacenter and remote).

I guess this is more of a personal preference.

I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.

Thanks.
Infamus,

The VPN in harbor's scenario is a policy-based ACL, i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. I have not dealt with a Fortinet firewall in quite a long time, so I cannot say whether it has this capability.

As for an MPLS/VPN terminating on the router, it would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall, without the need to open the firewall (WAN/outside side) to allow MPLS-sourced traffic.
          MPLS \           /  VPN Firewall to pass MPLS sourced traffic \
internet <=>   Router  <=======================>           Firewall <=> lan
     \ <VPN to MPLS>/
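As an added example (not from any poster in this thread, and not the asker's actual configuration), the FortiOS CLI below sketches the remote-office side of the firewall-terminated option: a route-based IPsec tunnel to the datacenter firewall, a floating static route with a higher distance than the path via the MPLS router (harbor235's "higher metric on the VPN path"), a link monitor that withdraws the MPLS route when the probe fails, and explicit firewall policies on the tunnel interface so that decrypted traffic is still filtered and logged rather than implicitly trusted (arnold's policy-based point). Interface names, addresses, the probe target and the allowed services are all assumptions; the thread gives none of them.

```fortios
# Added example, not from the thread. Assumed values:
#   wan1 = internet circuit, internal = office LAN, 10.20.0.0/16 = office LAN,
#   10.0.0.0/16 = datacenter, 192.168.1.1 = MPLS router (Cisco 891) on the LAN,
#   203.0.113.2 = datacenter firewall public address, 10.0.0.1 = datacenter probe host.

# Phase 1: route-based (interface mode) tunnel; creates a tunnel interface named "dc-vpn"
config vpn ipsec phase1-interface
    edit "dc-vpn"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
    next
end

# Phase 2: traffic selectors for the tunnel
config vpn ipsec phase2-interface
    edit "dc-vpn-p2"
        set phase1name "dc-vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.20.0.0 255.255.0.0
        set dst-subnet 10.0.0.0 255.255.0.0
    next
end

# Routing: primary route to the datacenter via the MPLS router (distance 10),
# floating static via the tunnel (distance 250) that only wins once the primary is withdrawn.
config router static
    edit 1
        set dst 10.0.0.0 255.255.0.0
        set gateway 192.168.1.1
        set device "internal"
        set distance 10
    next
    edit 2
        set dst 10.0.0.0 255.255.0.0
        set device "dc-vpn"
        set distance 250
    next
end

# Link monitor: ping a datacenter host through the MPLS router; after 5 failures remove the
# distance-10 static so the tunnel route takes over, and restore it when the probe recovers.
config system link-monitor
    edit "mpls-probe"
        set srcintf "internal"
        set server "10.0.0.1"
        set gateway-ip 192.168.1.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end

# Policy: traffic leaving or entering the tunnel still hits firewall policy after decryption.
# Allow only the services the site needs (assumed here) and log everything that matches.
config firewall address
    edit "office-lan"
        set subnet 10.20.0.0 255.255.0.0
    next
    edit "dc-net"
        set subnet 10.0.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set name "lan-to-dc-via-vpn"
        set srcintf "internal"
        set dstintf "dc-vpn"
        set srcaddr "office-lan"
        set dstaddr "dc-net"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB" "DNS"
        set logtraffic all
    next
    edit 0
        set name "dc-to-lan-via-vpn"
        set srcintf "dc-vpn"
        set dstintf "internal"
        set srcaddr "dc-net"
        set dstaddr "office-lan"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set logtraffic all
    next
end
```

The datacenter firewall needs the mirror image (phase1/phase2 pointing back at the office, a static route for 10.20.0.0/16 over its tunnel interface, and matching policies). Because the firewall only sees the MPLS router as a next hop, the link monitor is what lets the firewall notice an MPLS outage at all; without it the distance-10 route stays installed and the floating route never activates, which is the "not on the same device" problem arnold describes.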
ASKER CERTIFIED SOLUTION
Infamus (ASKER):

Yeah, I'm leaning towards the "firewall to firewall" solution now...

Both internet and MPLS are provided by the same ISP, and they have a VPN package which I can choose. They told me that they are able to create a VPN tunnel from my remote site, using the internet circuit, to one of the routers in our MPLS cloud, which is our datacenter. (I don't know how that is possible either, but it was an option that they provided.)

I know that having a separate MPLS circuit from a different ISP is the best practice, but with the given options it is not possible at this time.

Thanks.
Why does that option make me nervous about trusting the ISP? That is, needing to?
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
Infamus (ASKER):

Maybe they were referring to a VPN connection between the datacenter internet router and the remote location internet router, which makes more sense.

Thanks.