Solved

Site to Site VPN - Firewall vs Router

Posted on 2013-11-24
493 Views
Last Modified: 2013-11-26
Hello, all.

I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.

We currently have Fortinet firewalls at all of our remote offices, including the datacenter, and have already configured a few IPSec VPN tunnels between the datacenter and the small offices that are not connected to our MPLS network.

In this scenario, I have a remote office which has MPLS and a separate Internet circuit, and I want to create a backup route in case the MPLS at this remote office goes down.

My question is which will be the best way to configure VPN as a backup route.

First one is to configure the VPN between the two firewalls from/to the datacenter and the remote office. This will utilize the internet circuit from both locations, and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.

Second one is to configure IPSec VPN between the datacenter MPLS router and the remote office internet router, using BGP for the routing between all MPLS networks. The datacenter has a Cisco 1921 and the remote office has a Cisco 891.

I would like to go with the second option but I wanted to ask for your opinion on this.

Thanks!!!!
Question by:Infamus
15 Comments
 
LVL 12

Author Comment

by:Infamus
In the datacenter, both MPLS and Internet are 100Mb, so bandwidth is not an issue here.
0
 
LVL 76

Expert Comment

by:arnold
Your difficulty lies in the fact that the MPLS link is on the router while your VPN is on the firewall.

Because the two are not on the same device, a backup failover setup is not available.

The VPN on the firewall will mean all inter-MPLS destined network traffic will always travel via the VPN until the external connection drops.

In your scenario the VPN needs to be on the router side, such that the VPN only establishes when the MPLS connection drops.
0
 
LVL 12

Author Comment

by:Infamus
Sorry, I'm not asking for a failover scenario here, and I know how to set up redundancy.

I don't quite get what you are saying, no offense though.

Thanks.
0
 
LVL 76

Expert Comment

by:arnold
What is your question?

Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
0
 
LVL 32

Expert Comment

by:harbor235
"My question is that which will be the best way to configure VPN as a backup route."


Routing is the solution: you have two routes to the destination, one over MPLS and the other via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path, and if the MPLS route is down/withdrawn, your routing protocol (if you have one) will dynamically reroute traffic over the VPN path.


harbor235 ;}
0
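An added configuration example illustrating harbor235's point above; it is not from this thread or from either poster. It shows one way to express "prefer MPLS, fall back to the VPN" on a Cisco IOS router such as the 891 the question mentions: a floating static route toward the datacenter prefix via the tunnel with administrative distance 250, beneath a primary static route via the MPLS next hop that is conditioned on an IP SLA reachability track. All addresses, interface names, the probed next hop and the IPsec profile name are assumptions; the IPsec profile (ISAKMP policy, transform set) is assumed to be defined elsewhere.

```cisco
! Constructed example; every address, interface and profile name below is an assumption.
!
! MPLS-facing interface toward the provider PE (primary path)
interface GigabitEthernet0/0
 description MPLS to provider
 ip address 192.0.2.2 255.255.255.252
!
! GRE-over-IPsec tunnel across the Internet circuit to the datacenter (backup path)
! "DC-BACKUP" is a hypothetical IPsec profile assumed to exist in the config.
interface Tunnel0
 description Backup VPN to datacenter over Internet
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile DC-BACKUP
!
! Probe the MPLS next hop every 10 seconds; when it stops answering the track goes down
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Primary: datacenter prefix via MPLS, default AD 1, installed only while track 1 is up
ip route 10.10.0.0 255.255.0.0 192.0.2.1 track 1
!
! Backup (floating static): same prefix via the tunnel, AD 250, so it only enters the
! routing table once the primary route has been withdrawn
ip route 10.10.0.0 255.255.0.0 Tunnel0 250
```

With the MPLS path healthy, `show ip route 10.10.0.0` shows the AD-1 static via 192.0.2.1; when the probe fails the track drops, that route is removed and the AD-250 route via Tunnel0 takes over, then yields again once the probe recovers. If the datacenter prefix is instead learned over MPLS by BGP, as the question proposes, the tracked static is unnecessary: an eBGP route (AD 20) is still preferred over the floating static at 250, and it is withdrawn on its own when the BGP session drops.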
 
LVL 12

Author Comment

by:Infamus

Thanks guys, but I'm not asking for how to create a backup route.

I presented two options, VPN through firewall or router, and I am asking which method is more effective. As my subject says, "Firewall vs Router".
0
 
LVL 32

Expert Comment

by:harbor235
Depends on your requirements; VPN is great for data protection if needed. However, if you have two routes to a destination, why not have dynamic failover to keep access to a remote site up in more failure scenarios?

So, in the end, one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc.

However, you will need to assess your business requirements and make the appropriate decision.


harbor235 ;}
0
 
LVL 12

Author Comment

by:Infamus
Yes, my hardware will support the VPN traffic, both firewalls and routers, and yes, I am able to manage either solution.

Creating the VPN tunnel is not an issue here, configuring failover is not an issue here, and managing the device is not an issue here.

My main question is which will be the more efficient VPN solution: using the firewall for the VPN, or using the router for the VPN tunnel.

This is not a "how to" question; it is more like choosing which method is preferred, or best practice, in this scenario.

"However, you will need to assess your business requirements and make the appropriate decision."
What do you mean by this? Can you give me some examples?

Why would using a firewall or router differ depending on business requirements?

Thanks.
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 100 total points
There is no black and white answer here; it will depend. It will depend on your architecture, your security requirements and any business considerations.

From a security perspective, I would like to inspect the traffic coming into my network. How do I achieve that when the data is encrypted? One answer is to decrypt the traffic before traversing the firewall/IDS/IDP systems, so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc. Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.


harbor235 -}
0
 
LVL 12

Author Comment

by:Infamus
Thanks, harbor.

Security is not an issue here either, since all internet traffic, including VPN, will go through the firewalls whether I set up the VPN on the firewall or the router (both datacenter and remote).

I guess this is more of a personal preference.

I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.

Thanks.
0
 
LVL 76

Expert Comment

by:arnold
Infamus,

The VPN in harbor's scenario is a policy-based ACL, i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. I have not dealt with a Fortinet firewall in quite a long time, so I cannot say whether it has this capability.

As for an MPLS/VPN terminating on the router: it would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall, without the need to open the firewall (WAN/outside side) to allow MPLS-sourced traffic.

          MPLS \           /  VPN Firewall to pass MPLS sourced traffic \
internet <=>   Router  <=======================>           Firewall <=> lan
     \ <VPN to MPLS>/
0
 
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 400 total points
It's not clear to me how you do this:
"Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891."
Well, I do understand the "remote office internet router" part of it, but I'm unclear as to the:
"VPN between the Datacenter MPLS router"
This latter connection would have to flow through the main office firewall, would it not? You may be able to do that, i.e. you may know how to do that, but I sense it's fraught with issues. I don't know how to do that, but don't let me stop you on that account. :-)

In the other approach you say:
"This will utilize the internet circuit from both locations and"
Well, BOTH approaches will utilize the internet circuit from both locations... it's the only one that's present at the time this is needed. I only mention this in case there's any confusion on my part.

I would choose
"configure the VPN between the two firewalls"
because it's straightforward and understandable (perhaps for others who have to maintain the system after you get hit by the proverbial bus).
0
 
LVL 12

Author Comment

by:Infamus
Yeah, I'm leaning towards "firewall to firewall" solution now...

Both internet and MPLS are provided by the same ISP, and they have a VPN package which I can choose. They told me that they are able to create a VPN tunnel from my remote site, using the internet circuit, to one of the routers in our MPLS cloud, which is our datacenter. (I don't know how that is possible either, but it was an option that they provided.)

I know it is best practice to have a separate MPLS circuit from a different ISP, but with the given options, it is not possible at this time.

Thanks.
0
 
LVL 25

Expert Comment

by:Fred Marshall
Why does that option make me nervous about trusting the ISP? That is, needing to?
Some would want to have their MPLS traffic on a VPN for that reason...
I don't know what common practice is.
0
 
LVL 12

Author Comment

by:Infamus
Maybe they were referring to a VPN connection between the datacenter internet router and the remote location internet router, which makes more sense.

Thanks.
0