Site to Site VPN - Firewall vs Router

Posted on 2013-11-24
Last Modified: 2013-11-26
Hello, all.

I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.

We currently have Fortinet firewalls at all of our remote offices, including the datacenter, and have already configured a few IPSec VPN tunnels between the datacenter and small offices that are not connected to our MPLS network.

In this scenario, I have a remote office which has MPLS and a separate Internet circuit, and I want to create a backup route in case the MPLS at this remote office goes down.

My question is which will be the best way to configure VPN as a backup route.

First one is to configure the VPN between the two firewalls from/to datacenter and the remote office.  This will utilize the internet circuit from both locations and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.

Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks.  The datacenter has Cisco 1921 and the remote office has Cisco 891.  

I would like to go with the second option but I wanted to ask for your opinion on this.

Thanks!!!!
Question by:Infamus
 
LVL 12

Author Comment

by:Infamus
ID: 39672753
In the datacenter, both MPLS and Internet is 100Mb so the bandwidth is not an issue here.
 
LVL 77

Expert Comment

by:arnold
ID: 39673760
Your difficulty lies in the fact that the MPLS link is on the router while your VPN is on the firewall.

Because the two are not on the same device, a backup failover setup is not available.

The VPN on the firewall will mean all inter-MPLS destined network traffic will always travel via the VPN until the external connection drops.

In your scenario the VPN needs to be on the router side such that the VPN only establishes when MPLS connection drops.
 
LVL 12

Author Comment

by:Infamus
ID: 39673797
Sorry, I'm not asking for a failover scenario here and I know how to set up redundancy.

I don't quite get what you are saying, no offense though.

Thanks.
 
LVL 77

Expert Comment

by:arnold
ID: 39674301
What is your question?

Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
 
LVL 32

Expert Comment

by:harbor235
ID: 39674744
"My question is that which will be the best way to configure VPN as a backup route."


Routing is the solution: you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path, and if the MPLS route is down/withdrawn your routing protocol (if you have one) will dynamically reroute traffic over the VPN path.


harbor235 ;}
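The route preference harbor235 describes (two candidate routes to the same remote prefix, the MPLS one with the lower metric, the VPN one carrying the higher metric, and re-selection when the MPLS route is withdrawn) as an added, runnable illustration. This is not configuration from the thread or from either vendor; it is a small routing-table model in Python, and the prefixes, next hops and path labels are constructed for the demo.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One candidate path to a prefix; the lower metric is preferred."""
    prefix: ipaddress.IPv4Network
    next_hop: str
    via: str      # which path learned it: "mpls" or "vpn" (constructed labels)
    metric: int


class Rib:
    """Routing table that keeps every candidate route per prefix."""

    def __init__(self) -> None:
        self._routes: dict[ipaddress.IPv4Network, list[Route]] = {}

    def add(self, route: Route) -> None:
        self._routes.setdefault(route.prefix, []).append(route)

    def withdraw(self, via: str) -> None:
        """Drop all routes learned over one path, as a routing protocol
        does when that link goes down."""
        for prefix in list(self._routes):
            kept = [r for r in self._routes[prefix] if r.via != via]
            if kept:
                self._routes[prefix] = kept
            else:
                del self._routes[prefix]

    def lookup(self, dst: str) -> Route | None:
        """Longest-prefix match first, then the lowest metric among candidates."""
        addr = ipaddress.IPv4Address(dst)
        matching = [p for p in self._routes if addr in p]
        if not matching:
            return None
        best_prefix = max(matching, key=lambda p: p.prefixlen)
        return min(self._routes[best_prefix], key=lambda r: r.metric)


# Constructed addressing: the remote-office LAN and the two next hops.
REMOTE_LAN = ipaddress.IPv4Network("10.50.0.0/16")
MPLS_ROUTE = Route(REMOTE_LAN, "172.16.0.1", "mpls", metric=10)
VPN_ROUTE = Route(REMOTE_LAN, "10.255.0.2", "vpn", metric=100)


def build_demo_rib() -> Rib:
    rib = Rib()
    rib.add(MPLS_ROUTE)
    rib.add(VPN_ROUTE)
    return rib


def failover_sequence(host: str = "10.50.1.25") -> tuple[str, str, str]:
    """Which path carries traffic to `host` before the MPLS route is
    withdrawn, while it is down, and after it is re-learned."""
    rib = build_demo_rib()
    before = rib.lookup(host).via
    rib.withdraw("mpls")          # MPLS link down: its route is withdrawn
    during = rib.lookup(host).via
    rib.add(MPLS_ROUTE)           # MPLS link back: route re-learned
    after = rib.lookup(host).via
    return before, during, after


if __name__ == "__main__":
    print(failover_sequence())   # ('mpls', 'vpn', 'mpls')
```

The same selection order is what a floating static route or a higher BGP/OSPF cost gives you on the real router: the VPN route sits in the table the whole time but only becomes active when nothing better remains for that prefix.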
 
LVL 12

Author Comment

by:Infamus
ID: 39674891
Site to Site VPN - Firewall vs Router

Thanks guys, but I'm not asking for how to create a backup route.

I presented two options, VPN through Firewall or Router and I am asking which method is more effective.  As my subject says, "Firewall Vs Router".
 
LVL 32

Expert Comment

by:harbor235
ID: 39674920
Depends on your requirements, VPN is great for data protection if needed. However, if you have two routes to a destination why not have dynamic failure to keep access to a remote site up in more failure scenarios.

So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc ....

However, you will need to assess your business requirements and make the appropriate decision.


harbor235 ;}
 
LVL 12

Author Comment

by:Infamus
ID: 39674959
Yes, my hardware will support the VPN traffic, both firewalls and routers, and yes, I am able to manage either solution.

Creating VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.

My main question is which will be the more efficient VPN solution, using the firewall for the VPN or using the router for the VPN tunnel.

This is not a "how to" question; it is more like choosing which method is preferred or best practice in this scenario.

"However, you will need to assess your business requirements and make the appropriate decision."
What do you mean by this?  Can you give me some examples?

Why would using Firewall or Router differ depending on business requirements?  

Thanks.
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 100 total points
ID: 39675171
There is no black and white answer here, it will depend. It will depend on your architecture, your security requirements and any business considerations.

From a security perspective I would like to inspect the traffic coming into my network. How do I achieve that when the data is encrypted? One answer is to decrypt the traffic before it traverses the Firewall/IDS/IDP systems so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc... Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.


harbor235 -}
 
LVL 12

Author Comment

by:Infamus
ID: 39675191
Thanks, harbor.

The security is not an issue here either, since all internet traffic, including VPN, will go through the firewalls whether I set up the VPN on the firewall or the router (both datacenter and remote).

I guess this is more of a personal preference.

I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.

Thanks.
 
LVL 77

Expert Comment

by:arnold
ID: 39675404
Infamus,

The VPN in harbor's scenario is a policy-based ACL, i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further.  I have not dealt with a Fortinet firewall in quite a long time, so I cannot say whether it has this capability.

As far as an MPLS/VPN terminating on the router, it would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall without the need to open the firewall (WAN/outside side) to allow MPLS-sourced traffic:
          MPLS \           /  VPN Firewall to pass MPLS sourced traffic \
internet <=>   Router  <=======================>           Firewall <=> lan
     \ <VPN to MPLS>/
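The point arnold makes above (and harbor235 before him): traffic coming out of the tunnel is decrypted and then run through an ordered ACL rather than being trusted because it arrived over the VPN. As an added illustration that is not the thread's own configuration nor any vendor's, the Python model below evaluates decrypted flows against a first-match ACL with an implicit deny at the end. The subnets, ports and sample flows are constructed for the demo.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """The fields of a decrypted packet that the ACL looks at."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any port

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.IPv4Address(flow.src) in self.src
            and ipaddress.IPv4Address(flow.dst) in self.dst
            and (self.proto is None or self.proto == flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


def evaluate(acl: tuple[Rule, ...], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow hits the implicit deny."""
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


ANY = ipaddress.IPv4Network("0.0.0.0/0")
REMOTE_LAN = ipaddress.IPv4Network("10.50.0.0/16")    # remote office LAN (constructed)
DC_SERVERS = ipaddress.IPv4Network("10.10.20.0/24")   # datacenter app servers (constructed)
DC_MGMT = ipaddress.IPv4Network("10.10.99.0/24")      # datacenter management net (constructed)

# Ordered policy for traffic arriving out of the tunnel. The management
# network is denied before the broader permits, and the trailing deny
# makes the default explicit for whoever reads the list later.
VPN_INBOUND_ACL: tuple[Rule, ...] = (
    Rule("deny", REMOTE_LAN, DC_MGMT),
    Rule("permit", REMOTE_LAN, DC_SERVERS, "tcp", 443),
    Rule("permit", REMOTE_LAN, DC_SERVERS, "tcp", 445),
    Rule("deny", ANY, ANY),
)

# Constructed sample of flows as they look after decryption.
SAMPLE_FLOWS = (
    Flow("10.50.1.25", "10.10.20.7", "tcp", 443),   # remote user to web app
    Flow("10.50.1.25", "10.10.99.5", "tcp", 22),    # remote host to management SSH
    Flow("10.50.1.25", "10.10.20.7", "tcp", 3389),  # RDP to app server, not in the permits
    Flow("192.0.2.9", "10.10.20.7", "tcp", 443),    # source outside the tunnel's expected range
)


def filter_decrypted(flows: tuple[Flow, ...],
                     acl: tuple[Rule, ...] = VPN_INBOUND_ACL) -> list[tuple[Flow, str]]:
    """Apply the ACL to each decrypted flow and return (flow, decision) pairs."""
    return [(f, evaluate(acl, f)) for f in flows]


def decisions(flows: tuple[Flow, ...] = SAMPLE_FLOWS) -> list[str]:
    return [action for _, action in filter_decrypted(flows)]


if __name__ == "__main__":
    for flow, action in filter_decrypted(SAMPLE_FLOWS):
        print(f"{action:6} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Rule order is the whole point: the management-network deny has to sit above the permits, and a source address that the tunnel should never carry falls through to the final deny rather than being waved on because the packet was authenticated by IPsec.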
 
LVL 25

Accepted Solution

by:Fred Marshall
Fred Marshall earned 400 total points
ID: 39678009
It's not clear to me how you do this:
"Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks.  The datacenter has Cisco 1921 and the remote office has Cisco 891."
Well, I do understand the "remote office internet router" part of it but I'm unclear as to the:
"VPN between the Datacenter MPLS router"
This latter connection would have to flow through the main office firewall would it not?  You may be able to do that, i.e. you may know how to do that, but I sense it's fraught with issues.  I don't know how to do that but don't let me stop you on that account.  :-)

In the other approach you say:
"This will utilize the internet circuit from both locations and"
Well, BOTH approaches will utilize the internet circuit from both locations.... it's the only one that's present at the time this is needed.  I only mention this in case there's any confusion on my part.

I would choose
"configure the VPN between the two firewalls"
because it's straightforward and understandable (perhaps for others who have to maintain the system after you get hit by the proverbial bus).
 
LVL 12

Author Comment

by:Infamus
ID: 39678134
Yeah, I'm leaning towards "firewall to firewall" solution now...

Both internet and MPLS are provided by the same ISP and they have a VPN package which I can choose.  They told me that they are able to create a VPN tunnel from my remote site using the internet circuit to one of the routers in our MPLS cloud, which is our datacenter.  (I don't know how that is possible either, but it was an option that they provided.)

I know it is best practice to have a separate MPLS circuit from a different ISP, but with the given options it is not possible at this time.

Thanks.
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39678194
Why does that option make me nervous about trusting the ISP?  That is, needing to?
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
 
LVL 12

Author Comment

by:Infamus
ID: 39678245
Maybe they were referring to a VPN connection between the datacenter internet router and the remote location internet router, which makes more sense.

Thanks.