WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!
Solved
Site to Site VPN - Firewall vs Router
Posted on 2013-11-24
Hello, all.
I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.
We currently have Fortinet firewalls on all of our remote offices including the datacenter and already configured a few IPSec VPN tunnels between the datacenter and a small offices that are not connected to our MPLS network.
In this senario, I have a remote office which has MPLS and seperate Internet circuit and I want to create a backup route in case the MPLS at this remote office goes down.
My question is that which will be the best way to configure VPN as a backup route.
First one is to configure the VPN between the two firewalls from/to datacenter and the remote office. This will utilize the internet circuit from both locations and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.
Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891.
I would like to go with the second option but I wanted to ask for your opinion on this.
Thanks!!!!
I need some advice on configuring site to site VPN tunnel between our datacenter and a remote office.
We currently have Fortinet firewalls on all of our remote offices including the datacenter and already configured a few IPSec VPN tunnels between the datacenter and a small offices that are not connected to our MPLS network.
In this senario, I have a remote office which has MPLS and seperate Internet circuit and I want to create a backup route in case the MPLS at this remote office goes down.
My question is that which will be the best way to configure VPN as a backup route.
First one is to configure the VPN between the two firewalls from/to datacenter and the remote office. This will utilize the internet circuit from both locations and all the routing will be handled by the firewalls in between the MPLS sites through the datacenter.
Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891.
I would like to go with the second option but I wanted to ask for your opinion on this.
Thanks!!!!
-
7
-
3
3- +1
15 Comments
Active today
Your difficulty lies in the fact that the MPLS link is on the router while your VPN is on the firewall.
Be cause the two are not on the same device a backup failover setup is not available .
The VPN on the firewall will mean all inter MPLS destined network will always travel via the VPN until the external connection drops.
In your scenario the VPN needs to be on the router side such that the VPN only establishes when MPLS connection drops.
Be cause the two are not on the same device a backup failover setup is not available .
The VPN on the firewall will mean all inter MPLS destined network will always travel via the VPN until the external connection drops.
In your scenario the VPN needs to be on the router side such that the VPN only establishes when MPLS connection drops.
Sorry, I'm not asking for a failover senario here and I know how to setup redundancy.
I don't quite get what you are saying, no offense though.
Thanks.
I don't quite get what you are saying, no offense though.
Thanks.
Active today
What is your question?
Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
Re-reading your question it seems that you are asking which approach to use to effectively create a backup at a location that has MPLS for a time when the MPLS goes down.
"My question is that which will be the best way to configure VPN as a backup route."
Routing is the solution, you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path and if the MPLS route is down/withdrawn your routing protocol ( if you have one) with dynamically reroute traffic over the VPN path.
harbor235 ;}
Routing is the solution, you have two routes to the destination, one is over MPLS and the other is via a VPN tunnel. You can achieve this by setting a higher metric on the VPN path. Prefer the MPLS path and if the MPLS route is down/withdrawn your routing protocol ( if you have one) with dynamically reroute traffic over the VPN path.
harbor235 ;}
Site to Site VPN - Firewall vs Router
Thanks guys, but I'm not asking for how to create a backup route.
I presented two options, VPN through Firewall or Router and I am asking which method is more effective. As my subject says, "Firewall Vs Router".
Depends on your requirements, VPN is great for data protection if needed. However, if you have two routes to a destination why not have dynamic failure to keep access to a remote site up in more failure scenarios.
So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc ....
However, you will need to assesses you business requirements and make the appropriate decision .
harbor235 ;}
So, in the end one is as good as the other from a routing perspective. Additional items to consider are complexity, management, do I have resources available to manage both solutions? Will my hardware support the VPN traffic? etc ....
However, you will need to assesses you business requirements and make the appropriate decision .
harbor235 ;}
Yes, my hardware will support the VPN traffice, both Firewalls and Routers and yes I am able to manage either solutions.
Creating VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.
My main question is which will be more efficient VPN solution, using firewall as VPN or using router as VPN tunnel.
This is not "how to" question and it is more like choosing which method is preferred or best practices in this senario.
Why would using Firewall or Router differ depending on business requirements?
Thanks.
Creating VPN tunnel is not an issue here, configuring failover is not an issue here and managing the device is not an issue here.
My main question is which will be more efficient VPN solution, using firewall as VPN or using router as VPN tunnel.
This is not "how to" question and it is more like choosing which method is preferred or best practices in this senario.
However, you will need to assesses you business requirements and make the appropriate decision .What do you mena by this? Can you give me some examples?
Why would using Firewall or Router differ depending on business requirements?
Thanks.
There is no black and white answer here, it will depend. It will depend on your architecture, your security requirements and any business considerations.
From a security perspective I would like to inspect the traffic coming into my network. How do I archive that when the data is encrypted? One answer is to decrypt the traffic before traversing the Firewall/IDS/IDP systems so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc... Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.
harbor235 -}
From a security perspective I would like to inspect the traffic coming into my network. How do I archive that when the data is encrypted? One answer is to decrypt the traffic before traversing the Firewall/IDS/IDP systems so that all traffic can be inspected. For VPN termination and increased security you can use a dedicated VPN device, the router, the firewall, etc... Many different IT professionals will have different solutions, but in my opinion you want the traffic decrypted before it enters your network to interact with business resources.
harbor235 -}
Thanks, harbor.
The security is not an issue here as well since all internet traffic including VPN will go through the firewalls whether I setup VPN on the firewall or the router. (both datacenter and remote)
I guess this is more of a personal preferences.
I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.
Thanks.
The security is not an issue here as well since all internet traffic including VPN will go through the firewalls whether I setup VPN on the firewall or the router. (both datacenter and remote)
I guess this is more of a personal preferences.
I'm going to leave this thread open for a couple of days in case someone wants to add their comments and I will close it then.
Thanks.
Active today
Infamus,
The VPN in harbor scenario is a policy based acl i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. Have not dealt with a fortinet firewall in quite a long time, so can not say whether it has this capability.
As far as an MPLS/VPN terminating on the router would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall without the need to open firewall (WAN/outside side to allow MPLS sourced traffic)
MPLS \ / VPN Firewall to pass MPLS sourced traffic \
intenet <=> Router <=======================> Firewall <=> lan
\ <VPN to MPLS>/
The VPN in harbor scenario is a policy based acl i.e. traffic within the VPN is not automatically treated as trusted. The traffic is decrypted and then checked against an ACL to see whether or not to allow it further. Have not dealt with a fortinet firewall in quite a long time, so can not say whether it has this capability.
As far as an MPLS/VPN terminating on the router would require a VPN between the local router and the firewall behind it to pass this "trusted" traffic through to the firewall without the need to open firewall (WAN/outside side to allow MPLS sourced traffic)
MPLS \ / VPN Firewall to pass MPLS sourced traffic \
intenet <=> Router <=======================> Firewall <=> lan
\ <VPN to MPLS>/
Active today
It's not clear to me how you do this:
In the other approach you say:
I would choose
Second one is to configure IPSec VPN between the Datacenter MPLS router and remote office internet router using BGP for the routing between all MPLS networks. The datacenter has Cisco 1921 and the remote office has Cisco 891.Well, I do understand the "remote office internet router" part of it but I'm unclear as to the:
VPN between the Datacenter MPLS routerThis latter connection would have to flow through the main office firewall would it not? You may be able to do that, i.e. you may know how to do that, but I sense it's fraught with issues. I don't know how to do that but don't let me stop you on that account. :-)
In the other approach you say:
This will utilize the internet circuit from both locations andWell, BOTH approaches will utilize the internet circuit from both locations.... it's the only one that's present at the time this is needed. I only mention this in case there's any confusion on my part.
I would choose
configure the VPN between the two firewallsbecause it's straightforward and understandable ( perhaps for others who have to maintain the system after you get hit by the proverbial bus).
Yeah, I'm leaning towards "firewall to firewall" solution now...
Both internet and MPLS are provided by the same IPS and they have a vpn package which I can choose. They told me that they are able to create a VPN tunnel from my remote site using internet circuit to one of the router in our MPLS cloud which is our datacenter. (I don't know how that is possible either but it was an option that they provided)
I know it is the best practice to have a seperate MPLS circuit from different ISP is ideal but with the given options, it is not possible at this time.
Thanks.
Both internet and MPLS are provided by the same IPS and they have a vpn package which I can choose. They told me that they are able to create a VPN tunnel from my remote site using internet circuit to one of the router in our MPLS cloud which is our datacenter. (I don't know how that is possible either but it was an option that they provided)
I know it is the best practice to have a seperate MPLS circuit from different ISP is ideal but with the given options, it is not possible at this time.
Thanks.
Active today
Why does that option make me nervous about trusting the ISP? That is, needing to?
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
Some would want to have their MPLS traffic on a VPN for that reason.....
I don't know what common practice is.
Featured Post
In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
In the hope of saving someone else's sanity...
About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Course of the Month6 days, 15 hours left to enroll
589 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.