Asked by dshroutait

Site to Site to Site VPN with McAfee Enterprise Firewalls

I have a client with multiple locations and a primary hub we'll call MAIN. They would like to implement a solution so that if their primary location (MAIN) were to suffer some type of natural disaster, they can reroute all traffic to their offsite DR location, which hosts copies of their VMs/Servers/Apps/Etc...

They have their own DR (MAIN DR) site that all sites will route traffic through to the OFFSITE DR, so instead of creating a VPN connection from every separate site to the OFFSITE DR, they want all sites to route traffic through their MAIN DR to the OFFSITE DR. We tried to test this last week but ran into a snag.

SECONDARY SITE (10.0.10.0) <===VPN IPSEC===> MAIN DR (10.0.11.0) <====VPN IPSEC===> OFFSITE DR (10.0.12.0)

The VPN from MAIN DR to OFFSITE DR worked flawlessly, we could get to the backup servers and all services/apps worked without issues. Where we ran into trouble was getting the secondary site up and running. We could communicate back and forth from SECONDARY SITE to MAIN DR but no further.

My question is: does the OFFSITE DR need to have the SECONDARY SITE subnet listed in the presented VPNs for traffic to flow properly? Or do I need to set up static routes from SECONDARY SITE to OFFSITE DR? I'm sure this is pretty basic, but unfortunately it sort of got dropped in my lap last minute.

Just to be clear: IF the MAIN went down, they want to then be able to enable a VPN from the MAIN DR to OFFSITE DR and, from the separate sites, enable a VPN to the MAIN DR that will give them access to the resources at the OFFSITE DR.

In case I have not explained it well I tried to give a better explanation/diagram below.

Currently 13 locations connect into the MAIN for resources. Every night the servers get copied to the OFFSITE DR site (in another state). The idea is that IF the main site were to burn down, lose power, or suffer any other natural disaster, the 13 locations could enable their VPN to the MAIN DR firewall, which is connected to the OFFSITE DR site, and continue to work normally. What we do to test is disconnect the VPN from one location to the MAIN and enable the VPN from that location to the MAIN DR. The VPNs come up fine, but from that location you cannot access any resources at the OFFSITE DR. So the path of data should be like this:

SECONDARY SITE =====> MAIN DR =====> OFFSITE DR

and

OFFSITE DR =====> MAIN DR =====> SECONDARY SITE

Currently when testing I get this

SECONDARY SITE <====> MAIN DR <=====> OFFSITE DR

SECONDARY SITE <xxxx> OFFSITE DR

Sorry for the poor diagram, but basically I can't get to any of the resources at the OFFSITE DR from the SECONDARY SITE.

I also realize I could just create a tunnel from SECONDARY SITE directly to OFFSITE DR and have it work, but for auditing purposes all traffic needs to run through the MAIN DR to get to the OFFSITE DR.
Tags: Hardware Firewalls, Routers, VPN, Internet Protocol Security, Network Security

Last Comment: Anthony Carter, 8/22/2022 - Mon
SOLUTION
Anthony Carter

Log in or sign up to see answer
dshroutait

ASKER
Sorry for the lack of details. You are correct in assuming they are IPSEC site to site connections. Currently, when enabling the VPN from site 1 to site m, that connection works; when enabling the VPN from site m to site 2, that connection works as well. My issue is I cannot pass traffic from site 1 to site 2; the catch is it HAS to run through site m for auditing purposes.

No vlans. These are three /24 networks (10.0.0.1, 10.0.1.1, 10.0.2.1). Each site has its own McAfee Enterprise Firewall and dedicated connection.
SOLUTION
Anthony Carter

Log in or sign up to see answer
dshroutait

ASKER
Unfortunately with these devices I am unable to specify the VPN name for the static route. I can specify the destination and gateway. Could I specify the 10.0.0.0/24 and use the gateway of the device? For instance

Site 1
ip route 10.0.0.0 255.255.255.0 site2gw

Site 2
ip route 10.0.2.0 255.255.255.0 site1gw
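As an added illustration (not code from the page, the McAfee firewalls, or any of the answerers), here is a small Python model of policy-based IPsec on the three-site chain from the question: the subnets a tunnel "presents" are its traffic selectors, and a packet can only enter a tunnel whose local/remote selectors cover its source and destination. The subnets come from the question's diagram; the site names, the selector sets and the transit=True configuration are assumptions.

```python
from ipaddress import ip_address, ip_network

# Site subnets as drawn in the question.
SITES = {"SECONDARY": "10.0.10.0/24",
         "MAIN_DR": "10.0.11.0/24",
         "OFFSITE_DR": "10.0.12.0/24"}

def tunnels(transit):
    """Each tunnel is (site_a, nets_a, site_b, nets_b): the subnets each end
    presents as its traffic selectors. transit=False is the state in the
    question (each tunnel covers only its own two subnets); transit=True adds
    the far-end subnet on both hops (assumed configuration, not from the page)."""
    sec, mdr, off = SITES["SECONDARY"], SITES["MAIN_DR"], SITES["OFFSITE_DR"]
    if not transit:
        return [("SECONDARY", [sec], "MAIN_DR", [mdr]),
                ("MAIN_DR", [mdr], "OFFSITE_DR", [off])]
    return [("SECONDARY", [sec], "MAIN_DR", [mdr, off]),
            ("MAIN_DR", [mdr, sec], "OFFSITE_DR", [off])]

def selectors(site, transit):
    """Tunnels as seen from `site`: [(peer, local_nets, remote_nets), ...].
    Selectors are modelled as mirrored on both ends; a one-sided mismatch
    would fail the peer's inbound policy check in the same way."""
    out = []
    for a, na, b, nb in tunnels(transit):
        if a == site:
            out.append((b, na, nb))
        elif b == site:
            out.append((a, nb, na))
    return out

def covered(addr, nets):
    return any(ip_address(addr) in ip_network(n) for n in nets)

def trace(src, dst, start, transit):
    """Forward a packet hop by hop under policy-based IPsec: it may only enter
    a tunnel whose (local, remote) selectors cover (src, dst). Returns the
    sites traversed, ending in 'DELIVERED' or 'DROPPED@<site>'."""
    site, path = start, [start]
    for _ in range(len(SITES)):
        if covered(dst, [SITES[site]]):
            return path + ["DELIVERED"]
        nxt = next((peer for peer, loc, rem in selectors(site, transit)
                    if covered(src, loc) and covered(dst, rem)), None)
        if nxt is None:
            return path + [f"DROPPED@{site}"]
        site = nxt
        path.append(site)
    return path + ["DROPPED@hop-limit"]
```

With transit=False the model reproduces the symptom in the question (SECONDARY reaches MAIN DR but is dropped before OFFSITE DR); with transit=True both directions are delivered. On a route-based platform the same end-to-end coverage is expressed as a route for the far subnet pointing at the tunnel on every hop, which is what the static routes in the last comment are asking about.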
ASKER CERTIFIED SOLUTION
Log in to continue reading