Site to Site to Site VPN with McAfee Enterprise Firewalls

I have a client with multiple locations and a primary hub, which we'll call MAIN. They would like to implement a solution such that if their primary location (MAIN) were to suffer some type of natural disaster, they could reroute all traffic to their offsite DR location, which hosts copies of their VMs/servers/apps/etc.

They have their own DR site (MAIN DR) that all sites will route traffic through to the OFFSITE DR, so instead of creating a VPN connection from each separate site to the OFFSITE DR, they want all sites to route traffic through their MAIN DR to the OFFSITE DR. We tried to test this last week but ran into a snag.

SECONDARY SITE (10.0.10.0) <===VPN IPSEC===> MAIN DR (10.0.11.0) <====VPN IPSEC===> OFFSITE DR (10.0.12.0)

The VPN from MAIN DR to OFFSITE DR worked flawlessly; we could get to the backup servers, and all services/apps worked without issues. Where we ran into trouble was getting the secondary site up and running. We could communicate back and forth from SECONDARY SITE to MAIN DR but no further.

My question is: does the OFFSITE DR need to have the SECONDARY SITE subnet listed in the presented VPNs for traffic to flow properly? Or do I need to set up static routes from SECONDARY SITE to OFFSITE DR? I'm sure this is pretty basic, but unfortunately it sort of got dropped in my lap last minute.

Just to be clear: if MAIN went down, they want to be able to enable a VPN from MAIN DR to OFFSITE DR and, from the separate sites, enable a VPN to MAIN DR that will give them access to the resources at the OFFSITE DR.

In case I have not explained it well I tried to give a better explanation/diagram below.

Currently 13 locations connect into MAIN for resources. Every night the servers get copied to the OFFSITE DR site (in another state). The idea is that if the main site were to burn down, lose power, or suffer any other natural disaster, the 13 locations could enable their VPN to the MAIN DR firewall, which is connected to the OFFSITE DR site, and continue to work normally. What we do to test is disconnect the VPN from one location to MAIN and enable the VPN from that location to MAIN DR. The VPNs come up fine, but from that location you cannot access any resources at the OFFSITE DR. So the path of data should be like this:

SECONDARY SITE =====> MAIN DR =====> OFFSITE DR

and

OFFSITE DR =====> MAIN DR =====> SECONDARY SITE

Currently when testing I get this

SECONDARY SITE <====> MAIN DR <=====> OFFSITE DR

SECONDARY SITE <xxxx> OFFSITE DR

Sorry for the poor diagram, but basically I can't get to any of the resources at the OFFSITE DR from the SECONDARY SITE.

I also realize I could just create a tunnel from SECONDARY SITE directly to OFFSITE DR and have it work, but for auditing purposes all traffic needs to run through the MAIN DR to get to the OFFSITE DR.
dshroutait asked:
Anthony Carter commented:
MAIN DR site needs to know about all subnets and have firewalls and ACLs configured to allow packets from SECONDARY SITE through its other tunnel and from OFFSITE DR back through the SECONDARY SITE tunnel.

To simplify, I am going to call them site1 - sitem - site2.

You don't mention what you are using for the tunnels other than site-2-site.  I can create multiple site-2-site tunnels on my edge gateway, but I still need to allow the flow of packets.

So my procedure would probably be:

1) Get site1 to sitem working.
2) Get site2 to sitem working.
3) Not sure what you are using for site-2-site, but with IPSec, in the Phase 2 selectors you define the local IP address and the remote IP address of the IPSec tunnel (either a range or named addresses etc.). Now, I still need to command my firewall to accept traffic from the site1 subnet through to the site2 subnet as well as the site1 subnet through to the sitem subnet, otherwise it will just stop in sitem with dropped packets. You also need a return: site2 through to site1 and site2 through to sitem.

So for example, I have rules that say:

Incoming Interface: VPN Tunnel Interface
Source Address: Site1 Subnet
Outgoing Interface: Site2 Interface
Service: ALL | HTTP etc.
Action: Allow

Now, this becomes more complicated if they don't all come into the same device.  If you are using 2 different gateways, you essentially have to specify the rules on both but ALSO add a route from one gateway to the other by way of static route:

site1 subnet -> next hop -> gateway2site2
site2 subnet -> next hop -> gateway2site1

You also don't mention if these are VLANs or not.  Switch based ACLs may also be blocking you if these are VLANs.
dshroutait (Author) commented:
Sorry for the lack of details. You are correct in assuming they are IPSEC site-to-site connections. Currently, when enabling the VPN from site1 to sitem, that connection works; when enabling the VPN from sitem to site2, that connection works as well. My issue is I cannot pass traffic from site1 to site2; the catch is it HAS to run through sitem for auditing purposes.

No VLANs. These are three /24 networks (10.0.0.1, 10.0.1.1, 10.0.2.1). Each site has its own McAfee Enterprise Firewall and dedicated connection.
Anthony Carter commented:
Hi,

Ok, so what I understand is:

site1 (10.0.0.0)
sitem (10.0.1.0)
site2 (10.0.2.0)

You have tunnels:
10.0.0.0/24 -> 10.0.1.0/24
10.0.1.0/24 -> 10.0.2.0/24

Both those tunnels work, but 10.0.0.0/24 can't talk to 10.0.2.0/24
The tunnels have a "name", something like ipk_TUN-site1, ipk_TUN-site2.

So you add a static route (at MAIN) that defines
10.0.2.0/24 to go out the ipk_TUN-site2 tunnel (just the device name in my edge devices, essentially the exit device).
10.0.0.0/24 to go out the ipk_TUN-site1 tunnel.

You also need static routes on site1 to tell it to go through the ipk_TUN-site1 tunnel (unless all traffic is going down this tunnel):
10.0.2.0/24 to go out the ipk_TUN-site1
10.0.1.0/24 to go out the ipk_TUN-site1

And site2:
10.0.0.0/24 to go through ipk_TUN-site2
10.0.1.0/24 to go through ipk_TUN-site2

You then have to configure the device to "Allow" traffic from subnet site1 to subnet site2 and subnet site2 to subnet site1 (you probably did this already for subnet site1 to subnet sitem, subnet sitem to subnet site1 and the same 2 for site2.)

This is the command, if it helps you understand, in the majority of cases (for site2, first entry above):

ip route 10.0.0.0 255.255.255.0 ipk_TUN-site2

Please make sure you have configured the FIREWALL in the device to allow subnet 10.0.0.0/24 to talk to 10.0.2.0/24 and vice-versa as needed.
dshroutait (Author) commented:
Unfortunately, with these devices I am unable to specify the VPN name for the static route. I can specify the destination and gateway. Could I specify 10.0.0.0/24 and use the gateway of the device? For instance:

Site 1
ip route 10.0.0.0 255.255.255.0 site2gw

Site 2
ip route 10.0.2.0 255.255.255.0 site1gw
Anthony Carter commented:
Hi,

I don't know the model of the device nor the version of the OS you are using to be able to confirm your commands.

However, Site1
ip route 10.0.2.0 255.255.255.0 site1Tunnel

Site 2
ip route 10.0.0.0 255.255.255.0 site2Tunnel

You are configuring site 1 to know that if it needs to get to Site 2 that it must go through the tunnel to SiteM.
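The checklist in Anthony Carter's answers (Phase 2 selectors on each tunnel, filter rules at the hub, static routes at hub and spokes) can be walked mechanically. The script below is an added example, not code from the thread or from McAfee: it models the three-site topology with the thread's subnets and traces one packet each way, reporting which check drops it. The host addresses (10.0.0.10, 10.0.2.10), the tunnel names and the Gateway/Tunnel structures are assumptions, a generic abstraction of an IPsec gateway rather than McAfee Enterprise Firewall configuration.

```python
"""Hub-and-spoke IPsec reachability walk. Added example, not code from the
thread or from McAfee: it models the three things that must line up for
site1 -> sitem -> site2 transit (Phase 2 selectors on every tunnel, the hub's
filter rules, static routes). Gateway/Tunnel are a generic abstraction, not
McAfee Enterprise Firewall syntax; tunnel names and host IPs are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Tunnel:
    name: str
    peer_gw: str       # gateway at the far end
    peer_tunnel: str   # the far end's name for this same tunnel
    local: list        # Phase 2 local selectors: networks behind this gateway
    remote: list       # Phase 2 remote selectors: networks behind the peer

    def selects_out(self, src, dst):
        return any(src in n for n in self.local) and any(dst in n for n in self.remote)

    def selects_in(self, src, dst):
        return any(src in n for n in self.remote) and any(dst in n for n in self.local)


@dataclass
class Gateway:
    name: str
    lan: object        # directly attached network
    tunnels: dict      # tunnel name -> Tunnel
    routes: list       # (destination network, tunnel name)
    allow: list        # (src network, dst network) pairs the filter permits

    def permits(self, src, dst):
        return any(src in s and dst in d for s, d in self.allow)

    def next_tunnel(self, dst):
        # longest-prefix match over the static routes; None means no route
        hits = [(n, t) for n, t in self.routes if dst in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def trace(gws, start, src, dst, max_hops=8):
    """Follow one packet src->dst from gateway `start`. Returns
    (delivered, gateways visited, problems found at the hop that dropped it)."""
    src, dst = ip_address(src), ip_address(dst)
    gw, came_in_on, hops, problems = gws[start], None, [], []
    for _ in range(max_hops):
        hops.append(gw.name)
        # inbound SPD: the packet must fit the selectors of the SA it arrived on
        if came_in_on is not None and not came_in_on.selects_in(src, dst):
            problems.append(f"{gw.name}: {came_in_on.name} inbound selectors reject {src}->{dst}")
        if not gw.permits(src, dst):
            problems.append(f"{gw.name}: no filter rule allows {src}->{dst}")
        if dst in gw.lan:
            return not problems, hops, problems
        tname = gw.next_tunnel(dst)
        if tname is None:
            problems.append(f"{gw.name}: no route to {dst}")
            return False, hops, problems
        tun = gw.tunnels[tname]
        # outbound SPD: a route into the tunnel is useless if no selector matches
        if not tun.selects_out(src, dst):
            problems.append(f"{gw.name}: {tun.name} outbound selectors do not cover {src}->{dst}")
        if problems:
            return False, hops, problems
        gw = gws[tun.peer_gw]
        came_in_on = gw.tunnels[tun.peer_tunnel]
    return False, hops, problems + ["hop limit hit (routing loop?)"]


SITE1, SITEM, SITE2 = [ip_network(n) for n in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")]


def build(transit_selectors, hub_allow):
    """Thread topology. Spokes always route and permit both other subnets via the
    hub; the two flags are the pieces that make spoke-to-spoke transit work."""
    carried = {SITE1: [SITEM, SITE2], SITE2: [SITEM, SITE1]}  # what each spoke tunnel must carry
    hub_side = {n: (carried[n] if transit_selectors else [SITEM]) for n in carried}

    def spoke(name, lan, hub_tun):
        return Gateway(name, lan,
                       {"tun-m": Tunnel("tun-m", "sitem", hub_tun, [lan], hub_side[lan])},
                       [(n, "tun-m") for n in carried[lan]],
                       [(lan, n) for n in carried[lan]] + [(n, lan) for n in carried[lan]])

    hub_rules = [(SITEM, SITE1), (SITE1, SITEM), (SITEM, SITE2), (SITE2, SITEM)]
    if hub_allow:
        hub_rules += [(SITE1, SITE2), (SITE2, SITE1)]
    hub = Gateway("sitem", SITEM,
                  {"tun-site1": Tunnel("tun-site1", "site1", "tun-m", hub_side[SITE1], [SITE1]),
                   "tun-site2": Tunnel("tun-site2", "site2", "tun-m", hub_side[SITE2], [SITE2])},
                  [(SITE1, "tun-site1"), (SITE2, "tun-site2")], hub_rules)
    return {"site1": spoke("site1", SITE1, "tun-site1"), "sitem": hub,
            "site2": spoke("site2", SITE2, "tun-site2")}


def both_ways(gws):
    """A host at site1 to a host at site2 and back: (forward, reverse) traces."""
    return (trace(gws, "site1", "10.0.0.10", "10.0.2.10"),
            trace(gws, "site2", "10.0.2.10", "10.0.0.10"))
```

Calling `both_ways(build(False, False))` shows the situation in the question: routes at the spoke are in place, but the packet is dropped at site1 because its tunnel's remote selectors do not include 10.0.2.0/24, so the far subnet does have to appear in the presented VPN on both ends of each leg. With `build(True, False)` the selectors are extended but the packet dies at sitem for lack of a site1-to-site2 filter rule; only `build(True, True)` delivers and returns. Walking a real configuration the same way answers the question before a cutover rather than during a DR test.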
