
IPsec VPN Question

  • 26-11-2015 9:15pm


    Curious to know if the following is possible. The Network will look something like

    HQFW1 - HQFWMAIN - INTERNET

    All traffic must pass via the HQ Main Firewall. So, traffic enters the main FW and a specific subnet is routed to the HQ-FW1. FW1 then creates the VPN and routes back to the main Firewall as that is the internet breakout.

    Is this possible and how would I go about it? I'm not looking for configs or anything like that just a general idea.

    Thanks


Comments

  • Cuddlesworth


    You can do it but I'm not sure why you would do it. Encapsulating traffic within a VPN is costly in terms of performance and from what you have described, you are encrypting traffic across your own network?


  • T-K-O


    Cuddlesworth wrote: »
    You can do it but I'm not sure why you would do it. Encapsulating traffic within a VPN is costly in terms of performance and from what you have described, you are encrypting traffic across your own network?

    The full picture should look like

    HQFW1 - HQFWMAIN - INTERNET - ClientFirewall

    I guess traffic will be encrypted between FW1 and HQFW on the way out. The requirement is a site to site VPN between HQFW1 - Client Firewall.

    I have no issue configuring the VPN but how do I pass the traffic through the Main Firewall... is it as simple as a static route?


  • Cuddlesworth


    T-K-O wrote: »
    The full picture should look like

    HQFW1 - HQFWMAIN - INTERNET - ClientFirewall

    I guess traffic will be encrypted between FW1 and HQFW on the way out. The requirement is a site to site VPN between HQFW1 - Client Firewall.

    I have no issue configuring the VPN but how do I pass the traffic through the Main Firewall... is it as simple as a static route?

    You're pretty short on details, but the ideal solution would be something like this.

    HQFW1 - VRF/Vlan - HQFWMAIN - DVPN/VPN - INTERNET - DVPN/VPN - ClientFirewall

    The reasons for this are simple.

    You will want a VPN solution that can scale past 1 instance. What starts off as 1 always leads to others. You set it up correctly at the start to avoid headaches in future, like adding redundancy. DVPN is the better option if possible; most small ISP operations don't have proper fixed IPs.

    You want HQFWMAIN to be aware of the traffic and monitoring it, because it's the entry point into your network. Pushing encrypted traffic past it, from a deep internal source to an external source, isn't good practice. Unless you have it decrypting it, and at that point you're wasting resources. It also makes more sense from a diagnostics point of view, if the path and the traffic are clear to anybody investigating.

    You want an IRF/VLAN solution internally to isolate the traffic between the 2 firewalls so that nothing can be spoofed and get out into your normal internal network.

    And you use OSPF because static routes are for chumps.

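The visibility argument made in the reply above can be checked with a small routing model. The following is an added example, not code from the thread or from any poster: it walks a packet through the two designs (the OP's inner-firewall VPN endpoint hairpinned through HQFWMAIN, and the reply's edge-terminated tunnel) using longest-prefix routing and simple ESP encapsulation, and records which protocol each hop can actually see. All addresses, prefixes and the `Firewall`/`Packet` classes are constructed for the model; NAT, IKE and the return route for the transit address are deliberately left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the model; every prefix and address here is an assumption.
HQ_LAN = "10.10.0.0/16"            # HQ internal network
CLIENT_LAN = "192.168.50.0/24"     # client's network behind ClientFirewall
TRANSIT = "10.255.0.0/30"          # isolated HQFW1 <-> HQFWMAIN link (the VRF/VLAN idea)
HQFW1_TRANSIT = "10.255.0.1"       # HQFW1's address on that link, used as its tunnel source
HQFWMAIN_PUBLIC = "203.0.113.10"   # HQFWMAIN internet breakout address
CLIENT_PUBLIC = "198.51.100.20"    # ClientFirewall public address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "esp" (IPsec outer header)
    inner: Optional["Packet"] = None  # encapsulated payload; opaque to transit hops


class Firewall:
    """Router/firewall with longest-prefix routing and optional IPsec termination."""

    def __init__(self, name, routes, addresses=(), tunnels=None):
        self.name = name
        self.addresses = set(addresses)
        # routes: {prefix: next hop}; a next hop is another Firewall name or a terminal
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}
        # tunnels: {protected prefix: (peer public address, local outer address)}
        self.tunnels = {ipaddress.ip_network(p): ends
                        for p, ends in (tunnels or {}).items()}

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            raise ValueError(f"{self.name}: no route to {dst}")
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, pkt):
        """Return (packet to send, next hop, protocol this hop could inspect)."""
        if pkt.proto == "esp" and pkt.dst in self.addresses:
            pkt = pkt.inner                 # tunnel terminates here: decrypt first
        visible = pkt.proto                 # what policy/logging can act on at this hop
        for prefix, (peer, local) in self.tunnels.items():
            if pkt.proto != "esp" and ipaddress.ip_address(pkt.dst) in prefix:
                pkt = Packet(local, peer, "esp", inner=pkt)   # encrypt toward peer
                break
        return pkt, self.next_hop(pkt.dst), visible


TERMINALS = {"INTERNET", "LAN"}


def trace(topology, pkt, start="HQFWMAIN", max_hops=8):
    """Walk a packet through the topology; return [(hop, protocol visible at hop)]."""
    seen, node = [], start
    for _ in range(max_hops):
        pkt, nxt, visible = topology[node].forward(pkt)
        seen.append((node, visible))
        if nxt in TERMINALS:
            return seen
        node = nxt
    raise RuntimeError("routing loop")


def plaintext_seen_by(name, seen):
    """True if the named hop ever handled the flow unencrypted."""
    return any(hop == name and proto != "esp" for hop, proto in seen)


# Design A (the OP's idea): inner HQFW1 terminates the tunnel; HQFWMAIN only has
# static routes for the client subnet and the transit link, and forwards ESP blindly.
DESIGN_A = {
    "HQFWMAIN": Firewall("HQFWMAIN",
                         {CLIENT_LAN: "HQFW1", TRANSIT: "HQFW1",
                          HQ_LAN: "LAN", "0.0.0.0/0": "INTERNET"},
                         addresses=[HQFWMAIN_PUBLIC]),
    "HQFW1": Firewall("HQFW1", {HQ_LAN: "LAN", "0.0.0.0/0": "HQFWMAIN"},
                      addresses=[HQFW1_TRANSIT],
                      tunnels={CLIENT_LAN: (CLIENT_PUBLIC, HQFW1_TRANSIT)}),
}

# Design B (the reply's suggestion): the edge firewall terminates the tunnel itself.
DESIGN_B = {
    "HQFWMAIN": Firewall("HQFWMAIN", {HQ_LAN: "LAN", "0.0.0.0/0": "INTERNET"},
                         addresses=[HQFWMAIN_PUBLIC],
                         tunnels={CLIENT_LAN: (CLIENT_PUBLIC, HQFWMAIN_PUBLIC)}),
}


def outbound(design):
    return trace(design, Packet("10.10.1.5", "192.168.50.9", "tcp"))


def inbound(design):
    # ESP from the client lands at the breakout, addressed to whichever box terminates it
    dst = HQFW1_TRANSIT if "HQFW1" in design else HQFWMAIN_PUBLIC
    inner = Packet("192.168.50.9", "10.10.1.5", "tcp")
    return trace(design, Packet(CLIENT_PUBLIC, dst, "esp", inner=inner))


if __name__ == "__main__":
    for label, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        for direction, fn in (("outbound", outbound), ("inbound", inbound)):
            seen = fn(design)
            print(f"design {label} {direction}: {seen}; "
                  f"HQFWMAIN sees plaintext: {plaintext_seen_by('HQFWMAIN', seen)}")
```

Running it shows the asymmetry behind the "be aware of the traffic" point: in design A the outbound flow crosses HQFWMAIN twice (once as TCP, once as ESP), while the inbound flow reaches HQFWMAIN only as ESP and is decrypted on HQFW1 before it enters the LAN, so the edge never gets a policy decision on the decrypted client-to-HQ traffic. In design B every packet is visible in clear at HQFWMAIN in both directions.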

  • T-K-O


    Thanks for the reply. I share your concerns and would not have considered the suggested approach best practice. An internal FW as an endpoint doesn't make much sense to me. Good to hear someone else agrees! Unfortunately a dynamic solution is not an option. I think a re-design will have to be discussed.

