Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Network Planning (page 3-6)
202-10085-01, March 2005
Figure 3-6: Dual gateway WAN ports before and after rollover
Load Balancing Case for Dual Gateway WAN Ports
Load balancing (Figure 3-7) for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
Figure 3-7: Dual gateway WAN ports for load balancing
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports used for load balancing
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall (Figure 3-8), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
Figure 3-6 (diagram text): Gateway VPN Router, netgear.dyndns.org. Dual WAN ports before rollover: WAN1 IP active, WAN2 IP (N/A), WAN2 port inactive. After rollover: WAN1 port inactive, WAN1 IP (N/A), WAN2 IP active. The IP address of the active WAN port changes after a rollover (use of fully-qualified domain names always required).
Figure 3-7 (diagram text): Gateway VPN Router, dual WAN ports (load balancing): WAN1 IP netgear1.dyndns.org, WAN2 IP netgear2.dyndns.org. IP addresses of the WAN ports are the same as in the single WAN port case (use of fully-qualified domain names required for dynamic IP addresses and optional for fixed IP addresses).
Figure 3-8: Single gateway WAN port case for VPN road warrior
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-9), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.
Figure 3-9: Dual gateway WAN ports, before rollover, for VPN road warrior
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
Figure 3-8 (diagram text): Road Warrior Example (Single WAN Port). Gateway A: VPN Router (at employer's main office), WAN IP bzrouter.dyndns.org (FQDN), LAN IP 10.5.6.1, LAN 10.5.6.0/24. Client B: Remote PC (running NETGEAR ProSafe VPN Client), WAN IP 0.0.0.0. Fully-Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.
Figure 3-9 (diagram text): Road Warrior Example (Dual WAN Ports, Before Rollover). Gateway A: VPN Router (at employer's main office), WAN1 IP bzrouter.dyndns.org, WAN2 IP (N/A), WAN2 port inactive, LAN IP 10.5.6.1, LAN 10.5.6.0/24. Client B: Remote PC (running NETGEAR ProSafe VPN Client), WAN IP 0.0.0.0. Fully-Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.
After a rollover of the gateway WAN port (Figure 3-10), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
Figure 3-10: Dual gateway WAN ports, after rollover, for VPN road warrior
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-11), the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote PC is not known in advance. The chosen gateway WAN port must act as the responder.
Figure 3-11: Dual gateway WAN ports (load balancing case) for VPN road warrior
Figure 3-10 (diagram text): Road Warrior Example (Dual WAN Ports, After Rollover). Gateway A: VPN Router (at employer's main office), WAN1 port inactive, WAN1 IP (N/A), WAN2 IP bzrouter.dyndns.org, LAN IP 10.5.6.1, LAN 10.5.6.0/24. Client B: Remote PC (running NETGEAR ProSafe VPN Client), WAN IP 0.0.0.0. Fully-Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses. Remote PC must re-establish the VPN tunnel after a rollover.
Figure 3-11 (diagram text): Road Warrior Example (Dual WAN Ports, Load Balancing). Gateway A: VPN Router (at employer's main office), WAN1 IP bzrouter1.dyndns.org, WAN2 IP bzrouter2.dyndns.org, LAN IP 10.5.6.1, LAN 10.5.6.0/24. Client B: Remote PC (running NETGEAR ProSafe VPN Client), WAN IP 0.0.0.0. Fully-Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall:
- Single gateway WAN ports
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports used for load balancing
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)
In the case of single WAN ports on the gateway VPN firewalls (Figure 3-12), either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.
Figure 3-12: Single gateway WAN ports case for gateway-to-gateway VPN tunnels
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
Figure 3-12 (diagram text): Gateway-to-Gateway Example (Single WAN Ports). Gateway A: VPN Router (at office A); Gateway B: VPN Router (at office B). WAN IPs: one fixed address 22.23.24.25, the other given by FQDN netgear.dyndns.org. LANs: 10.5.6.0/24 (LAN IP 10.5.6.1) and 172.23.9.0/24 (LAN IP 172.23.9.1). Fully-Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-13), either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance. In this example, port WAN_A1 is active and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.
Figure 3-13: Dual gateway WAN ports, before rollover, for gateway-to-gateway VPN tunnels
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
After a rollover of a gateway WAN port (Figure 3-14), the previously inactive gateway WAN port becomes the active port (port WAN_A2 in this example) and one of the gateway VPN firewalls must re-establish the VPN tunnel.
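The two rollover cases in this chapter (the road warrior re-establishing the tunnel after the gateway's WAN port rolls over, and a gateway re-establishing a gateway-to-gateway tunnel) share one mechanism: the responder re-points its fully-qualified domain name at whichever WAN port is now active, and the initiator resolves that name every time it (re-)establishes the tunnel. The following Python model is an added example, not code from the NETGEAR manual or the ProSafe firmware; the `DdnsZone`, `DualWanGateway` and `VpnInitiator` classes, the `fqdn_required` rule and the WAN IP addresses are constructed for illustration (the host name bzrouter.dyndns.org is taken from the figures). The initiating gateway in the gateway-to-gateway case plays the same role as the remote PC here.

```python
"""Model of DDNS-based WAN rollover for VPN tunnel endpoints.

Added example (not from the manual). Shows why an initiator pinned to a
WAN port's IP literal loses the tunnel after rollover while one configured
with the gateway's FQDN can re-establish it.
"""
import ipaddress
from dataclasses import dataclass


class DdnsZone:
    """Toy dynamic-DNS service: one A record per host name (assumption)."""

    def __init__(self):
        self._records = {}

    def update(self, fqdn, ip):
        self._records[fqdn] = ip

    def resolve(self, fqdn):
        return self._records[fqdn]


@dataclass
class DualWanGateway:
    """VPN firewall with two WAN ports in rollover mode; only one is active,
    and the active port's address is published under the gateway's FQDN."""
    fqdn: str
    wan1_ip: str
    wan2_ip: str
    ddns: DdnsZone
    active_port: str = "WAN1"

    def __post_init__(self):
        self.ddns.update(self.fqdn, self.active_ip())

    def active_ip(self):
        return self.wan1_ip if self.active_port == "WAN1" else self.wan2_ip

    def rollover(self):
        """Active port fails: the other port takes over and DDNS is re-pointed."""
        self.active_port = "WAN2" if self.active_port == "WAN1" else "WAN1"
        self.ddns.update(self.fqdn, self.active_ip())

    def accepts_tunnel_at(self, ip):
        """The gateway is the responder: it only answers on its active WAN IP."""
        return ip == self.active_ip()


def is_ip_literal(endpoint):
    """True for a dotted-quad/IPv6 literal, False for a host name."""
    try:
        ipaddress.ip_address(endpoint)
        return True
    except ValueError:
        return False


class VpnInitiator:
    """Remote PC (road warrior) or initiating gateway, configured with the
    peer endpoint as either an IP literal or an FQDN that is resolved afresh
    on every (re-)establishment attempt."""

    def __init__(self, peer_endpoint, ddns):
        self.peer_endpoint = peer_endpoint
        self.ddns = ddns

    def peer_ip(self):
        if is_ip_literal(self.peer_endpoint):
            return self.peer_endpoint
        return self.ddns.resolve(self.peer_endpoint)

    def establish(self, gateway):
        return gateway.accepts_tunnel_at(self.peer_ip())


def fqdn_required(wan_mode, dynamic_ip):
    """Planning rule stated in this chapter: an FQDN is always required in
    rollover mode; in single or load-balancing mode it is required only
    when the ISP assigns the WAN address dynamically."""
    if wan_mode == "rollover":
        return True
    if wan_mode in ("single", "load_balancing"):
        return dynamic_ip
    raise ValueError(f"unknown WAN mode {wan_mode!r}")


def simulate_rollover():
    """Compare an FQDN-configured initiator with one pinned to WAN1's IP
    before and after rollover. Returns {config: (before, after)}."""
    ddns = DdnsZone()
    # Constructed WAN addresses from the documentation ranges (TEST-NET-1/2).
    gw = DualWanGateway("bzrouter.dyndns.org", "192.0.2.10", "198.51.100.10", ddns)
    by_name = VpnInitiator(gw.fqdn, ddns)
    by_ip = VpnInitiator(gw.wan1_ip, ddns)

    before = (by_name.establish(gw), by_ip.establish(gw))
    gw.rollover()
    after = (by_name.establish(gw), by_ip.establish(gw))
    return {"fqdn": (before[0], after[0]), "ip_literal": (before[1], after[1])}


if __name__ == "__main__":
    for cfg, (before, after) in simulate_rollover().items():
        print(f"{cfg:10s} before rollover: {before}  after rollover: {after}")
```

The model resolves the name instantly; a real initiator sees the new address only once its resolver's cached record expires, so the DDNS record's TTL bounds how long the tunnel stays down after a rollover.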
Figure 3-13 (diagram text): Gateway-to-Gateway Example (Dual WAN Ports, Before Rollover). Gateway A: VPN Router (at office A), netgearA.dyndns.org, WAN_A1 IP active, WAN_A2 IP (N/A), WAN_A2 port inactive. Gateway B: VPN Router (at office B), netgearB.dyndns.org, WAN_B1 IP active, WAN_B2 IP (N/A), WAN_B2 port inactive. LANs: 10.5.6.0/24 (LAN IP 10.5.6.1) and 172.23.9.0/24 (LAN IP 172.23.9.1). Fully-Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.