ProSafe VPN Firewall 200 FVX538 Reference Manual
B-10
Network Planning for Dual WAN Ports
v1.0, March 2009
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for
determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN
port depends on the configuration being implemented:
For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name
(FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when
the IP address is fixed. The situation is different when dual gateway WAN ports are used in a
rollover-based system.
Rollover Case for Dual Gateway WAN Ports
Rollover for the dual gateway WAN port case is different from the single gateway WAN port
case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active
at a time and when it rolls over, the IP address of the active WAN port always changes. Hence,
the use of a fully-qualified domain name is always required, even when the IP address of each
WAN port is fixed.
Table B-2. IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAN IP address   Single WAN Port    Dual WAN Port Cases
                                   (reference case)   Rollover (a)      Load Balancing
VPN Road Warrior         Fixed     Allowed            FQDN required     Allowed
(client-to-gateway)                (FQDN optional)                      (FQDN optional)
                         Dynamic   FQDN required      FQDN required     FQDN required
VPN Gateway-to-Gateway   Fixed     Allowed            FQDN required     Allowed
                                   (FQDN optional)                      (FQDN optional)
                         Dynamic   FQDN required      FQDN required     FQDN required
VPN Telecommuter         Fixed     Allowed            FQDN required     Allowed
(client-to-gateway                 (FQDN optional)                      (FQDN optional)
through a NAT router)    Dynamic   FQDN required      FQDN required     FQDN required

a. All tunnels must be re-established after a rollover using the new WAN IP address.

Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must
be re-established using the new WAN IP address.
Load Balancing Case for Dual Gateway WAN Ports
Load balancing for the dual gateway WAN port case is the same as the single gateway WAN
port case when specifying the IP address of the VPN tunnel end point. Each IP address is
either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the
IP address is dynamic and are optional when the IP address is static.
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to
establish a VPN tunnel with a gateway VPN firewall:
Single gateway WAN port
Redundant dual gateway WAN ports for increased reliability (before and after rollover)
Dual gateway WAN ports used for load balancing
Figure B-7
Figure B-8
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the
VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway
WAN port must act as the responder.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is
dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified
domain name is optional.
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the
VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP
address of the remote PC client is not known in advance. The gateway WAN port must act as a
responder.
Figure B-9
Figure B-10
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified
domain name must always be used because the active WAN port could be either WAN1 or WAN2
(i.e., the IP address of the active WAN port is not known in advance).
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the
active port (port WAN2 in this example) and the remote PC client must re-establish the VPN
tunnel. The gateway WAN port must act as the responder.
The purpose of the fully-qualified domain name in this case is to keep the gateway firewall's
domain name pointed at the IP address of whichever WAN port is currently active (WAN1 or
WAN2), so that the remote PC client can determine the gateway IP address it needs to establish
or re-establish a VPN tunnel.
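As an added illustration (not code from the manual or from the FVX538), the following Python model shows why the rollover case needs an FQDN even when both WAN addresses are fixed: the gateway publishes the active port's address under its domain name, the client resolves that name before each tunnel setup, and after a rollover only the client configured with the FQDN can re-establish its tunnel. The hostnames, addresses and the `DDNS` registry are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed dynamic-DNS registry: FQDN -> IP of the gateway's active WAN port.
DDNS: dict[str, str] = {}


@dataclass
class Gateway:
    """Dual-WAN gateway in rollover mode; only one WAN port is active at a time."""
    fqdn: str
    wan_ips: dict[str, str]          # {"WAN1": ip, "WAN2": ip}, both fixed
    active: str = "WAN1"
    tunnels: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        DDNS[self.fqdn] = self.wan_ips[self.active]   # publish active port's IP

    def rollover(self) -> str:
        """Activate the other port and publish its IP; every tunnel collapses."""
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"
        DDNS[self.fqdn] = self.wan_ips[self.active]
        self.tunnels.clear()
        return self.wan_ips[self.active]

    def respond(self, client: str, dst_ip: str) -> bool:
        """The responder only answers on the active WAN port's address."""
        if dst_ip != self.wan_ips[self.active]:
            return False
        self.tunnels.add(client)
        return True


@dataclass
class RoadWarrior:
    """Remote PC client; the peer is either an FQDN or a literal WAN IP."""
    name: str
    peer: str

    def connect(self, gw: Gateway) -> bool:
        """Resolve the peer through DDNS (a literal IP resolves to itself)."""
        return gw.respond(self.name, DDNS.get(self.peer, self.peer))


def simulate() -> dict[str, bool]:
    """Constructed RFC 5737 addresses; compare an FQDN peer with a fixed-IP peer."""
    gw = Gateway("vpn.example.net", {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"})
    by_fqdn, by_ip = RoadWarrior("alice", gw.fqdn), RoadWarrior("bob", "198.51.100.10")
    before = by_fqdn.connect(gw) and by_ip.connect(gw)
    gw.rollover()                    # WAN1 fails; WAN2 becomes the active port
    return {"before": before, "fqdn_after": by_fqdn.connect(gw), "ip_after": by_ip.connect(gw)}
```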
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC initiates the VPN
tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance
the loads of the two gateway WAN ports) because the IP address of the remote PC is not known in
advance. The chosen gateway WAN port must act as the responder.
Figure B-11
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a
VPN tunnel with another gateway VPN firewall:
Single gateway WAN ports
Redundant dual gateway WAN ports for increased reliability (before and after rollover)
Dual gateway WAN ports used for load balancing
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)
In the case of single WAN ports on the gateway VPN firewalls, either gateway WAN port can
initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in
advance.
Figure B-12