ProSafe VPN Firewall 200 FVX538 Reference Manual
Network Planning for Dual WAN Ports
B-15
v1.0, March 2009
The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports
at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as
necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN
ports are known in advance. In this example, port WAN_A1 is active and port WAN_A2 is inactive
at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.
Figure B-13
Figure B-14
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified
domain name must always be used because the active WAN ports could be either WAN_A1,
WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in
advance).
After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the
active port (port WAN_A2 in this example) and one of the gateway VPN firewalls must re-
establish the VPN tunnel.
The purpose of the fully-qualified domain names in this case is to toggle the domain name of the
failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and
WAN_A2 in this example) so that the other end of the tunnel has a known gateway IP address to
establish or re-establish a VPN tunnel.
Figure B-15
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports
at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway
WAN port at the other end as necessary to manage the loads of the gateway WAN ports because
the IP addresses of the WAN ports are known in advance.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
VPN Telecommuter (Client-to-Gateway Through a NAT Router)
The following situations exemplify the requirements for a remote PC client connected to the
Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway
VPN firewall at the company office:
• Single gateway WAN port
• Redundant dual gateway WAN ports for increased reliability (before and after rollover)
• Dual gateway WAN ports used for load balancing
Figure B-16
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT
router initiates the VPN tunnel because the IP address of the remote NAT router is not known in
advance. The gateway WAN port must act as the responder.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is
dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified
domain name is optional.
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the
VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP
address of the remote NAT router is not known in advance. The gateway WAN port must act as the
responder.
Figure B-17
Figure B-18
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified
domain name must always be used because the active WAN port could be either WAN1 or WAN2
(i.e., the IP address of the active WAN port is not known in advance).
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the
active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. The
gateway WAN port must act as the responder.
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the
gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that
the remote PC client can determine the gateway IP address to establish or re-establish a VPN
tunnel.
Figure B-19
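The rollover behaviour described for both the gateway-to-gateway case (WAN_A1 to WAN_A2) and the telecommuter case (WAN1 to WAN2) turns on one mechanism: the gateway republishes its fully-qualified domain name to point at whichever WAN port is currently active, and the remote end re-resolves that name before it re-establishes the tunnel. The following model is an added example written for this page; it is not code from the FVX538 manual or from NETGEAR. The addresses (RFC 5737 documentation ranges), the domain name, the dynamic-DNS zone (a plain dictionary) and the Gateway and Peer classes are all constructed for the illustration. It contrasts a remote end configured with the fixed IP of WAN_A1 against one configured with the FQDN, and also shows the one failure mode the text leaves implicit: a remote end that keeps using a cached DNS answer behaves like the fixed-IP configuration until it re-resolves.

```python
"""Model of FQDN-based peer discovery across a dual-WAN rollover.

Constructed illustration (not the manual's code). The dynamic-DNS service
is modelled as a dictionary; a real deployment would use the firewall's
dynamic DNS client to update the record on rollover.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addressing (RFC 5737 documentation ranges).
WAN_A1 = "192.0.2.10"
WAN_A2 = "198.51.100.10"
GATEWAY_A_FQDN = "gateway-a.example.net"   # hypothetical name


@dataclass
class DynamicDns:
    """Stands in for the dynamic DNS service the gateway updates on rollover."""
    records: dict = field(default_factory=dict)

    def update(self, fqdn, ip):
        self.records[fqdn] = ip

    def resolve(self, fqdn):
        return self.records[fqdn]


@dataclass
class Gateway:
    """A VPN gateway with two WAN ports; only the active port answers."""
    fqdn: str
    wan_ports: dict          # port name -> IP address
    active: str
    dns: DynamicDns

    def __post_init__(self):
        # Publish the active port's address under the FQDN from the start.
        self.dns.update(self.fqdn, self.wan_ports[self.active])

    def active_ip(self):
        return self.wan_ports[self.active]

    def rollover(self):
        """Fail over to the other WAN port and republish the FQDN."""
        inactive = [p for p in self.wan_ports if p != self.active]
        self.active = inactive[0]
        self.dns.update(self.fqdn, self.active_ip())
        return self.active

    def accepts_tunnel_to(self, ip):
        """The responder only answers on the currently active WAN IP."""
        return ip == self.active_ip()


@dataclass
class Peer:
    """Initiator (remote PC client or the other gateway).

    `remote` is either an IP literal (fixed-IP configuration) or an FQDN.
    An FQDN is re-resolved on each attempt unless use_cache is requested,
    which models a stale DNS cache at the remote end.
    """
    remote: str
    dns: DynamicDns
    cache: Optional[str] = None

    def target_ip(self, use_cache=False):
        if self.remote.replace(".", "").isdigit():
            return self.remote             # fixed IP configured, never changes
        if use_cache and self.cache:
            return self.cache              # stale answer from an earlier lookup
        self.cache = self.dns.resolve(self.remote)
        return self.cache

    def establish(self, gateway, use_cache=False):
        """True if the tunnel reaches the gateway's active WAN port."""
        return gateway.accepts_tunnel_to(self.target_ip(use_cache))


def rollover_scenario():
    """Run the rollover from the manual for both remote-end configurations."""
    dns = DynamicDns()
    gw = Gateway(GATEWAY_A_FQDN, {"WAN_A1": WAN_A1, "WAN_A2": WAN_A2}, "WAN_A1", dns)
    by_ip = Peer(WAN_A1, dns)              # remote end configured with a fixed IP
    by_fqdn = Peer(GATEWAY_A_FQDN, dns)    # remote end configured with the FQDN
    result = {
        "before_ip": by_ip.establish(gw),
        "before_fqdn": by_fqdn.establish(gw),
    }
    gw.rollover()                          # WAN_A1 fails, WAN_A2 becomes active
    result["after_ip"] = by_ip.establish(gw)
    result["after_fqdn_stale_cache"] = by_fqdn.establish(gw, use_cache=True)
    result["after_fqdn"] = by_fqdn.establish(gw)
    return result


if __name__ == "__main__":
    for name, ok in rollover_scenario().items():
        print(f"{name:24s} {'tunnel up' if ok else 'no tunnel'}")
```

Before rollover both configurations reach the gateway; after rollover only the FQDN-configured remote end recovers, and only once it re-resolves the name. That last case is the practical check to make when planning the FQDN setup: the dynamic DNS record must be updated promptly on rollover, and the remote end must not keep using an old answer, otherwise the FQDN gives no advantage over a fixed IP.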