Page 421 / 469
Network Planning for Multiple WAN Ports
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Figure 267. Virtual Private Networks: VPN Road Warrior (Client-to-Gateway); VPN Gateway-to-Gateway; VPN Telecommuter (Client-to-Gateway through a NAT Router)
When implementing virtual private network (VPN) tunnels, you need to use a mechanism for
determining the IP addresses of the tunnel endpoints. The addressing of the firewall’s WAN
ports in a dual WAN port auto-rollover or load balancing configuration depends on the
configuration being implemented.
For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and
either an FQDN or the IP address itself when the IP address is fixed. The situation is different
in dual WAN port gateway configurations.
Dual WAN ports in auto-rollover mode. A gateway configuration with dual WAN ports
that function in auto-rollover mode is different from a gateway configuration with a single
WAN port when you specify the IP address of the VPN tunnel endpoint. Only one WAN
port is active at a time, and when it rolls over, the IP address of the active WAN port
always changes. Therefore, the use of an FQDN is always required, even when the IP
address of each WAN port is fixed.

Table 105. IP addressing requirements for VPNs in a dual WAN port configuration

Configuration and WAN IP Address                        | Single WAN Port Configurations (Reference Cases) | Dual WAN Port Configurations: Rollover Mode (a) | Dual WAN Port Configurations: Load Balancing Mode
--------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|--------------------------------------------------
VPN Road Warrior (Client-to-Gateway), Fixed             | Allowed (FQDN optional)                          | FQDN required                                   | Allowed (FQDN optional)
VPN Road Warrior (Client-to-Gateway), Dynamic           | FQDN required                                    | FQDN required                                   | FQDN required
VPN Gateway-to-Gateway, Fixed                           | Allowed (FQDN optional)                          | FQDN required                                   | Allowed (FQDN optional)
VPN Gateway-to-Gateway, Dynamic                         | FQDN required                                    | FQDN required                                   | FQDN required
VPN Telecommuter (Client-to-Gateway through a NAT Router), Fixed   | Allowed (FQDN optional)                 | FQDN required                                   | Allowed (FQDN optional)
VPN Telecommuter (Client-to-Gateway through a NAT Router), Dynamic | FQDN required                           | FQDN required                                   | FQDN required

a. After a rollover, all tunnels need to be reestablished using the new WAN IP address.
Note: When the VPN firewall’s WAN port rolls over, the VPN tunnel collapses and needs to
be reestablished using the new WAN IP address. However, you can configure automatic IPSec
VPN rollover to ensure that an IPSec VPN tunnel is reestablished.
Figure 268.
Dual WAN ports in load balancing mode. A gateway configuration with dual WAN ports
that function in load balancing mode is the same as a single WAN port configuration when
you specify the IP address of the VPN tunnel endpoint. Each IP address is either fixed or
dynamic based on the ISP: You need to use FQDNs when the IP address is dynamic, and
FQDNs are optional when the IP address is static.
Figure 269.
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote computer client with no
firewall to establish a VPN tunnel with a gateway VPN firewall:
Single-gateway WAN port
Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
Dual-gateway WAN ports for load balancing
Page 423 / 469
Network Planning for Multiple WAN Ports
423
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
VPN Road Warrior: Single-Gateway WAN Port (Reference Case)
In a single WAN port gateway configuration, the remote computer client initiates the VPN
tunnel because the IP address of the remote computer client is not known in advance. The
gateway WAN port needs to act as the responder.
Figure 270.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is
dynamic, an FQDN needs to be used. If the IP address is fixed, an FQDN is optional.
VPN Road Warrior: Dual-Gateway WAN Ports for Improved Reliability
In a gateway configuration with dual WAN ports that function in auto-rollover mode, the
remote computer client initiates the VPN tunnel with the active WAN port (port WAN1 in the
following figure) because the IP address of the remote computer client is not known in
advance. The gateway WAN port needs to act as a responder.
Figure 271.
The IP addresses of the WAN ports can be either fixed or dynamic, but you always need to
use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP
address of the active WAN port is not known in advance).
After a rollover of the WAN port has occurred, the previously inactive gateway WAN port
becomes the active port (port WAN2 in the following figure) and the remote computer client
needs to reestablish the VPN tunnel. The gateway WAN port needs to act as the responder.
Figure 272.
The purpose of the FQDN in this case is to point the domain name of the gateway firewall at
the IP address of whichever WAN port is currently active (WAN1 or WAN2), so that the
remote computer client can determine the gateway IP address to establish or reestablish a
VPN tunnel.
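As an added example (not from the manual or NETGEAR), the following Python applies the Table 105 rules above and shows how a client-side monitor can detect the rollover described here by re-resolving the gateway FQDN and comparing the answer with the WAN address the tunnel is built to. The WAN mode names, the gateway name and the DNS stand-in are constructed assumptions.

```python
# Added example (not NETGEAR code): apply the Table 105 addressing rules and
# detect a WAN rollover by re-resolving the gateway FQDN. The FQDN, WAN
# addresses and the DNS stand-in below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


def fqdn_required(wan_mode: str, address_type: str) -> bool:
    """Table 105: an FQDN is mandatory when the WAN address is dynamic and,
    whatever the address type, when the gateway runs in auto-rollover mode."""
    if wan_mode not in ("single", "rollover", "load_balancing"):
        raise ValueError(f"unknown WAN mode {wan_mode!r}")
    if address_type not in ("fixed", "dynamic"):
        raise ValueError(f"unknown address type {address_type!r}")
    return address_type == "dynamic" or wan_mode == "rollover"


@dataclass
class TunnelState:
    fqdn: str                      # gateway name the client is configured with
    peer_ip: Optional[str] = None  # WAN IP the tunnel is currently built to
    rollovers: int = 0             # rollovers observed so far


def check_peer(state: TunnelState, resolve: Callable[[str], str]) -> bool:
    """Re-resolve the gateway FQDN. Returns True when the tunnel must be
    (re)established: first run, or the name now points at the other WAN port."""
    current = resolve(state.fqdn)
    if state.peer_ip is None:
        state.peer_ip = current
        return True
    if current != state.peer_ip:          # rollover: WAN1 -> WAN2 or back
        state.rollovers += 1              # an ops/detection system alerts here
        state.peer_ip = current
        return True
    return False


def make_resolver(answers: Iterable[str]) -> Callable[[str], str]:
    """Constructed DNS stand-in: returns the given answers in order, then keeps
    returning the last one (a dynamic DNS record that was updated once)."""
    it, last = iter(answers), {"ip": ""}

    def resolve(_fqdn: str) -> str:
        last["ip"] = next(it, last["ip"])
        return last["ip"]

    return resolve
```

In a deployment, pass `socket.gethostbyname` as the resolver and call `check_peer` on a timer; a `True` return is the trigger to rebuild the tunnel to the new WAN address.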
VPN Road Warrior: Dual-Gateway WAN Ports for Load Balancing
In a gateway configuration with dual WAN ports that function in load balancing mode, the
remote computer initiates the VPN tunnel with the appropriate gateway WAN port (that is,
port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports)
because the IP address of the active WAN port is not known in advance. The selected
gateway WAN port needs to act as the responder.
Figure 273.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address
is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a
VPN tunnel with another gateway VPN firewall:
Single-gateway WAN ports
Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
Dual-gateway WAN ports for load balancing
VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case)
In a configuration with two single WAN port gateways, either gateway WAN port can initiate
the VPN tunnel with the other gateway WAN port because the IP addresses are known in
advance.
Figure 274.
The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Improved Reliability
In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode,
either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate
gateway WAN port at the other end as necessary to balance the loads of the gateway WAN
ports because the IP addresses of the WAN ports are known in advance. In this example
(see the following figure), port WAN_A1 is active and port WAN_A2 is inactive at Gateway A;
port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.