I had a similar situation but we were configured differently.

Our router resided outside the firewall with a HW - HW VPN tunnel built
between firewalls for failover. To avoid routing problems we built a GRE
connection via the VPN tunnel between internal routers to pass the needed
EIGRP info.

I think this would work for you if you 'flipped' the Router to the outside
and configured it to do the Fail-over as needed.

BTW our HW was all Cisco. External routers were 2621XM, FWs were PIX515E,
internal routers were 3662.

Sanford Reed
(V) 757.406.7067
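The GRE-over-VPN arrangement Sanford describes, written out as an added Cisco IOS example (not Sanford's or Stewart's configuration). All addresses, interface names and the EIGRP AS number are assumptions: site A LAN 10.1.0.0/16 with the firewall's inside address at 10.1.0.1 and the internal T1 router at 10.1.0.2, site B LAN 10.2.0.0/16 with its internal router at 10.2.0.2, and the T1 on 10.255.1.0/30. GRE is used because EIGRP hellos are multicast and a plain IPsec tunnel will not carry them.

```cisco
! Site A internal T1 router (constructed example; addressing is assumed)
!
! GRE tunnel to the site B internal router. The GRE packets are ordinary
! inside-to-inside traffic as far as this router is concerned: they go to the
! firewall, which carries them across the firewall-to-firewall L2L VPN.
interface Tunnel0
 description GRE to site B router over the firewall L2L VPN
 ip address 10.255.0.1 255.255.255.252
 tunnel source 10.1.0.2
 tunnel destination 10.2.0.2
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 bandwidth 100
!
interface Serial0/0/0
 description T1 to site B
 ip address 10.255.1.1 255.255.255.252
 bandwidth 1544
!
! Pin the tunnel endpoint to the firewall path. Without this host route, once
! the T1 is down the router could learn 10.2.0.2 through the tunnel itself
! (recursive routing) and the tunnel would flap.
ip route 10.2.0.2 255.255.255.255 10.1.0.1
!
! EIGRP runs over the T1 and over the GRE tunnel. With bandwidth 1544 on the
! T1 and 100 on the tunnel, the T1 has the better composite metric, so it is
! used while up and the tunnel route takes over when the T1 adjacency is lost.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.3
 network 10.255.1.0 0.0.0.3
 no auto-summary
!
! The site B router mirrors this: tunnel source 10.2.0.2, tunnel destination
! 10.1.0.2, tunnel address 10.255.0.2/30, and a /32 for 10.1.0.2 pointing at
! its own firewall's inside address.
```

Two things to check on the firewalls for this to work: the L2L VPN's interesting-traffic ACL must match GRE (IP protocol 47) between 10.1.0.2 and 10.2.0.2, and the firewall rules must allow that GRE traffic in both directions. Once the firewalls only need to carry the two tunnel endpoints, their route for the site B network can point inward to the internal router, which is what lets RAS client traffic follow the T1 while the routers, not the firewalls, decide when to fail over. Verify the adjacency with `show ip eigrp neighbors` and the chosen path with `show ip route 10.2.0.0`.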
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Stewart,
Sent: Tuesday, April 19, 2005 6:55 PM
To: 'firewall-wizards@honor.icsalabs.com'
Subject: [fw-wiz] L2L VPN redundancy for T1 link

We have a remote office (site B) to which we have a T1 link (from site A).
The routers on each side of this T1 are Cisco 2811s, and they reside
internally on our trusted networks, talking EIGRP to our other internal
routers on both sides.

We currently have a site to site VPN connection between our firewalls, and
the firewall on each side is the default route from the internal networks,
so if the T1 goes down, the site A <-> site B traffic fails over to this L2L
VPN, without any routing protocol needed on the firewall.

We also have a Cisco VPN3005 on a RAS leg of our firewall, for users to
connect from home and while traveling. I do plan to move the L2L VPN to be
terminated on these at some point, though right now that is not the case (it
is currently terminated on the firewalls).

Site B has essentially the same gear (VPN3005 going in soon).

A hopefully helpful diagram:

                  +--------------+
                  |              |
                  |   VPN3005    |
      +-----------+ Concentrator |
      |           |              |
      |           +-----+--------+
      |                 |
+-----+-------+         |
|             |         |
|             |         |
|  Firewall   +---------+-----
|             |      RAS Network
|             |
|             |
|  Internal   |       T1 to site B
|  T1 Router  +----------------------->
|    2811     |
|             |

The issue is that right now, when users connect with a VPN client to the
site A VPN3005, they cannot access network resources at site B, and vice
versa (since, on the firewall, the route to site B would be through the L2L
VPN rather than towards the internal network where the T1 router resides).

When we move the L2L VPN over to the 3005s, then I presume when a client
connects to site A's VPN3005 and tries to access the network at site B, the
traffic will go across the L2L VPN. However, the performance of this is
spotty, and we'd really like to be able to have this traffic go across the
T1 instead.

We would like to:

- Configure it such that traffic from VPN clients to the opposite site will
go across the T1 link.
- Still retain the L2L VPN as a failover for the T1 between A and B.
- If possible, not have a single point of failure for the link between A and

It seems relatively simple to satisfy the first two requirements, but I'm
failing to see a good way to satisfy them all. One possibility:

Connect an interface from the internal T1 router (a 2811) directly to the
Internet network, bypassing the firewall (and do the same at site B). Set up
the L2L VPN on these routers, and then if the T1 fails it will simply fail
over to the VPN, terminated on the same box.

Simple (KISS principle) - all data between site A and site B go through
these routers regardless of whether the T1 is up or down. No routing
protocols needed.

Adding a device directly on the Internet which bypasses our firewall. A
misconfiguration in the ACLs could allow traffic in or out to the Internet
which might have otherwise been stopped by the firewall.

I've been whiteboarding other options, but they all either seem to require
the firewall to speak a routing protocol, or have a single point of failure
in the T1 routers. I'm fairly comfortable living with the latter, but I just
want to make sure I'm not missing something here.

Are there better options I am missing?

Thank you!

firewall-wizards mailing list
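The router-terminated option Stewart sketches (T1 primary, L2L VPN on the same 2811 as failover), written out as an added Cisco IOS example that is not the poster's configuration. It also shows the part that addresses his stated worry about bypassing the firewall: the Internet-facing interface carries a strict inbound ACL and the router has no default route toward the Internet, so only the VPN peer is reachable that way. Addresses, interface names, the EIGRP AS and the pre-shared key placeholder are all assumptions (site A LAN 10.1.0.0/16, site B LAN 10.2.0.0/16, site A public 198.51.100.2 with ISP next hop 198.51.100.1, site B public 203.0.113.2).

```cisco
! Site A 2811 (constructed example): T1 primary, IPsec L2L as backup
!
! Inbound from the Internet, accept only IKE and ESP from the site B peer.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.2
 deny   ip any any log
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 203.0.113.2
!
crypto ipsec transform-set L2L-SET esp-aes 256 esp-sha-hmac
!
! Interesting traffic for the tunnel: site A LAN to site B LAN only.
ip access-list extended L2L-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set L2L-SET
 match address L2L-TRAFFIC
!
interface FastEthernet0/1
 description Internet - bypasses the firewall, hence the strict ACL
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
 no cdp enable
 crypto map L2L
!
interface Serial0/0/0
 description T1 to site B
 ip address 10.255.1.1 255.255.255.252
!
! Only the VPN peer is reachable via the ISP; there is deliberately no default
! route here, so internal Internet traffic still goes out through the firewall.
ip route 203.0.113.2 255.255.255.255 198.51.100.1
!
! Floating static for site B with AD 250. While the T1 is up, the EIGRP route
! learned over it (AD 90) wins; when the T1 adjacency is lost, this route
! enters the table, traffic leaves via FastEthernet0/1 and the crypto map
! encrypts it to site B.
ip route 10.2.0.0 255.255.0.0 198.51.100.1 250
!
! Redistribute the floating static so the other internal routers learn the
! backup path only when it is actually in the routing table. Never speak
! EIGRP on the Internet interface.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.1.0 0.0.0.3
 redistribute static metric 100 5000 255 1 1500
 passive-interface FastEthernet0/1
 no auto-summary
```

Site B mirrors this with the peer and address pairs swapped. A caveat worth testing: on older IOS releases, decrypted packets were re-checked against the interface's inbound ACL, in which case OUTSIDE-IN also needs a permit for 10.2.0.0/16 to 10.1.0.0/16; confirm the behaviour with a ping across the tunnel after bringing the T1 down, and watch `show crypto ipsec sa` for the encaps/decaps counters.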