Martijn
Advisor

Route based VPN support and SmartLSM

Hi All,

One of our customers has several remote sites with 14xx appliances managed by SmartLSM. This is working as it should, so no problems there.

Customer has an internet connection configured on the WAN interface and MPLS connection configured on LAN4. We have configured this MPLS connection as the secondary ISP so we have ISP redundancy in case the WAN connection is down. Users can connect to the internet through the central site and central gateway via MPLS.

But in the situation where the MPLS connection is down, the 14xx appliance should set up a VPN connection to the central gateway so corporate resources that are available through the MPLS connection are now available through the VPN connection.

The only way I can think of to get this working is VTIs, route-based VPNs and static routes with a higher metric. I know we can configure this on a 14xx appliance when it is locally managed. But can I configure route-based VPNs on a 14xx appliance when it is centrally managed by SmartLSM? It looks like only domain-based VPN is supported.

Any ideas?

Regards,

Martijn.

 

0 Kudos
4 Replies
Wolfgang
Authority
Authority

Martijn,

We are using a similar solution. But we use the site2site VPN for both connections, the MPLS and over internet.
Our central gateway has an interface to the internet and another one to the MPLS network. Same for the 14xx appliances.
Under VPN, link selection is enabled and "route probing" configured.
With "ongoing route probing" the gateways test the remote gateways' interfaces for availability. The first response is chosen to establish the connection.
Works well, normally all traffic flows over the MPLS-line via VPN, but if MPLS goes down VPN over Internet is used.

Wolfgang
Martijn
Advisor

Wolfgang,

Thanks for your reply.

Are you using SmartLSM to manage the 14xx appliances? Or are they configured in SmartConsole?

The central firewall for this customer has no interface connected to MPLS. The MPLS backbone are trusted networks behind the central firewall.

But I will keep your solution in mind. It sounds like an option if supported with SmartLSM.

Regards,

Martijn.

Wolfgang
Authority

Martijn,

Yes, we are using SmartProvisioning.
I remember something like a trusted interface and found again sk56384.

How To Create a Redundant, Service-based MPLS/Encrypted Link VPN

This article describes exactly your needs. Creating a VPN over two lines but running one line (your MPLS) unencrypted.

You have to define the interfaces for MPLS as trusted. But there is no information if it will work with SmartProvisioning.

Wolfgang

Martijn
Advisor

Wolfgang,

Thanks again. This might be something we can use.

We need to re-configure the central firewall because for now it has no interface connected to MPLS.

Before we do this, we need to create a lab setup and test. In the article you added, there is nothing mentioned for SmartLSM.

Regards,

Martijn.
