Chinmaya_Naik
Advisor

MPLS (Cleartext) and Internet (IPSec VPN) Failover

Dear Team,

Please find the image below.

Our requirement is to provide redundancy between MPLS and IPSec VPN.

Please suggest us any use case so we can achieve this.

Thanks in advance :)

#Chinmaya Naik

0 Kudos
11 Replies
G_W_Albrecht
Legend

Do you know this one here: sk56384: How To Create a Redundant, Service-based MPLS/Encrypted Link VPN?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chinmaya_Naik
Advisor

Thanks Günther W. Albrecht

Yes, I already went through SK 56384.

So, does this work for our scenario?

#Chinmaya Naik

0 Kudos
Maarten_Sjouw
Champion

When you have the possibility to have the MPLS routers build a VPN over the internet to the other location, this would solve your problems. You would need to have an additional external IP on both FWs to be able to statically NAT those to the routers, only allow the routers access to each other, and set up the external IP for the other router to route through the local FW to the internet. This way both paths can be used and controlled by the router.

Regards, Maarten
0 Kudos
Chinmaya_Naik
Advisor

Thanks Maarten Sjouw

I did not get your point.

Can you please simplify?

0 Kudos
Maarten_Sjouw
Champion

Take your drawing and extend the VPN through the 1400s and attach directly to the routers. So let your routers build the VPN through the FWs and the Internet. Now you have the MPLS path and the VPN path between the 2 routers. Routing will then need to be set so that the MPLS is the better path, and when that fails it will use the VPN path.

Regards, Maarten
0 Kudos
Norbert_Bohusch
Advisor

It will work if all necessary routes for all networks are available on MPLS routers.


0 Kudos
G_W_Albrecht
Legend

I have one problem - I just do not see any question here...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PankajTiwari1
Explorer

I am also facing the same issue. According to SK 56384 it provides load sharing, and I just require high availability from MPLS (clear text) to IPsec (encrypted). Please help me :).

0 Kudos
Sam2
Contributor

We use OSPF for this exact design. A high-level implementation would be:

1. Have your firewalls advertise a default route and have the MPLS routers advertise your internal networks for each office. Be sure to change the metric of the default route advertisement so that one firewall doesn't take the internet for both offices.
2. Configure a VPN between the firewalls, route-based or domain-based, and either define routing for them or define their respective encryption domains.

If the MPLS fails, the default route from the local firewall will be the only route in the office, so traffic will go to the firewall and hit your VPN config.

If the internet fails, the default route from the MPLS will come through and all office traffic will take the MPLS until the internet is restored.

0 Kudos
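As an added illustration of the OSPF design Sam2 describes (this is not configuration from the thread, from Check Point, or from any of the posters), here is a small Python model of office A's routing table that shows which next hop wins under normal operation, an MPLS failure and an internet failure. The addressing (10.1/16 and 10.2/16), the names "mpls-router" and "fw-a", and the metrics are all assumed for the example.

```python
import ipaddress

# Constructed topology for office A (assumed addressing, not from the thread):
#   10.1.0.0/16 = office A LAN, 10.2.0.0/16 = office B LAN
#   "mpls-router" = office A MPLS CE router, "fw-a" = office A firewall
LOCAL_DEFAULT_METRIC = 10     # firewall A originates 0/0 with a low cost
REMOTE_DEFAULT_METRIC = 100   # firewall B's 0/0, relayed over MPLS, costs more


class Rib:
    """Minimal routing table: longest prefix wins, then lowest metric."""

    def __init__(self):
        self.routes = []  # (network, next_hop, metric, learned_from)

    def add(self, prefix, next_hop, metric, learned_from):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, metric, learned_from))

    def withdraw(self, learned_from):
        # Models OSPF flushing every route that came from a dead neighbour
        self.routes = [r for r in self.routes if r[3] != learned_from]

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
        return best[1]


def office_a_rib(mpls_up=True, internet_up=True):
    rib = Rib()
    # Step 1 of the design: the MPLS router advertises office B's internal
    # network and relays firewall B's default; firewall A originates its own.
    rib.add("10.2.0.0/16", "mpls-router", 20, "mpls")
    rib.add("0.0.0.0/0", "mpls-router", REMOTE_DEFAULT_METRIC, "mpls")
    rib.add("0.0.0.0/0", "fw-a", LOCAL_DEFAULT_METRIC, "fw-a")
    if not mpls_up:
        rib.withdraw("mpls")       # OSPF adjacency to the MPLS router drops
    if not internet_up:
        rib.withdraw("fw-a")       # firewall stops originating 0/0 without uplink
    return rib


def next_hop(dst, mpls_up=True, internet_up=True):
    """Where office A forwards dst; 'fw-a' for 10.2/16 means the IPsec VPN carries it."""
    return office_a_rib(mpls_up, internet_up).lookup(dst)


if __name__ == "__main__":
    for mpls, inet in [(True, True), (False, True), (True, False)]:
        print(f"mpls={mpls} internet={inet}: office B via {next_hop('10.2.5.1', mpls, inet)}, "
              f"internet via {next_hop('198.51.100.7', mpls, inet)}")
```

With both links up, office B traffic takes the MPLS and internet traffic takes the local firewall; with MPLS down, office B traffic falls to the firewall's default and therefore the VPN; with the local internet down, both kinds of traffic ride the MPLS toward the remote firewall's default.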
PankajTiwari1
Explorer

Dear Sam,

Thanks for your reply. I understand you are using dynamic routing and I am using static routing. Please help me with the OSPF configuration scenario so I can configure the same. Thanks :)

0 Kudos
Sam2
Contributor

I won't be able to supply config; you should reach out to a partner or Check Point for help with an actual implementation if you are having problems, so they can support any issues that arise.

0 Kudos