Managing a gateway over VPN
Hi, I have a scenario: my MDS and CMA are in Site A and the CP Gateway is in Site B.
The CP Gateway in B is the perimeter firewall (cluster) and VPN is configured on this gateway to connect from site A to B.
A and B are connected over VPN (Internet). There are multiple VPNs from A to B using multiple ISPs.
As long as the VPNs are up and running, I guess everything is fine.
However, if the primary VPN fails, I wish VPN 2 to come up without intervention.
As per my knowledge, to bring another tunnel up, the CP gateway needs connectivity to the CP-SMS (I guess for the CRL check), which in this scenario won't be possible.
How can I achieve this and still be able to manage the CP gateway in B using the mgmt server in Site A after the primary VPN fails? (I know installing a local SMS in site B is a solution; however, I thought I'd check if there is any other option available.)
MGMT is MDS(80.10)
SG is R77.30
Regards,
Biju
Accepted Solutions
Normally management traffic is excluded from being sent through the VPN precisely for this reason.
For more discussion on this topic, see the following two threads:
How is the gateway in site B defined in the SMS?
It's defined as a gateway and installed as a perimeter firewall.
Regards,
Biju Nair
Sent from my iPhone
That much is clear, but what IP address is assigned to the cluster object?
Is it external IP that belongs to one of the ISPs in site B or is it a private IP from one of the site B ranges?
Is this cluster connected to multiple ISPs directly or are there perimeter routers with BGP handling ISP redundancy?
If each cluster member is connected to one of the ISPs, are the external interfaces configured as non-clustered/monitored?
Or do you have both ISPs connected to each cluster member and have those configured for ISP redundancy?
Two VLAN interfaces (external) are configured under a physical interface with two different public IPs on each cluster member, and both are clustered with a cluster IP.
Regards,
Biju Nair
Sent from my iPhone
Please read the "ISP Redundancy Script and Additional VPN Considerations" in:
One more thing to consider is the IP assigned to the Cluster Object in its "General" properties:
If it is the IP that belongs to one of the ISPs and you do not have BGP AS advertisements configured for that range, then the cluster cannot be reached by the SMS in case this ISP connection fails.
If you have it configured with an RFC1918 IP, then theoretically your VPN could be re-established and you should be able to maintain the management capabilities.
Note that in this case, the route for this IP should be added to the gateway on the SMS site, pointing to your perimeter routers, so that it is perceived as external.
This being said, as Dameon pointed out, management over VPN is not recommended.
I need to onboard the site B security HA cluster VPN gateway, which was earlier managed by a local CMA, to the Site A MDS-CMA. VPN terminates on the same device via a public IP; management device access is via another interface which has a private IP. Please advise, Vladimir Yakovlev
Not sure if I am getting a clear picture without a desired-state topology diagram.
That being said, if I understand it correctly:
1. Your Site B cluster was previously managed via private IP
2. It must now be managed by the management server located at the same site via this private IP
3. You now are shifting management function to the site A MDS
4. There is a VPN present between Site A and Site B gateways or clusters
5. Both sites' gateways or clusters will be managed by the same MDS and, possibly, the same CMA
The best approach, IMHO, will be to change the management IP of the HA cluster and its members in site B to its public VIP.
Note that this will necessitate re-establishing SIC with the gateways.
So long as your Encryption Domain in Site B is properly defined and DOES NOT include the cluster's public IP, the management traffic between the CMA in Site A and the Cluster in Site B will not be going over the VPN, but will be secured by SIC.
