We are currently in the process of switching our Frame-Relay network to an MPLS network using OSPF as the routing protocol.
We have about 5 sites. For the sake of the conversation we will call them Site A, B, C, D, and E.
All sites will have connectivity to each other and each site will have Internet Access via a T1 or DSL connection and a WatchGuard Core X700 Firewall.
Management wants me to build IPSEC tunnels between each location and, say, Site A (where our AS/400 is) to serve as a backup in case the MPLS circuit at any one site goes down.
My question is how can I fail over from my MPLS network, connected to a Cisco 1841 router, to an IPSEC tunnel back to Site A built on a WatchGuard Firebox, given that the Cisco routers will all have the 0.0.0.0 route pointing to each local Firebox for Internet access?
Is it even possible to have tunnels up at the same time and pointing to the same remote network at Site A that you reach via the MPLS network?
I am all confused as to what the best way is to make this work, if it can in fact work automatically or will it all be a manual process.
If I read correctly you want to have the router use the default route to your firewall if it loses the OSPF route it is getting from the MPLS network.
The firewall would then route the traffic into an IPSEC tunnel destined for the proper site.
Should work fine. Don't know much about these firewalls so how hard it is to configure is not clear. This is fairly easy with Cisco firewalls and even easier now that they support OSPF.
If the firewall is going to be an issue or if it is just too many routes you could build GRE tunnels between the routers and set the firewall to pass the GRE traffic via IPSEC, which should be much easier to configure.
You could then use floating statics or a routing protocol over the tunnel. As long as your sites are not in different OSPF areas you could use OSPF. If the ospf areas are not the same it can get complex.
Yes, currently the default route is for Internet access and browsing, but if we lose the MPLS T1 I would want to use the default route to the Firewall to have it route traffic over the IPSEC tunnel that I would have built back to, let's say, Site A.
Building IPSEC tunnels on a WatchGuard Firebox is fairly simple and I am comfortable in doing so. I would have preferred using Cisco Firewalls, but my boss is stuck on these Fireboxes. I prefer a complete solution, but as you may already know that is not always the case in getting what you want.
So with what you said in your third sentence..."should work fine." Is there any special configuration I need to do on the Cisco to have it use the default route to the Firewall in case the MPLS circuit goes down? And can I have the IPSEC tunnel up to Site A and routes on the Firewall to Site A simultaneously with the MPLS connection up to Site A? If I had them both up at the same time, how would it know which path to use for the traffic destined to Site A? MPLS or IPSEC tunnel on Firewall?
Sounds to me like nothing special will be required to direct downed routes out the IPSEC tunnel.
For instance if you have a route via OSPF to Net A for Site A, once the OSPF neighbor is lost the route to Net A is gone. So, the site router would need to use the default route for Net A, which is your Firebox.
In regards to having both the tunnel up and the MPLS up at the same time...I do not believe OSPF supports unequal cost load balancing. I believe you would need to switch to EIGRP and use GRE through the VPN tunnels.
Thanks for responding. So it sounds like a manual process to me, if I continue to use the Firebox and terminate the tunnels there.
I guess then if the MPLS connection goes down I could have the tunnel pre-built, but just without the routing policies and then after it goes down put the routing policies in (on the firewall) to get to Site A and then life would be good.
If I used GRE tunnels, OSPF is not supported through them? I know EIGRP is.
No it doesn't need to be manual.
On the Firebox I assume you associate each IPSEC peer with a particular access list like you would on a PIX firewall VPN. So on the router in Site A, you can set up 5 other peers that have associated ACLs (from Net A to Net X and from Net X to Net A). The ACL is what determines what traffic should be encrypted and sent across a particular tunnel. So unless you lost the route in OSPF, the VPN interesting traffic would not make it to the Firebox and therefore the traffic wouldn't go over the tunnel. However, if you lose the route the VPN tunnel is ready and waiting to be used. Granted, it may not be active but once you lose the OSPF peer the associated VPN tunnel will come up shortly.
I accomplished a very similar configuration with the use of PIX firewalls and EIGRP routers.
I am very interested in how you accomplished this with PIX + EIGRP routers. I need to do a similar setup using AT&T provided MPLS routers connected to my LANs that have L3 EIGRP routers and PIXs with VPN tunnels to the main site for backup. Can you please share some hints as to how you did this?
If the IPSEC path should be used only as a backup and your WatchGuard Firewalls support GRE encapsulation for establishing IPSEC connections, then you could build tunnels between them and your 1841 and use any routing protocol WatchGuard supports (once tunnels are up they are just yet another interface). In the routing protocol you then simply manipulate metrics to specify your routing preferences. And yes, tunnels can be up all the time if there's a routing protocol running.
The tunnels would actually be established between the two watchguard firewalls at either end. The 1841 routers sit behind them.
So, if I understand correctly I can build the tunnels between both Fireboxes and have them active, as the internal LAN will not use them to get to the other MPLS locations when the MPLS circuits are up, because a host needing to communicate with another host across the MPLS network will find it via the OSPF routes defined on the router. If the MPLS circuit goes down, the OSPF route is removed from the routing table, so if a host then tries to communicate with a host located across the MPLS network, the default route will send the traffic to the firewall where it should go across the active IPSEC tunnel to the other side...correct?
Nothing special needed on the CISCO 1841 MPLS routers, the default routes should handle it?
If your 1841 router will get all specific prefixes over the MPLS connection (as opposed to getting only a default) then yes, setting a default pointing towards the firewalls could be sufficient. However you should consider the situation where some site is not available across MPLS and for some reason hasn't established an IPSEC connection. If you rely only on the default and assume a site is always connected over IPSEC, you should ensure that your traffic isn't leaking to the Internet in case the IPSEC connection to the failed site isn't actually up. Null-routing an aggregate block for all your remote sites at the firewall is one possible solution for that.
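As an added illustration (not part of the thread), the Python below simulates longest-prefix-match forwarding at a remote site's 1841 and its Firebox: while the OSPF-learned /16s are present the MPLS path wins; once they are withdrawn the 0.0.0.0/0 route hands the packet to the Firebox, and a null route for the 10.0.0.0/8 aggregate keeps it from leaking to the Internet when the IPsec route is missing. The addressing (one 10.x.0.0/16 per site inside a 10.0.0.0/8 aggregate) and the hop names are assumptions.

```python
import ipaddress

# Constructed next-hop labels for the scenario (assumptions, not from the thread).
MPLS = "mpls-pe"            # prefix learned via OSPF from the MPLS provider
FIREBOX = "firebox"         # local WatchGuard, the 1841's default gateway
IPSEC_A = "ipsec-to-site-a" # Firebox tunnel policy towards Site A's LAN
INTERNET = "internet"       # Firebox default route (T1/DSL)
NULL0 = "null0"             # black-hole: packet dropped, never sent upstream

def lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def router_table(ospf_up):
    """Remote-site 1841: specific /16s via OSPF over MPLS, default to the Firebox.
    This only works because MPLS hands us specific prefixes, not just a default."""
    table = [("0.0.0.0/0", FIREBOX)]
    if ospf_up:
        table += [("10.1.0.0/16", MPLS), ("10.3.0.0/16", MPLS)]
    return table

def firebox_table(ipsec_up, null_aggregate):
    """Firebox: default to the Internet, optional tunnel route, optional
    null route covering every site so a missing tunnel drops instead of leaks."""
    table = [("0.0.0.0/0", INTERNET)]
    if null_aggregate:
        table.append(("10.0.0.0/8", NULL0))
    if ipsec_up:
        table.append(("10.1.0.0/16", IPSEC_A))  # more specific than the /8
    return table

def forward(dst, ospf_up, ipsec_up, null_aggregate=True):
    """Trace where a packet from the remote LAN ends up: router first, then Firebox."""
    hop = lookup(router_table(ospf_up), dst)
    if hop != FIREBOX:
        return hop
    return lookup(firebox_table(ipsec_up, null_aggregate), dst)

if __name__ == "__main__":
    for ospf, ipsec, null in [(True, True, True), (False, True, True),
                              (False, False, True), (False, False, False)]:
        print(f"ospf={ospf} ipsec={ipsec} null={null}: "
              f"10.1.5.5 -> {forward('10.1.5.5', ospf, ipsec, null)}")
```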
Can you explain what you mean by get all specific prefixes over MPLS as opposed to default? MPLS is very new to me.
And can you elaborate more on null-routing an aggregate block?
Thanks again for all your time and effort!