Network Planning Guide for ProSafe VPN Firewall Router FVX538
2-6 Network Planning
October 2004
Figure 2-7: Dual WAN port case for multiple exposed hosts with load balancing
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
Consider publicizing one of the WAN port Internet addresses and keeping the other one
unpublicized in order to maintain better control of WAN port traffic.

Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for
determining the IP addresses of the tunnel end points. The addressing of the router’s dual WAN
port depends on the configuration being implemented:
Table 2-1. IP addressing requirements for VPNs in dual WAN port systems

| Configuration | WAN IP address | Single WAN Port (reference case) | Dual WAN Port: Failover (a) | Dual WAN Port: Load Balancing |
|---|---|---|---|---|
| VPN Road Warrior (client-to-gateway) | Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional) |
| VPN Road Warrior (client-to-gateway) | Dynamic | FQDN required | FQDN required | FQDN required |
| VPN Gateway-to-Gateway | Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional) |
| VPN Gateway-to-Gateway | Dynamic | FQDN required | FQDN required | FQDN required |
| VPN Telecommuter (client-to-gateway through a NAT router) | Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional) |
| VPN Telecommuter (client-to-gateway through a NAT router) | Dynamic | FQDN required | FQDN required | FQDN required |

a. All tunnels must be re-established after a failover using the new WAN IP address.
[Figure 2-7 labels: Router; Dual WAN Ports; WAN1 IP Addresses 14.15.16.17, 14.15.16.18, ...; WAN2 IP Addresses 22.23.24.25, 22.23.24.26, ...; exposed hosts; IP addresses of WAN ports must be fixed blocks]