Network Planning Guide for ProSafe VPN Firewall Router FVX538
Network Planning 2-13
October 2004
Figure 2-17: Dual gateway WAN ports (load balancing case) for gateway-to-gateway VPN tunnels
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
VPN Telecommuter (Client-to-Gateway Through a NAT Router)
The following situations exemplify the requirements for a remote PC client connected to the
Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway
VPN router at the company office:
• Single gateway WAN port
• Redundant dual gateway WAN ports for increased system reliability (before and after failover)
• Dual gateway WAN ports used for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN router (Figure 2-18), the remote PC client
at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not
known in advance. The gateway WAN port must act as the responder.
Note: The telecommuter case presumes the home office has a dynamic IP address and
NAT router for budgetary reasons.
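The addressing rules above can be checked mechanically when planning a tunnel. The following Python sketch is an added example, not code from the guide or from NETGEAR. It generalizes the telecommuter rule to any endpoint pair: a side can initiate only toward a peer whose address is known in advance. The `Endpoint` fields, the function names and the sample endpoints are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    dynamic_ip: bool             # WAN address is assigned dynamically
    fqdn: Optional[str] = None   # fully-qualified domain name, if registered
    behind_nat: bool = False     # sits behind a NAT router (telecommuter case)


def known_in_advance(ep: Endpoint) -> bool:
    """True if a peer can locate this endpoint before any tunnel exists."""
    if ep.behind_nat:
        return False             # the address of the remote NAT router is not known
    return (not ep.dynamic_ip) or bool(ep.fqdn)


def plan_tunnel(a: Endpoint, b: Endpoint) -> Tuple[List[str], List[str]]:
    """Return (names of sides that can initiate, planning problems)."""
    problems = []
    for ep in (a, b):
        # Dynamic WAN address: an FQDN must be used. Fixed: FQDN is optional.
        if ep.dynamic_ip and not ep.behind_nat and not ep.fqdn:
            problems.append(f"{ep.name}: dynamic WAN address requires an FQDN")
    # A side may initiate only toward a peer it can locate in advance;
    # the other side then acts as the responder.
    initiators = [src.name for src, dst in ((a, b), (b, a)) if known_in_advance(dst)]
    if not initiators:
        problems.append("neither side is known in advance; no side can initiate")
    return initiators, problems


# Constructed sample endpoints (hypothetical names, not taken from the guide's figures).
CLIENT = Endpoint("remote PC client", dynamic_ip=True, behind_nat=True)
OFFICE_GW = Endpoint("office gateway", dynamic_ip=False)
DYN_GW_NO_NAME = Endpoint("branch gateway", dynamic_ip=True)
DYN_GW_NAMED = Endpoint("branch gateway", dynamic_ip=True, fqdn="branch.example.net")

if __name__ == "__main__":
    for pair in ((CLIENT, OFFICE_GW), (OFFICE_GW, DYN_GW_NO_NAME), (OFFICE_GW, DYN_GW_NAMED)):
        print(pair[0].name, "<->", pair[1].name, plan_tunnel(*pair))
```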
[Figure 2-17 diagram labels: Gateway-to-Gateway Example (Dual WAN Ports, Load Balancing). Gateway A (VPN router at office A) with WAN ports WAN_A1 and WAN_A2; Gateway B (VPN router at office B) with WAN ports WAN_B1 and WAN_B2. LAN subnets and LAN IP addresses shown: 10.5.6.0/24 with 10.5.6.1, and 172.23.9.0/24 with 172.23.9.1. WAN identifiers shown: 22.23.24.25, 22.23.24.26, netgear1.dyndns.org, netgear2.dyndns.org. Fully-qualified domain names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]