Virtual private networks (vpns), Virtual private networks (vpns) -6, Virtual private networks – NETGEAR ProSafe FVX538 User Manual

Network Planning Guide for ProSafe VPN Firewall Router FVX538

2-6

Network Planning

October 2004

Figure 2-7: Dual WAN port case for multiple exposed hosts with load balancing

Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for
determining the IP addresses of the tunnel end points. The addressing of the router’s dual WAN
port depends on the configuration being implemented:

Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
Consider publicizing one of the WAN port Internet addresses and keeping the other one
unpublicized in order to maintain better control of WAN port traffic.

Table 2-1.

IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAM IP address

Single WAN Port

(reference case)

Dual WAN Port Cases

Failover

a

a. All tunnels must be re-established after a failover using the new WAN IP adress.

Load Balancing

VPN Road Warrior

(client-to-gateway)

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

VPN Gateway-to-Gateway Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

VPN Telecommuter

(client-to-gateway through
a NAT router)

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

Router

22.23.24.25, 22.23.24.26, . . .

WAN2 IP Addresses

Dual WAN Ports

IP addresses of WAN ports must be fixed blocks

exposed hosts

14.15.16.17, 14,15,16,18, . . .

WAN1 IP Addresses