2 Replies Latest reply: Jan 3, 2012 3:27 AM by armalite

    Multiple external Interfaces on sidewinder 8.2

    armalite

      Hi List,

      I have read this thread: https://community.mcafee.com/thread/29886 and I have a similar problem.

      I have two clustered interfaces with different subnets connected to the internet on my Sidewinder.

      The first is for all outgoing and incoming traffic except the branch office VPNs. The default route is located here. The second interface is for VPN traffic from branch offices. The external interfaces (SnapGears) of the branch offices don't have fixed IPs.

      But I think all the incoming VPN traffic is routed back over the first interface (default route), so I can't establish the VPN tunnel (UDP traffic).

      How can I analyse / fix this?

      sliedl says in this thread: "The inbound traffic is fine because it will be routed back out that interface that it arrived on (the INBOUND interface)."

      Thx in advance

      Andreas

        • 1. Re: Multiple external Interfaces on sidewinder 8.2
          sliedl

          If the branch offices do not have fixed IPs there is not much you can do about this on the firewall.

          You need to add a route on your firewall that directs all traffic to the destination IPs of these VPNs to be forwarded to some IP address that is reachable from your second interface (i.e. the IP address of some device connected to your firewall's second interface).  Any traffic that arrives FROM these branch offices needs to arrive on this second interface also (e.g. the traffic needs to be routed to you over this second interface by other devices outside of your firewall).  That should happen anyway as the destination IP of packets from those branch offices would be the IP of your second interface and should come in on that interface.

          The firewall cannot route packets based on policy (i.e. HTTP traffic goes out this route and VPN traffic goes out this other route).  It can only route packets based on destination address.  Every time the IP address of the branch office changes you would have to change the route on the firewall.
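
Added example, not part of the original thread and not Sidewinder code: a simplified Python model of the destination-only route lookup described in reply 1. It shows why a reply to a branch office that arrived on the second interface leaves via the default route until a host route is added, and why that breaks again when the peer's IP changes. Interface names, addresses (documentation ranges) and function names are assumptions.

```python
import ipaddress

class RouteTable:
    """Destination-only forwarding: longest-prefix match, no policy input."""

    def __init__(self):
        self.routes = []  # (network, gateway, egress interface)

    def add(self, prefix, gateway, interface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, interface))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        # Most specific prefix wins; protocol, port and inbound interface are ignored.
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def reply_path(table, inbound_if, peer_ip):
    """Return (egress interface, True if the reply leaves where the request arrived)."""
    route = table.lookup(peer_ip)
    egress = route[2] if route else None
    return egress, egress == inbound_if

def build_table():
    # Constructed addresses (RFC 5737 documentation ranges), hypothetical names.
    t = RouteTable()
    t.add("0.0.0.0/0", "192.0.2.1", "ext1")   # default route on first interface
    t.add("192.0.2.0/24", None, "ext1")       # connected subnet, first interface
    t.add("198.51.100.0/24", None, "ext2")    # connected subnet, second interface
    return t

if __name__ == "__main__":
    table = build_table()
    peer = "203.0.113.10"  # branch office's current dynamic IP (constructed)
    print("no host route:  ", reply_path(table, "ext2", peer))
    table.add(peer + "/32", "198.51.100.1", "ext2")  # static route via ext2 gateway
    print("with host route:", reply_path(table, "ext2", peer))
    print("peer IP changed:", reply_path(table, "ext2", "203.0.113.77"))
```
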

          • 2. Re: Multiple external Interfaces on sidewinder 8.2
            armalite

            Hmm,

            that is very bad news for me.

            The first interface is the incoming interface for my VPN teleworkers. Regarding this thread https://community.mcafee.com/message/220763#220763 I have switched on NAT-T on this interface for a working rekeying procedure with the Shrew Soft client.

            But now my branch offices are offline on this interface. My workaround for this was a separate interface for the branch offices.

            Now I have no idea how to deal with VPN teleworkers and VPN branch offices :-(

            Can someone help me with this please?

            Thanks in advance

            Andreas