11-08-2017 02:39 AM - edited 03-12-2019 04:43 AM
I am struggling with the following scenario:
- Local branch offices shall connect to a central data center via a split tunnel - encrypting internal traffic into the VPN to terminate at the data center, while accessing the internet and internet applications directly via their local internet breakout
- Additionally the branch offices need to connect encrypted via a tunnel to a local head office to access some local services, that are not in the data center - this traffic has to be encrypted, too
- Due to latency it is not feasible for the branch offices to connect to the local head office via the data center - a direct connection is needed
- The internal target services/applications can be distinguished by their IP range
In a normal split tunnel it would try to resolve the internal IP address over the internet first and would not be able to do so - then it would route the traffic to the data center - this will work for the applications hosted there. But how do I manage the routing to the local head office?
Thanks in advance
11-08-2017 03:11 AM
Hello @Christian.Borchert
Just trying to understand and then try to help. Do you have two VPN tunnels, one from Local Branch Office to Data Center and another one from Local Branch Office to Head Office?
When you say:
"In a normal split tunnel it would try to resolve the internal IP address over the internet first and would not be able to do so - then it would route the traffic to the data center - this will work for the applications hosted there. But how do I manage the routing to the local head office."
First, in a normal split tunnel you are able to determine which traffic goes to the Internet and which one should go through the tunnel, right? I don't see why traffic should try to go to the internet first.
Second, if you have two different tunnels, they have different traffic of interest. Why can't the tunnel between Local Branch Office and Local Head Office just carry the traffic it needs?
Sorry if I mess this up, as I said, just trying to understand the flow and then propose some idea.
If you could share a drawing, it would help.
-If I helped you somehow, please, rate it as useful.-
11-08-2017 04:21 AM - edited 11-08-2017 04:23 AM
Hello @Flavio Miranda
Thank you for your reply. I added a simplified scribble of the scenario. In this scenario I have different clients at the branch offices running different applications, also at the same time:
1) in this case the user accesses web applications or just surfs the internet - i don't want this traffic in any tunnel
2) in this case the user accesses secured business applications in the data center, like the exchange
3) in this case the user accesses secured applications in the local headquarters - for example the IP telephony
All 3 scenarios go through the same internet breakout and happen in parallel. So there have to be 2 different tunnels. In the best case the client can handle the necessary splitting - that would enable the users to access secured applications even outside of the office via mobile broadband.
I just figured out, that my image is a bit wrong - scenario 2 is tunneled through the internet, too.
In general this is a hub-and-spoke design with a split tunnel plus an additional spoke-to-spoke communication (where the local headquarters is the spoke that the others need to connect to).
Normally I would configure the way, that all internal traffic goes through the VPN tunnel. But now I have 2 different tunnels and don't know if the client can handle both.
Thanks in advance and best regards
11-08-2017 05:00 AM
With client VPN I don't think it is a good idea. Client VPN will establish one tunnel at a time.
Better idea would be to have one Firewall at each location and then one tunnel between Local Branch Office and Data Center and one tunnel between Local Branch Office and Local Head Office.
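As an added illustration for the two-tunnel proposal above (my own code written for this thread, not from any poster or any firewall product), the following Python models the per-destination decision a branch-office firewall has to make when it holds one tunnel to the data-center hub and one direct tunnel to the local head office, with everything else going out the local internet breakout. Each tunnel's "traffic of interest" is a list of prefixes and the firewall does a longest-prefix match across all of them; the hub summary and the more specific head-office prefix are constructed addressing and are assumptions, as is the choice to drop private destinations no tunnel claims rather than send them to the internet. The example goes one step beyond the thread by showing that a more specific head-office prefix wins over a hub summary, so head-office traffic takes the direct spoke-to-spoke tunnel instead of hairpinning via the data center.

```python
"""Per-destination path selection for a branch firewall with two site-to-site
tunnels plus a local internet breakout. Illustrative code for this thread, not
the configuration syntax of any vendor. All addresses are constructed."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    prefixes: list  # ip_network objects: this tunnel's "traffic of interest"


class BranchPolicy:
    def __init__(self, branch_lan, paths):
        self.branch_lan = ipaddress.ip_network(branch_lan)
        self.paths = paths

    def select(self, dst):
        """Longest-prefix match over every tunnel selector.

        Returns (path_name, matched_prefix). Public destinations get
        ("internet", None). Private destinations that no tunnel claims get
        ("drop", None): the design choice here (an assumption, not the
        thread's) is that internal addresses must never leak out the
        breakout, which is exactly the "tries the internet first" symptom
        the original poster describes."""
        addr = ipaddress.ip_address(dst)
        if addr in self.branch_lan:
            return ("local", self.branch_lan)
        best = None
        for path in self.paths:
            for net in path.prefixes:
                if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (path.name, net)
        if best is not None:
            return best
        if addr.is_private:
            return ("drop", None)
        return ("internet", None)


def build_branch_policy():
    """Constructed addressing (assumption, not the poster's real ranges):
    - the data-center hub carries the 10.0.0.0/8 summary plus a server range
    - the head office's 10.50.0.0/16 is carried by the direct spoke-to-spoke
      tunnel; being more specific than the hub summary it wins the match, so
      head-office traffic does not go via the data center (the latency concern)
    """
    return BranchPolicy(
        "10.20.5.0/24",
        [
            Path("datacenter", [ipaddress.ip_network("10.0.0.0/8"),
                                ipaddress.ip_network("192.168.100.0/24")]),
            Path("headoffice", [ipaddress.ip_network("10.50.0.0/16")]),
        ],
    )


def route_flows(policy, destinations):
    """Map each destination address to the path name the policy selects."""
    return {dst: policy.select(dst)[0] for dst in destinations}


if __name__ == "__main__":
    policy = build_branch_policy()
    # Constructed sample flows: internet browsing, data-center mail server,
    # head-office IP telephony, an unclaimed private range, the branch LAN.
    sample = ["93.184.216.34", "10.0.3.25", "10.50.8.9", "172.16.1.1", "10.20.5.40"]
    for dst, path in route_flows(policy, sample).items():
        print(f"{dst:>15} -> {path}")
```

The useful check when building the real selectors is the overlap case: if the hub tunnel only ever sees the summary and the head-office tunnel the more specific prefix, the branch never has to choose between two equally specific matches, and the direct tunnel is used without any per-application configuration on the clients.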
11-08-2017 07:19 AM
Hello @Flavio Miranda
Thank you for your response. That solution would imply that the user can access everything when in one of the branch offices, but as soon as he is connected via mobile broadband or at home he can only use the internet resources unless we establish a VPN tunnel to one of the locations - true?
Best regards
11-08-2017 07:47 AM
Further analysis is necessary, but with the proposed solution where a firewall or router establishes VPN tunnels between sites, I think it is possible to have remote clients via VPN and these clients still benefit from this topology. I mean, if you are at home and establish a VPN with the firewall on the Local Branch Office, you can access resources on the Local Head Office and Data Center via the L2L VPN tunnels.
-If I helped you somehow, please, rate it as useful.-
11-08-2017 07:51 AM