Split tunnel connection with multiple termination points

I am struggling with the following scenario:

 

- Local branch offices shall connect to a central data center via a split tunnel - encrypting internal traffic into the VPN to terminate at the data center and to access the internet and internet applications directly via their local internet breakout

- Additionally the branch offices need to connect encrypted via a tunnel to a local head office to access some local services, that are not in the data center - this traffic has to be encrypted, too

- Due to latency it is not feasible for the branch offices to connect to the local head office via the data center - a direct connection is needed

- The internal target services/applications can be distinguished by their IP range

 

In a normal split tunnel it would try to resolve the internal IP address over the internet first and would not be able to do so - then it would route the traffic to the data center - this will work for the applications hosted there. But how do I manage the routing to the local head office?

 

Thanks in advance


6 Replies

Hello @Christian.Borchert

 Just trying to understand and then try to help. Do you have two VPN tunnels, one from Local Branch Office to Data Center and another one from Local Branch Office to Head Office?

 

When you say:

"In a normal split tunnel it would try to resolve the internal IP address over the internet first and would not be able to do so - then it would route the traffic to the data center - this will work for the applications hosted there. But how do I manage the routing to the local head office?"

First, in a normal split tunnel you are able to determine which traffic goes to the Internet and which one should go through the tunnel, right? I don't see why traffic should try to go to the internet first.

  Second, if you have two different tunnels, they have different traffic of interest. Why can't the tunnel between Local Branch Office and Local Head Office just carry the traffic it needs?

 Sorry if I mess this up, as I said, just trying to understand the flow and then propose some idea.

 If you could share a drawing, it would help.

 

-If I helped you somehow, please, rate it as useful.- 

Hello @Flavio Miranda

 

Thank you for your reply. I added a simplified scribble of the scenario. In this scenario I have different clients at the branch offices running different applications, also at the same time:

1) in this case the user accesses web applications or just surfs the internet - I don't want this traffic in any tunnel

2) in this case the user accesses secured business applications in the data center, like Exchange

3) in this case the user accesses secured applications in the local headquarters - for example the IP telephony

 

All 3 scenarios go through the same internet breakout and happen in parallel. So there have to be 2 different tunnels. In the best case the client can handle the necessary splitting - that would enable the users to access secured applications even outside of the office via mobile broadband.

 

I just figured out, that my image is a bit wrong - scenario 2 is tunneled through the internet, too.

 

In general this is a hub-and-spoke design with a split tunnel plus an additional spoke-to-spoke communication (where the local headquarters is the spoke the others need to connect to).

 

Normally I would configure the way, that all internal traffic goes through the VPN tunnel. But now I have 2 different tunnels and don't know if the client can handle both.


Thanks in advance and best regards

 

With client VPN I don't think it is a good idea. Client VPN will establish one tunnel at a time.

 A better idea would be to have one firewall at each location and then one tunnel between Local Branch Office and Data Center and one tunnel between Local Branch Office and Local Head Office.
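As an added illustration that is not part of the thread: the two site-to-site tunnels proposed above each carry their own "traffic of interest", and the branch policy is then just a prefix table with the internet as the default. The Python below (my example, not the poster's or any vendor's configuration) models that policy, picks the path per destination by longest prefix, and checks the one thing that bites in practice, overlapping selectors between the two tunnels, where which tunnel wins becomes an accident of policy ordering. All prefixes and addresses are assumed for the example.

```python
"""Path selection for a split tunnel with two termination points.

Models the branch-office policy from the thread: one tunnel to the data
center, one tunnel to the local head office, everything else out the
local internet breakout. Prefixes below are assumed, not from the post.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Assumed address plan (constructed for this example).
TUNNELS = {
    "data-center": ["10.0.0.0/16"],      # e.g. Exchange lives here
    "head-office": ["10.200.0.0/16"],    # e.g. IP telephony lives here
}
LOCAL_BREAKOUT = "internet"              # split-tunnel default


def _parse_policy(policy):
    """Turn {tunnel: [prefix strings]} into {tunnel: [ip_network]}."""
    return {name: [ip_network(p) for p in prefixes]
            for name, prefixes in policy.items()}


def select_path(dst, policy=TUNNELS):
    """Return the tunnel whose most specific prefix covers dst, or
    LOCAL_BREAKOUT when no tunnel claims the destination."""
    addr = ip_address(dst)
    best_name, best_net = None, None
    for name, nets in _parse_policy(policy).items():
        for net in nets:
            # `in` is False across IPv4/IPv6, so mixed policies are safe.
            if addr in net and (best_net is None
                                or net.prefixlen > best_net.prefixlen):
                best_name, best_net = name, net
    return best_name if best_name is not None else LOCAL_BREAKOUT


def overlapping_selectors(policy=TUNNELS):
    """List (tunnel_a, prefix_a, tunnel_b, prefix_b) pairs whose traffic
    of interest overlaps. A destination matching two tunnels' policies is
    routed by whichever policy is evaluated first, which is exactly the
    ambiguity the poster wants to avoid, so the check should return []."""
    nets = _parse_policy(policy)
    issues = []
    for (a, nets_a), (b, nets_b) in combinations(nets.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    issues.append((a, str(na), b, str(nb)))
    return issues


def classify_flows(destinations, policy=TUNNELS):
    """Map each destination to the path it takes under the policy."""
    return {dst: select_path(dst, policy) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample flows: internet, data center, head office.
    for dst, path in classify_flows(
            ["93.184.216.34", "10.0.5.25", "10.200.1.10"]).items():
        print(f"{dst:>16} -> {path}")
    print("overlaps:", overlapping_selectors())
    # A sloppy policy that claims all of 10/8 for the data center would
    # also cover the head-office range and trip the check.
    sloppy = {"dc": ["10.0.0.0/8"], "ho": ["10.200.0.0/16"]}
    print("sloppy overlaps:", overlapping_selectors(sloppy))
```

With a clean policy the three sample destinations land on the internet, the data-center tunnel and the head-office tunnel respectively and the overlap check is empty; with the sloppy 10/8 policy the head-office range is still selected by longest prefix, but the check reports the overlap so it can be fixed before two crypto policies start competing for the same flow.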

 

Hello @Flavio Miranda

 

Thank you for your response. That solution would imply that the user can access everything when in one of the branch offices, but as soon as he is connected via mobile broadband or at home he can only use the internet resources unless we establish a VPN tunnel to one of the locations - true?

 

Best regards

Accepted Solution

Further analysis is necessary, but with the proposed solution, where a firewall or router establishes VPN tunnels between sites, I think it is possible to have remote clients via VPN and these clients still benefit from this topology. I mean, if you are at home and establish a VPN with the firewall on the Local Branch Office, you can access resources on the Local Head Office and Data Center via the L2L VPN tunnel.

 

Hello @Flavio Miranda

 

Thank you - that was helpful.

 

Best regards