RV042 and PIX with load balancing

Hello, I was looking at the Linksys RV042 and it seems a pretty good router. Does anyone know how to set this up? One crypto map with two peers, or two crypto maps with two look-alike access lists? Do I need failover enabled on the PIX? Are there any special requirements for this? Thanks.

Reply to
jcharth

In article , wrote:
: Hello, I was looking at the Linksys RV042 and it seems a pretty good
: router. Does anyone know how to set this up? One crypto map with two peers,
: or two crypto maps with two look-alike access lists? Do I need failover
: enabled on the PIX? Are there any special requirements for this? Thanks.

You can't do load balancing with PIX 6.x. I don't know if you can with PIX 7.0, but I don't recall seeing that as one of the features added.

Reply to
Walter Roberson

Maybe it is something on the RV042 side. I guess the only way to know is to buy one and, if it does not work, send it back.

Reply to
jcharth

In article , wrote:
: Maybe it is something on the RV042 side. I guess the only way to know is
: to buy one and, if it does not work, send it back.

For PIX 6.x, there is nothing you can do that will make it load balance, at least not for TCP. You can have -destination- routes to different places, but that's not load balancing, that's just routing. If you have the same traffic flows arriving via multiple interfaces, then the Adaptive Security will refuse to believe that packets arriving on the other interfaces are authorized. If you have multiple IPSec peers in the same crypto policy, then it will only ever use one of them at a time, with obscure algorithms that lead to cutting off an old peer if a new one manages to start up. If you have the same crypto ACL on multiple crypto map policies, it will match the traffic on the lowest policy number and will never even look to see whether the other policies might match the traffic.

I don't know what can be done with PIX 7.0.

Reply to
Walter Roberson

I found this example, but the subnets on the access lists are different, so I don't think it applies, and I bet it won't work with load balancing.

However, maybe for fault tolerance I can add a second peer to the PIX in the same crypto map, right?

Reply to
jcharth

In article , wrote:
: I found this example, but the subnets on the access lists are different,
: so I don't think it applies, and I bet it won't work with load balancing.

: However, maybe for fault tolerance I can add a second peer to the
: PIX in the same crypto map, right?

You can add something like six peers to the same crypto map policy clause. Those are for fault tolerance only.

Anything beyond that would have to be handled at a stage before. For example, if you had a router inside the PIX perimeter that did policy-based routing such that any one flow was always routed the same way, and at the LAN router you were to NAT the different policy outlets separately, then as far as the PIX would be concerned they would be different inside hosts, and the PIX would be able to run them through different VPN tunnels.

You can also do -some- of that directly on the PIX, by using a combination of policy NAT and multiple crypto map policies. The crypto map match-address ACLs are not looked at until -after- NAT has taken place, so if you can express your different streams in terms of different layer 4 policies that can be source NAT'd to different IPs, then the crypto map could be specific to the different post-NAT sources and so send them through different tunnels. But at least in PIX 6.x, you cannot split a single flow over multiple outlets -- per-packet load balancing from within PIX 6.x is Right Out for TCP [UDP... might be hackable, ICMP not.]

Reply to
Walter Roberson
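An added configuration example, not posted by anyone in this thread, that puts the two pieces of the reply above into PIX 6.3 syntax: one crypto map entry carrying two peers (failover only), and the policy NAT split that lets two crypto map entries steer different layer 4 streams to different peers. Every name and address here is an assumption for the example: 10.1.0.0/16 is the local LAN, 10.2.0.0/16 the remote LAN, 203.0.113.10 and .11 the two remote IPsec endpoints, 198.51.100.2 and .3 spare public addresses on the PIX's outside subnet, and the pre-shared keys are placeholders.

```cisco
! ---- Option A: fault tolerance only.
! Two peers under ONE crypto map entry. The PIX negotiates with the first
! reachable peer and uses exactly one tunnel at a time; nothing is balanced.
access-list VPN-ALL permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

isakmp enable outside
isakmp key ChangeMeA address 203.0.113.10 netmask 255.255.255.255
isakmp key ChangeMeB address 203.0.113.11 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map OUTSIDE 10 ipsec-isakmp
crypto map OUTSIDE 10 match address VPN-ALL
crypto map OUTSIDE 10 set peer 203.0.113.10
crypto map OUTSIDE 10 set peer 203.0.113.11
crypto map OUTSIDE 10 set transform-set STRONG
crypto map OUTSIDE interface outside
sysopt connection permit-ipsec

! ---- Option B: pin different streams to different peers (replaces entry 10).
! Policy NAT (PIX 6.3+) translates the source of HTTP/HTTPS flows to one
! public address and everything else to another. Rules are taken in the
! order configured (assumption: verify with "show nat"), so the port-specific
! rule must be entered first.
access-list NAT-WEB  permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 80
access-list NAT-WEB  permit tcp 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0 eq 443
access-list NAT-REST permit ip  10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 2 access-list NAT-WEB
global (outside) 2 198.51.100.2
nat (inside) 3 access-list NAT-REST
global (outside) 3 198.51.100.3

! Crypto ACLs are evaluated AFTER NAT, so they must name the translated
! sources, and the lowest sequence number that matches wins.
access-list VPN-WEB  permit ip host 198.51.100.2 10.2.0.0 255.255.0.0
access-list VPN-REST permit ip host 198.51.100.3 10.2.0.0 255.255.0.0

crypto map OUTSIDE 20 ipsec-isakmp
crypto map OUTSIDE 20 match address VPN-WEB
crypto map OUTSIDE 20 set peer 203.0.113.10
crypto map OUTSIDE 20 set transform-set STRONG
crypto map OUTSIDE 30 ipsec-isakmp
crypto map OUTSIDE 30 match address VPN-REST
crypto map OUTSIDE 30 set peer 203.0.113.11
crypto map OUTSIDE 30 set transform-set STRONG
```

Two things to check after applying Option B: `show xlate` should show web sessions translated to 198.51.100.2 and the rest to 198.51.100.3, and `show crypto ipsec sa` should show separate SAs to each peer. The far end of each tunnel must carry the mirror image of the crypto ACL (198.51.100.2/32 <-> 10.2.0.0/16 on the first peer, 198.51.100.3/32 on the second), which is why an example whose access lists use different subnets does not transfer directly. This is still not load balancing in the strict sense: each flow is pinned to one tunnel by its port, and a failure of one peer takes that stream down rather than moving it.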

What if I have two PIXes and one router behind the PIXes using OSPF or iBGP to route the packets through the right PIX? I can probably establish two tunnels with the RV042 and have the packets go to one or the other based on availability, right? Well, anyway, I think I'll give it a shot.

Reply to
jcharth

In article , wrote:
: What if I have two PIXes and one router behind the PIXes using OSPF or
: iBGP to route the packets through the right PIX? I can probably
: establish two tunnels with the RV042 and have the packets go to one or the
: other based on availability, right? Well, anyway, I think I'll give it a
: shot.

PIX 6.2 supports reading OSPF routes directly, except on the PIX 501. But that's a *routing* configuration, not a *load balancing* configuration.

There is no circumstance under which a PIX 6.x will accept a TCP packet for a flow that was previously going through a different PIX [other than PIX failover.]

You can do some UDP stuff with multiple PIX by abusing the fact that each UDP packet is independently considered to be a flow in itself, but consider the case where the UDP goes out on one PIX and the reply comes back on the other: unless the second PIX has been configured to accept UDP for -all- ports [because the outgoing had a dynamic source port], then the adaptive security on the second PIX is not going to allow the packet in.

Effectively, if you want to do load balancing, you need to do it on the WAN side of the PIX.

Reply to
Walter Roberson

If you can put routers behind the firewalls, redundancy becomes much easier. Just treat the IPsec tunnels as non-broadcast point-to-point links and use a routing protocol to select the tunnel to use. Load balancing is automatic if you use an IGP and GRE tunnels. BGP routing saves overhead, but makes load balancing much more difficult. See the white paper "Redundant Routes in IPSec VPNs" on my web site for some examples (load balancing is not addressed, but you can fill that in, because load balancing is typically useless if you don't have robust redundancy).

Good luck and have fun!

Reply to
Vincent C Jones
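An added IOS example, not from Vincent's paper or anyone in this thread, of the design he describes: a router behind the two firewalls terminates two GRE tunnels, each steered out through its own PIX, and OSPF treats them as equal-cost point-to-point links so traffic is shared across both and moves to the survivor when one goes down. Everything specific here is an assumption: the router is a 2621 with a crypto-capable IOS image, FastEthernet0/0 sits behind PIX-A (inside address 192.168.10.1) and FastEthernet0/1 behind PIX-B (192.168.20.1), the far endpoints are 203.0.113.10 and .11, the tunnel interconnects are 10.255.1.0/30 and 10.255.2.0/30, and IPsec is applied on the router with a tunnel protection profile rather than on the PIXes (the PIXes are assumed to pass IKE and ESP for the router's source addresses; that part is not shown).

```cisco
! IKE and IPsec for both far endpoints. Pre-shared keys are placeholders.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ChangeMeA address 203.0.113.10
crypto isakmp key ChangeMeB address 203.0.113.11
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto ipsec profile GRE-PROT
 set transform-set STRONG
!
! Each tunnel endpoint is reached through a different PIX, so a single
! flow always crosses the same firewall and each PIX sees only its own
! ESP session (the point made earlier in the thread about state).
ip route 203.0.113.10 255.255.255.255 192.168.10.1
ip route 203.0.113.11 255.255.255.255 192.168.20.1
!
interface FastEthernet0/0
 description toward PIX-A inside
 ip address 192.168.10.2 255.255.255.0
interface FastEthernet0/1
 description toward PIX-B inside
 ip address 192.168.20.2 255.255.255.0
!
! GRE keepalives (12.2(8)T or later) bring the tunnel interface down when
! the far side stops answering, so OSPF withdraws that path promptly.
interface Tunnel1
 description to far site via PIX-A
 ip address 10.255.1.1 255.255.255.252
 keepalive 5 3
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel2
 description to far site via PIX-B
 ip address 10.255.2.1 255.255.255.252
 keepalive 5 3
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.11
 tunnel protection ipsec profile GRE-PROT
!
! Both tunnels are point-to-point OSPF links with the default cost, so the
! far LAN is learned with two equal-cost next hops and CEF shares flows
! across them (per destination by default, which keeps a flow on one tunnel).
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
```

After the far-end router mirrors this, `show ip route 10.2.0.0` should list both Tunnel1 and Tunnel2 as next hops, and shutting one tunnel (or its PIX) should leave the route with a single path without any change on the hosts. The mirror of Tunnel1 at the far site must use 10.255.1.2 as its address and 203.0.113.10 as its own tunnel source, and likewise for Tunnel2.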

Thanks, Vincent. I read all your papers a few days ago hoping to find an answer to my problem. Do you think it is OK to do the IPsec and GRE tunnels in a router behind the PIX? I have a 2621 that has a few Ethernet ports open. I also have a Tasman T1 router with two LAN interfaces. I

Reply to
jcharth

I'm having a bit of a challenge parsing your response, but I'll do the best I can.

The GRE tunnels must terminate on a router; PIXes don't route the way you need them to for this application.

IPsec can be done by firewall or by router. On the firewall is usually easier (less opportunity for confusion), but not necessarily better. The bigger challenge is usually getting both ends of the IPsec tunnel to agree on all parameters so the tunnel will come up and stay up.

2621 VPN performance may not be adequate. It also requires upgrading to crypto or firewall feature set (if you're not there already).

Good luck and have fun!

Reply to
Vincent C Jones
