On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> With the following firewall configuration, what recommendations does
> anyone have for how we should handle VPN? I see two solutions:
> 1. Forward ipsec from FIREWALL 1 to FIREWALL 2 with isakmpd running
> on FIREWALL 2.
> 2. Run isakmpd on FIREWALL 1 and nat the traffic from the VPN
> network to FIREWALL 2.
>
> I like method #2 because it doesn't allow direct access to isakmpd
> from the Internet.
>
>        -----------------
>        |   INTERNET    |
>        --------o--------
>                |
>                |
>        ------------o------------
>        |                       |(dmz)
> +------o      FIREWALL 1       o-----
> |      |                       |
> |      -------------------------
> |
> |
> |      -------------------------
> |      |                       |
> +------o      FIREWALL 2       |
>        |                       |
>        -------------------------
>                |(internal network)
I'd just run isakmpd on FW1, especially if the VPN is mostly used to access the internal network. If there happens to be a big bug in isakmpd, you only expose the DMZ; and if you misconfigure the firewall, which is a lot more likely, you only expose the DMZ. Of course, if server A is only reachable internally and via VPN, FW2 must still trust FW1 to only feed it connections to server A that are actually initiated by a VPN client. FW2 doing a second layer of filtering seems to be the main point of the setup, so handle that. You won't be able to do any reasonable filtering on isakmpd anyway.

Joachim
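As an added illustration of method #2 and of the "FW2 must trust FW1" caveat above (this is not from either poster, and not a configuration from the OpenBSD project), here is a pf.conf sketch for both firewalls. Interface names, the VPN client pool, the address of server A and the dedicated NAT address are all assumptions; the rules use the current pf syntax (`nat-to` on a pass rule), which is not the `nat on` syntax of the 2006-era pf the thread was written against, so adapt to your release. The trick that makes FW2's second layer of filtering meaningful is that FW1 source-NATs VPN-origin traffic to an address it uses for nothing else, so FW2 can tell "came in over the VPN" apart from anything else FW1 might forward.

```pf
# ===== /etc/pf.conf on FW1 (runs isakmpd) -- assumed names throughout =====
ext_if   = "em0"              # Internet
dmz_if   = "em1"              # DMZ
fw2_if   = "em2"              # link to FIREWALL 2
vpn_net  = "10.200.0.0/24"    # address pool handed to VPN clients (assumed)
vpn_nat  = "172.16.0.10"      # alias on $fw2_if used ONLY for VPN-origin traffic
server_a = "192.168.1.10"     # internal host reachable only via VPN (assumed)

block log all

# The only listener FW1 exposes to the Internet: IKE (plus NAT-T) to isakmpd,
# and the ESP packets the clients send once a tunnel is up.
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Decrypted client traffic appears on enc0. Only the VPN pool, only to server A.
pass in on enc0 from $vpn_net to $server_a

# Toward FW2, source-NAT VPN traffic to the dedicated address. Nothing else on
# FW1 uses $vpn_nat, so FW2 can treat that source as "initiated by a VPN client".
pass out on $fw2_if from $vpn_net to $server_a nat-to $vpn_nat

# ===== /etc/pf.conf on FW2 (separate file, second layer of filtering) =====
fw1_if   = "em0"              # link from FIREWALL 1
int_if   = "em1"              # internal network
vpn_nat  = "172.16.0.10"      # must match FW1's dedicated NAT address
server_a = "192.168.1.10"

block log all

# Trust FW1 only for that one source address, and only for the services
# server A actually offers to VPN users (ports assumed).
pass in  on $fw1_if proto tcp from $vpn_nat to $server_a port { 22, 443 }
pass out on $int_if proto tcp from $vpn_nat to $server_a port { 22, 443 }
```

The check worth doing after loading this: from a host on FW1's DMZ or Internet side, confirm that nothing but UDP 500/4500 and ESP reaches FW1, and that FW2 drops any packet to server A whose source is not $vpn_nat. If FW1 ever gets a second rule that NATs non-VPN traffic to $vpn_nat, FW2's filtering silently stops meaning anything, which is exactly the trust relationship the reply warns about.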