Wireless Bridge with Redundant wired VPN

 
 
citymaster@gmail.com

 
      05-09-2006, 09:11 PM
I need to connect two buildings via a wireless bridge, while keeping
the existing wired VPN connection between them in place (yes, creating
a loop). I need both connections in place so that in case of a failure
on one the other may pick-up the traffic. The wired VPN link is in
place and working; two firewall/VPN appliances acting as gateway at the
internet connection in each building facilitates this. I have
installed and tested the wireless bridge to the point that I know it is
able to reliably send packets back and forth between the two buildings.
Now I need to connect this bridge into the networks at each building
so it can be used for traffic. The internal networks at each site are
different subnets (192.168.1.0/24 and 192.168.2.0/24). What would be
the best approach to accomplish this?

 
 
 
 
 
Jeff Liebermann

 
      05-10-2006, 03:11 PM
(E-Mail Removed) hath wroth:

>I need to connect two buildings via a wireless bridge, while keeping
>the existing wired VPN connection between them in place (yes, creating
>a loop).


It's not a loop. It's two routes to the same IP block. It's exactly
analogous to installing two ethernet cards in your PC, plugging both
into a switch, and then trying to load balance the traffic (or switch
the traffic) between them. If you have a Windoze laptop with both
wired and wireless connection, the selection of route is done
automatically using the "metric" value in the IPCONFIG command. See:
| http://groups.google.com/group/alt.i...a9dc78cc2bd26f
for some hints.

>I need both connections in place so that in case of a failure
>on one the other may pick-up the traffic.


Are you trying to use both at the same time? If not, there are
protocols for switching the router on failure such as RIP. If yes,
there are load balancing routers:
http://www.edimax.com/html/english/p...-PRIrouter.htm
http://www.edimax.com/html/english/p...ist-router.htm
that can distribute the load between the two routes.

>The wired VPN link is in
>place and working; two firewall/VPN appliances acting as gateway at the
>internet connection in each building facilitates this.


Maker and model of the firewall/VPN appliances?

>I have
>installed and tested the wireless bridge to the point that I know it is
>able to reliably send packets back and forth between the two buildings.


Maker and model of the wireless bridges?

When you say "redundant VPN", does this mean that you have a VPN
running over the wireless bridge?

>Now I need to connect this bridge into the networks at each building
>so it can be used for traffic. The internal networks at each site are
>different subnets (192.168.1.0/24 and 192.168.2.0/24). What would be
>the best approach to accomplish this?


That depends if you want to have both paths distribute the traffic or
if you want to just use the wireless as a backup. My guess(tm) is
that the bandwidth of the wireless is much higher than your (telco???)
wired connection and should be considered the primary path, not the
backup. If there's more than about a 10:1 ratio in available
bandwidth, I wouldn't bother trying to load balance the two routes. If
they're equal, then load balancing makes sense.

Fail over is easy enough. If the VPN routers being used for both the
wireless and wired connections can do RIP-2, then simply assign a
"cost" to the path and the routers will do the rest. Some model
routers also have built in fail over features.

I'm not sure how I would implement load balancing. Probably with a
dedicated load balancing router. However, I couldn't find one that
also can play VPN router. This may take two boxes which seems a bit
too complicated. Dunno.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
citymaster@gmail.com

 
      05-10-2006, 06:07 PM
I don't need to use both simultaneously; I just need to keep both in
place so that in the event of failure a connection will be maintained.
You are correct that the Wireless has much higher bandwidth than the
current wired VPN link; hence I would like to make the wireless the new
primary connection, and have the wired VPN be the secondary.

Currently I have a Firebox X700 at one site and a Linksys BEFVP41 at
the other. These are functioning perfectly as far as being the
internet gateway and VPN termination points for each network.

Yes, it is necessary to run the wireless connection through a VPN tunnel
as well due to a need for high security. We are using WPA as well
between the two wireless bridge devices.

The wireless bridge devices are TrendNet TEW-413APBO, connected to
14dbi directional antennas (TEW-OA14DK). The wireless connection is
working well over a roughly 3000 foot distance with line of sight.

In summary, I don't need load balancing, simply two paths so that
connections can fail over in the event of any problems on one or the
other. Somehow configuring the system so that the wireless bridge can
pass packets between the two different IP networks. And the ability to
have a gateway to gateway style VPN tunnel encapsulating all data going
across the wireless connection.

 
 
Aaron Leonard

 
      05-10-2006, 10:51 PM
On Wed, 10 May 2006 08:11:57 -0700, Jeff Liebermann <(E-Mail Removed)> wrote:


~ >Now I need to connect this bridge into the networks at each building
~ >so it can be used for traffic. The internal networks at each site are
~ >different subnets (192.168.1.0/24 and 192.168.2.0/24). What would be
~ >the best approach to accomplish this?
~
~ That depends if you want to have both paths distribute the traffic or
~ if you want to just use the wireless as a backup. My guess(tm) is
~ that the bandwidth of the wireless is much higher than your (telco???)
~ wired connection and should be considered the primary path, not the
~ backup. If there's more than about a 10:1 ratio in available
~ bandwidth, I wouldn't bother trying to load balance the two routes. If
~ they're equal, then load balancing makes sense.
~
~ Fail over is easy enough. If the VPN routers being used for both the
~ wireless and wired connections can do RIP-2, then simply assign a
~ "cost" to the path and the routers will do the rest. Some model
~ routers also have built in fail over features.
~
~ I'm not sure how I would implement load balancing. Probably with a
~ dedicated load balancing router. However, I couldn't find one that
~ also can play VPN router. This may take two boxes which seems a bit
~ too complicated. Dunno.

Cisco routers could handle this. With a mindboggling variety of methods and
options. Very likely you would see some useful suggestions for how best
to do this at comp.dcom.sys.cisco.

Aaron
 
 
Jeff Liebermann

 
      05-11-2006, 04:46 PM
(E-Mail Removed) hath wroth:

>I don't need to use both simultaneously; I just need to keep both in
>place so that in the event of failure a connection will be maintained.
>You are correct that the Wireless has much higher bandwidth than the
>current wired VPN link; hence I would like to make the wireless the new
>primary connection, and have the wired VPN be the secondary.


>Currently I have a Firebox X700 at one site and a Linksys BEFVP41 at
>the other. These are functioning perfectly as far as being the
>internet gateway and VPN termination points for each network.


The Firebox X700 supports BGP, OSPF, and RIP-2.
The BEFVP41 supports RIP-1 and RIP-2.
So far so good.

>Yes, it is necessary to run the wireless connection through a VPN tunnel
>as well due to a need for high security. We are using WPA as well
>between the two wireless bridge devices.
>
>The wireless bridge devices are TrendNet TEW-413APBO, connected to
>14dbi directional antennas (TEW-OA14DK). The wireless connection is
>working well over a roughly 3000 foot distance with line of sight.


http://www.trendnet.com/products/TEW-413APBO.htm
No routing protocols supported because these are a wireless bridge,
not a router. So, where are the VPN routers on the wireless link? You
said:
"... it is necessary to run the wireless connection through
a VPN tunnel"
That requires VPN routers. Maker and model?

>In summary, I don't need load balancing, simply two paths so that
>connections can fail over in the event of any problems on one or the
>other.


I presume automatic fail over, not manually switched.

>Somehow configuring the system so that the wireless bridge can
>pass packets between the two different IP networks.


Think about the above statement a bit. IP networks work on ISO layer
3. Wireless bridges work on ISO layer 2 and know NOTHING about IP
addresses.

>And the ability to
>have a gateway to gateway style VPN tunnel encapsulating all data going
>across the wireless connection.


Well, that will take two VPN routers. Maker and model?

If the (added) VPN routers on the wireless link support RIP-2, you're
done. Just configure RIP-2 in all your routers and you get something
like fail over. It changes the default route depending on the number
of hops to the gateway.

I tried to find some general info on dynamic routing and RIP-2 but
couldn't find anything directly applicable. I've never tried
fail-over with RIP through two VPN's so I have this nagging feeling
I'm missing something.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
 
citymaster@gmail.com

 
      05-11-2006, 08:21 PM
Thank you for your assistance. It sounds like what I am missing is the
two additional routers which would connect to each of the wireless
bridge devices.

Once I connect these two additional devices, how would I configure them
from an IP view point? Would I connect one side of each to an IP on
the local wired network and then the other side to a new network, like
192.168.3.0/24, which would include these two new routers and the
wireless bridge devices? Then I configure the VPN tunnels to point to
the IP on the "wired side" of each of these routers? With the default
gateways on the client machines pointing to the existing routers (the
internet gateways), how will they know that a second (and less costly)
route to the other internal network exists? Is this where the magic of
RIP-2 comes in?

Sorry for my confusion on the ISO layers; I should have realized the
fact that the bridge devices don't care about IPs, hence the reason I
need the two additional routers so that routing can occur between the
two separate IP networks.

As far as RIP-2, if anyone knows what configuration may be required I
would appreciate the info. The Linksys box has a control that must be
selected defining whether its Dynamic Routing is in "gateway" or
"router" mode...? The WatchGuard has the ability to include some kind
of configuration file for RIP; I will try to dig through my
documentation more to further understand this.
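
As an added illustration (not part of any post in this thread), here is a small Python model of the RIP-style route selection discussed above, seen from the site A gateway for 192.168.2.0/24. The neighbor names and the link costs 1 and 5 are assumptions; metric 16, the 180-second timeout and the 30-second update interval are RIP's standard values.

```python
# Added example: RIP-style route selection; names and link costs are constructed.
from dataclasses import dataclass

INFINITY = 16         # RIP metric meaning "unreachable"
TIMEOUT = 180         # seconds without an update before a route expires
UPDATE_INTERVAL = 30  # seconds between periodic advertisements

@dataclass
class Route:
    next_hop: str
    metric: int
    last_heard: int

class RipTable:
    def __init__(self):
        self.routes = {}  # prefix -> Route

    def receive(self, now, neighbor, prefix, adv_metric, link_cost=1):
        metric = min(adv_metric + link_cost, INFINITY)
        cur = self.routes.get(prefix)
        if cur is not None and cur.next_hop == neighbor:
            # Same neighbor: always believe it, even if the metric got worse.
            cur.metric = metric
            if metric < INFINITY:
                cur.last_heard = now
        elif metric < (cur.metric if cur else INFINITY):
            # New prefix or other neighbor: install only if strictly better.
            self.routes[prefix] = Route(neighbor, metric, now)

    def expire(self, now):
        for r in self.routes.values():
            if now - r.last_heard >= TIMEOUT:
                r.metric = INFINITY  # stale: mark unreachable

    def next_hop(self, prefix):
        r = self.routes.get(prefix)
        return r.next_hop if r and r.metric < INFINITY else None

def simulate(wireless_fails_at, end, prefix="192.168.2.0/24"):
    """Site A gateway's view; returns [(time, next_hop)] at each change."""
    table, changes = RipTable(), []
    for now in range(0, end + 1, UPDATE_INTERVAL):
        table.expire(now)
        if now < wireless_fails_at:  # wireless VPN router still advertising
            table.receive(now, "wireless-vpn", prefix, 0, link_cost=1)
        table.receive(now, "wired-vpn", prefix, 0, link_cost=5)
        hop = table.next_hop(prefix)
        if not changes or changes[-1][1] != hop:
            changes.append((now, hop))
    return changes

if __name__ == "__main__":
    print(simulate(wireless_fails_at=300, end=600))
```

With the wireless path failing at t=300 s, the model switches to the wired VPN only at t=450 s: the stale route is dropped once the timeout expires, so failover is not immediate.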

 