Virtual Private Networks - NETGEAR SRX5308 Reference Manual

Note: Load balancing is implemented for outgoing traffic and not for
incoming traffic. Consider making one of the WAN port Internet
addresses public and keeping the other one private in order to
maintain better control of WAN port traffic.
Figure 187.

Virtual Private Networks

When implementing virtual private network (VPN) tunnels, you need to use a mechanism for
determining the IP addresses of the tunnel endpoints. The addressing of the firewall's WAN
ports in a dual WAN port auto-rollover or load balancing configuration depends on the
configuration being implemented.
Table 80. IP addressing requirements for VPNs in a dual WAN port configuration
Configuration and WAN IP address
VPN Road Warrior
(Client-to-Gateway)
VPN Gateway-to-Gateway
VPN Telecommuter
(Client-to-Gateway through
a NAT Router)
a. After a rollover, all tunnels need to be reestablished using the new WAN IP address.
For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and
either an FQDN or the IP address itself when the IP address is fixed. The situation is different
in dual WAN port gateway configurations.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Single WAN port
configurations
(reference cases)
Fixed Allowed
(FQDN optional)
Dynamic FQDN required
Fixed Allowed
(FQDN optional)
Dynamic FQDN required
Fixed Allowed
(FQDN optional)
Dynamic FQDN required
Network Planning for Multiple WAN Ports
Dual WAN port configurations
Rollover mode
FQDN required
FQDN required
FQDN required
FQDN required
FQDN required
FQDN required
315
a
Load balancing mode
Allowed
(FQDN optional)
FQDN required
Allowed
(FQDN optional)
FQDN required
Allowed
(FQDN optional)
FQDN required