Linksys RV042 VPN Setup questions
str8eiht
12-09-2004, 11:05 PM
Some of you might remember I posted on here a while ago regarding using Cisco 17xx series routers for VPN. The client decided that was too expensive, so I'm going to use Linksys RV0x2 series VPN routers instead. I'm looking for some basic setup help from anyone with hands-on experience with these devices. I've used Linksys consumer stuff before (BEFSR41 etc.) and Cisco 26xx, 25xx devices, but never for VPN via IPSEC tunnels.
Here's the setup: I want to connect two sites together. One site is a WAREHOUSE with only 5 clients; they require use of an application that can be run from a mapped network drive. The application interfaces with a Microsoft SQL database running on a Win2K domain controller at the MAIN OFFICE. The MAIN OFFICE has Cable and the WAREHOUSE has DSL; both are static IPs. I would like to use VPN to accomplish mapping the network drive.
Here are my questions:
To create the IPSEC tunnel between the two sites, do I require an IPSEC-endpoint-capable router at each end? If so, do I have to buy TWO RV042's? I was thinking I could connect the Win2k's 2nd NIC to the public internet, and create an IPSEC policy / config at the to match the IPSEC
I assume that with a router-to-router VPN tunnel no VPN client software is required? The main office will still require internet access; how will the new VPN router affect this? Will it send all traffic across the VPN?
Right now I have not purchased anything. If there is any more info required, let me know; I'm still in the high-level planning stages at this point. But I'm keen to keep the budget within $1000 Canadian.
Any help appreciated
thanks in advance
Darkstar850
12-10-2004, 01:23 AM
Just a clarifying question... if the budget is 1000 Canadian or under, why does the client consider the 1700 series too expensive? Was there a certain model you were considering? There seem to be a lot of 1700 series on eBay for 150-200. I don't have any experience with the 1700's though, so I don't know if they're any good or not.
The reason I am asking is, while I am certainly no VPN expert, our security guys at work have told me that the branch-to-branch tunnels require more robust hardware than single-user tunnels. On the other hand, we have a lot of them, so maybe with just 1 it wouldn't be an issue.
I believe 2k server can handle vpn. I know 2k3 can. The question really is, do you want to expose your domain controller directly like that? I would think it would be generally advised that you not, and I think that the security and peace of mind would be worth spending the money for another device at HQ.
str8eiht
12-10-2004, 01:29 AM
Just a clarifying question... if the budget is 1000 Canadian or under, why does the client consider the 1700 series too expensive? Was there a certain model you were considering? There seem to be a lot of 1700 series on eBay for 150-200.
Sorry, I should have been more specific: it's a 1711 or 1712 I'm looking for, or maybe a 1760. These all retail for over $1000 after you add the WIC cards and IOS version that you need; the regular 1700 series SOHO broadband routers are cheap.
The reason I am asking is, while I am certainly no VPN expert, our security guys at work have told me that the branch-to-branch tunnels require more robust hardware than single-user tunnels. On the other hand, we have a lot of them, so maybe with just 1 it wouldn't be an issue.
I've never done a router-to-router tunnel before. Can you answer me this: do the clients at branches require any VPN software, or is it transparent? That's one of the questions I have yet to get answered in my research, and I'm aiming towards a router-tunnel-to-router-tunnel setup, so that would be great if you could find that out for me.
I believe 2k server can handle VPN. I know 2k3 can. The question really is, do you want to expose your domain controller directly like that? I would think it would be generally advised that you not, and I think that the security and peace of mind would be worth spending the money for another device at HQ.
2k can for sure via RRAS. I would prefer 2k3 if he had it, but he doesn't. I'm not keen about exposing 2k to the internet without a router either; well put.
Darkstar850
12-10-2004, 01:43 AM
Sorry, I should have been more specific: it's a 1711 or 1712 I'm looking for, or maybe a 1760. These all retail for over $1000 after you add the WIC cards and IOS version that you need; the regular 1700 series SOHO broadband routers are cheap.
Ahh, ok, that makes sense. I did see a 1760 on eBay; it was at 800 or so, and it's used.
I've never done a router-to-router tunnel before. Can you answer me this: do the clients at branches require any VPN software, or is it transparent? That's one of the questions I have yet to get answered in my research, and I'm aiming towards a router-tunnel-to-router-tunnel setup, so that would be great if you could find that out for me.
Totally transparent, at least the way we do it (I don't configure the VPN tunnels, but I do work on them and troubleshoot them). The tunnels hang out, ready for action whenever anyone wants to send traffic across them. We do not have them go down when the link is idle and then come back up when traffic triggers them, which I believe is an option.
From something you said earlier:
I assume that with a router-to-router VPN tunnel no VPN client software is required? The main office will still require internet access; how will the new VPN router affect this? Will it send all traffic across the VPN?
Are the warehouse clients using public or private IPs (guessing private)? Are they on a different network than the main office, IP-space-wise? The easiest way to do this is, say, make the HQ a 172.16.x.x setup, with the warehouse at 192.168.1.x sort of config. Then you put static routes on your routers pointing anything for 172.16.0.0/16 at the warehouse across the VPN to HQ, and anything for 192.168.1.0/24 at the office across the VPN to the warehouse. All other traffic going to public IPs should continue to go out your internet link.
str8eiht
12-10-2004, 04:55 AM
Ahh, ok, that makes sense. I did see a 1760 on eBay; it was at 800 or so, and it's used.
Still a price premium on them as they are for enterprise setups.
Totally transparent, at least the way we do it (I don't configure the VPN tunnels, but I do work on them and troubleshoot them). The tunnels hang out, ready for action whenever anyone wants to send traffic across them. We do not have them go down when the link is idle and then come back up when traffic triggers them, which I believe is an option.
Excellent, that's exactly what I was hoping for. Thanks very much for answering that question.
Are the warehouse clients using public or private IPs (guessing private)? Are they on a different network than the main office, IP-space-wise? The easiest way to do this is, say, make the HQ a 172.16.x.x setup, with the warehouse at 192.168.1.x sort of config.
Right now no IP addressing has been set up for the warehouse clients; the computers there don't even have monitors yet! But I'll follow your suggestions as for setting up the address space on Class B and Class C private (or Class A) and then route between them. I've read in other online articles that this is the way to go about it, and that having them on the same IP address range or even subnet can cause problems. I'm glad you confirmed it.
Then you put static routes on your routers pointing anything for 172.16.0.0/16 at the warehouse across the VPN to HQ, and anything for 192.168.1.0/24 at the office across the VPN to the warehouse. All other traffic going to public IPs should continue to go out your internet link.
Ahh, good stuff. I'm well familiar with static routes from my Cisco CCNA course this year. I'll only need to add them on the Win2k server for the main office site, as the other clients don't need access to the warehouse and the warehouse doesn't need access to them.
This should do it, I reckon, when it's all set up:
route add -p 172.16.1.0 mask 255.255.255.0 *PUBLIC IP HERE*
Do you know if the Linksys RV042 otherwise functions as a normal internet NAT router? I'm asking because I will be plugging the main office clients into it as well, for regular internet access. I assume that the RV042 router can provide normal NAT internet services to clients outside of the IPSEC tunnel it has to the warehouse site...
Thanks very much for your help and suggestions.
Darkstar850
12-10-2004, 04:47 PM
Ahh, good stuff. I'm well familiar with static routes from my Cisco CCNA course this year. I'll only need to add them on the Win2k server for the main office site, as the other clients don't need access to the warehouse and the warehouse doesn't need access to them.
This should do it, I reckon, when it's all set up:
route add -p 172.16.1.0 mask 255.255.255.0 *PUBLIC IP HERE*
You shouldn't need to put any static routes on the server. Put them on the routers (I may have misunderstood you, and this is what you intended). The server is forwarding all of its non-internal traffic to that router, right?
Is the warehouse going to need internet traffic?
Do you know if the Linksys RV042 otherwise functions as a normal internet NAT router? I'm asking because I will be plugging the main office clients into it as well, for regular internet access. I assume that the RV042 router can provide normal NAT internet services to clients outside of the IPSEC tunnel it has to the warehouse site...
Thanks very much for your help and suggestions.
I would imagine that it functions as a normal NAT router. It looks like they intend it as a sort of all-in-one SOHO type of VPN unit. I would recommend buying something like this somewhere you can return it easily, like a retail store or network hardware vendor. You may pay a bit more, but returning things bought online can be a real pain, and this is definitely something you'll want to try out and make sure it's working for you correctly.
I would get the pair of them and see if you can set them up in a test situation, like maybe at your place and a friend's place that has broadband. This is why: with the lower-end SOHO equipment I haven't seen the level of granular configuration that is good for a b2b VPN config, such as routing some traffic over the tunnel and some not. The ones I have used seem more intended for remote individual user connections than branch tunnels. Make sure you can specify what networks are routed over the tunnel, and that all other traffic simply goes to the internet.
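The split-routing scheme the thread settles on (only the far site's subnet goes across the tunnel, everything else goes out the local internet link, and the two sites must not share an address range), as an added example that is not part of the original posts and is not Linksys or RV042 configuration: a Python model of each VPN router's table using longest-prefix match, the same selection a real router performs. The addressing (HQ on 172.16.0.0/16, warehouse on 192.168.1.0/24) follows Darkstar850's suggestion; the "lan"/"tunnel"/"wan" next-hop labels, and the option to build the warehouse table with no default route at all since the warehouse needs no internet access, are assumptions for illustration.

```python
"""Site-to-site VPN split routing modelled as a longest-prefix-match table.

Added example, not from the forum thread and not RV042 configuration.
Assumes the addressing plan proposed in the thread: HQ on 172.16.0.0/16,
warehouse on 192.168.1.0/24, each site with its own internet link.
"""
import ipaddress

# Constructed addressing plan (assumption; the thread had not assigned
# addresses to the warehouse yet).
HQ_LAN = ipaddress.ip_network("172.16.0.0/16")
WAREHOUSE_LAN = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_table(local_lan, remote_lan, internet=True):
    """Routing table for one site's VPN router as (prefix, next hop) pairs.

    The remote site's subnet is the only thing pointed into the tunnel.
    With internet=False there is no default route, so anything that is not
    one of the two sites is simply unroutable (the warehouse case).
    """
    table = [
        (local_lan, "lan"),      # directly connected
        (remote_lan, "tunnel"),  # IPsec tunnel to the other site
    ]
    if internet:
        table.append((DEFAULT, "wan"))  # ordinary NAT out the internet link
    return table


def lookup(table, dst):
    """Pick the next hop for dst by longest-prefix match; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def check_no_overlap(*lans):
    """Return the pairs of site subnets that overlap (an empty list is what
    you want; overlapping ranges make the tunnel routes ambiguous)."""
    bad = []
    for i, a in enumerate(lans):
        for b in lans[i + 1:]:
            if a.overlaps(b):
                bad.append((a, b))
    return bad


HQ_TABLE = build_table(HQ_LAN, WAREHOUSE_LAN)
WAREHOUSE_TABLE = build_table(WAREHOUSE_LAN, HQ_LAN, internet=False)

if __name__ == "__main__":
    for dst in ("172.16.1.10", "192.168.1.20", "8.8.8.8"):
        print(f"HQ        -> {dst}: {lookup(HQ_TABLE, dst)}")
        print(f"warehouse -> {dst}: {lookup(WAREHOUSE_TABLE, dst)}")
    # Sanity check for the address plan, then the failure mode the thread
    # warns about: both sites on the same 192.168.1.0/24.
    print("overlaps in plan:", check_no_overlap(HQ_LAN, WAREHOUSE_LAN))
    print("same range both sides:", check_no_overlap(WAREHOUSE_LAN, WAREHOUSE_LAN))
```

Run it as a script to see which next hop each destination gets at each site. The point to carry over to the real boxes: the only route that should name the tunnel is the far site's subnet, the default route at HQ stays on the WAN, and the warehouse can be left with no default route at all if it truly needs nothing but the office server.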
str8eiht
12-10-2004, 09:00 PM
Is the warehouse going to need internet traffic?
Nope, just access to the main office server. Easy enough.
I would recommend buying something like this somewhere you can return it easily, like a retail store or network hardware vendor.
Yeah, the cats we're buying from won't let us return, which is a pain, but at this point I'm near sure these devices will do what we need them to.
I would get the pair of them and see if you can set them up in a test situation, like maybe at your place and a friend's place that has broadband. This is why: with the lower-end SOHO equipment I haven't seen the level of granular configuration that is good for a b2b VPN config, such as routing some traffic over the tunnel and some not.
That's exactly what me and my biz partner are going to do initially; gonna set up a tunnel between my home network and his. Good advice, right?!
The ones I have used seem more intended for remote individual user connections than branch tunnels. Make sure you can specify what networks are routed over the tunnel, and that all other traffic simply goes to the internet.
Cisco or SonicWall, or someone else? I'm interested to know what other people are using for their VPN solutions.