VPNs between sites?

TechieSooner

Any easy way to do this?

Basically I've got a mix of some good (Cisco) routers and some cheapie ones (Netopia, etc)... haven't gotten the VPNs to play well between those.


So, are there any hardware VPNs I can stick on the inside of each network to connect them all in to the HQ network?
What works well/easy/simple?
 
Getting different brands of devices to play nicely for VPNs can be tricky. The logging capabilities of the devices usually will guide you in the right direction to resolving setup issues, but every brand/device has its quirks.

If at all possible, I try to stick to the same brand. It may mean spending a little bit more, but it is usually worth it with the savings in time spent to set them up.

That being said, I like Cisco ASA devices for business-to-business connections. If you ever need to connect to a third party, the Cisco devices seem to play well with most everything. But, I have used pretty much all of the major brands to accomplish this goal as well.
 
I use a Netgear FVX538 at my main office and have FVS114's at all of our remote sites.

The VPN works great and is pretty stable.

I am quite satisfied by this setup.
 
I like working with the Juniper NetScreen firewall/VPN devices. I've used most of the range right from the baby 5GT up to the ISG2000. Hankering after getting my hands on one of the newer SSG devices too. They are a doddle to set up, seem to work very well, and in my experience are very reliable pieces of equipment.
 
Budget line..the Linksys/Cisco RV0 series does pretty well. The occasional reboot to bring the tunnel back up.

Getting more expensive...Sonicwall and Juniper appliances. Rock solid...pricey

Access to any older hardware? Can do some *nix distro routers...so basically a cost of .."free".
 
Easiest would be to set up Cisco EZ-VPN Server at your home base and then configure the rest of the devices as EZ-VPN Clients. You can buy Cisco hardware VPN clients like the 3002 for cheap on eBay but they are discontinued. Or you can buy some cheap ASA5505s for the branch offices and just use those for the hardware VPN client, or replace your firewall, too.
 
How would all of these work INSIDE another network?

Serving 2-3 clients at each remote location, buying all-cisco routers isn't the best option as far as cost effectiveness goes.

However if there was a device I can stick inside each network, point them each to the IP of the HQ... That'd be ideal...
 
That's what the EZ-VPN is for. You set an outside port on your internet switch, inside port to your LAN, set up routes on your routers to point the remote network to the VPN concentrator. This would be assuming you have an extra public IP for the remote sites. I suppose you could do some static NAT translations for the VPN device to sit behind your internet router . . .
 
I've got an 11 node stable VPN set up between a PIX506E at the corp office and a mix of older Linksys BEFVP41's and newer Linksys RV082's. **knock on wood** It's been almost bulletproof for the past 3.5 years. If you want some insight or setup help lemme know.
 
I use a Netgear FVX538 at my main office and have FVS114's at all of our remote sites.

The VPN works great and is pretty stable.

I am quite satisfied by this setup.

Budget line..the Linksys/Cisco RV0 series does pretty well. The occasional reboot to bring the tunnel back up.
$180 a bit more reasonable... Looking at the product page though I can't find it... but this works internally to the network as well? Designed as a router- just not quite sure how well it would translate to internal network.

Getting more expensive...Sonicwall and Juniper appliances. Rock solid...pricey

Access to any older hardware? Can do some *nix distro routers...so basically a cost of .."free".
Like this EX-750 model from Sonicwall?
Don't have that many old PCs laying around...

Easiest would be to set up Cisco EZ-VPN Server at your home base and then configure the rest of the devices as EZ-VPN Clients. You can buy Cisco hardware VPN clients like the 3002 for cheap on eBay but they are discontinued. Or you can buy some cheap ASA5505s for the branch offices and just use those for the hardware VPN client, or replace your firewall, too.
Ouch- $350 EACH for ASA5505....

I've got a question though. The HQ router is an 2801 with the security bundle/advanced security thing.

Can this already serve as the endpoint for the HQ office at least? As the server?
 
Hire a consultant.

or

Create a hub and spoke with the HQ (hopefully Cisco) terminating all the L2L tunnels. At the sites that don't have Cisco routers to terminate the VPN tunnels, just use a Linux box with Openswan, it's pretty easy. Draw it out, lab it up and do it.
 
I've got a question though. The HQ router is an 2801 with the security bundle/advanced security thing.

Can this already serve as the endpoint for the HQ office at least? As the server?

Should be able to. I haven't configured one personally, but from what I'm aware, it will work.
 
If it has the sec package, it can do L2L tunnels and should be sufficient and easy to set up.
 
If you post a show ver of that router I can tell you whether or not it supports VPN. If it has the right security bundle then yes, you can use it as a VPN terminator and set up the EZ-VPN server.

Here's a link to the EZ-VPN stuff on Cisco's site. They even have some configuration examples.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html

Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 02:59 by alnguyen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

c2801 uptime is 4 weeks, 1 day, 12 hours, 4 minutes
System returned to ROM by power-on
System image file is "flash:c2801-advsecurityk9-mz.124-3g.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2801 (revision 7.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1125Z050
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
 
advanced security bundle = you are good to go.

Do you have an active SmartNet on that thing? If so, you can just call Cisco TAC if you have problems configuring the thing and they will walk you through getting it set up or just take control and set it up for you for free. Cisco has some of the best support in the biz . . . of course you pay for it too . . . . :D
 
advanced security bundle = you are good to go.

Do you have an active SmartNet on that thing? If so, you can just call Cisco TAC if you have problems configuring the thing and they will walk you through getting it set up or just take control and set it up for you for free. Cisco has some of the best support in the biz . . . of course you pay for it too . . . . :D

OK- so they can all connect to the same VPN configuration?
The router already utilizes one VPN- this won't interfere will it?
 
Got a question about these....

So, the 192.168.1.X networks are all remote.
192.168.0.X is the HQ network.


I'd assume that all traffic that is determined to be on the 192.168.0.X would go through the VPN here.
1) What dictates what is sent through the VPN device and what isn't?
2) What about DNS? Let's say untangle.domain.local is at HQ (for them to release their spam). The problem is the remote network doesn't know what the heck untangle.domain.local is... unless you use DNS. And the only server that knows what that is is the DNS server for the HQ.

Won't I have some DNS issues here? Seems to me almost all the traffic would end up going through the VPN at that point...
 
Each network/subnet connected via the VPN must be unique.

For DNS, if each site has its own DNS server, it can be configured to forward requests for a particular domain to another server.
 
Got a question about these....

So, the 192.168.1.X networks are all remote.
192.168.0.X is the HQ network.


I'd assume that all traffic that is determined to be on the 192.168.0.X would go through the VPN here.
1) What dictates what is sent through the VPN device and what isn't?

You're getting IP schemes and routing confused. Your FW/Router that controls the VPN can ONLY route between subnets. As an example, this is how I have my hub/spoke VPN schemed:

Code:
Work:
10.0.0.X/24 Main Office
192.168.Y.X/24 (Y=Store Number) 11 Retail Locations - VPN'd to main office

Home network is 192.168.31.X

I assume that you are using 255.255.255.0 for a subnet mask. Again, assuming that you want to use a 192.168 network, you'll need to shift the X variable to the left one octet, using 192.168.0.x for the office and 192.168.Y.X, where Y is any number other than 0. The short version is that your remote can't be schemed on the same segment as the office. The router can distinguish between a 192.168.0.x network and a 192.168.1.x network. Make sense?
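As an added worked example (not from anyone in this thread), the two points made above, that every site's subnet must be unique and that the VPN router decides what goes into the tunnel purely by destination subnet, can be checked with a few lines of Python. The site names and the /24 per site are assumptions modelled on the hub/spoke scheme described in the post.

```python
import ipaddress

# Constructed hub-and-spoke addressing plan (assumed names, modelled on
# "192.168.0.x for the office, 192.168.Y.x for each remote site").
SITES = {
    "hq":     "192.168.0.0/24",
    "store1": "192.168.1.0/24",
    "store2": "192.168.2.0/24",
}

def find_overlaps(sites):
    """Return every pair of sites whose subnets overlap.

    Any pair returned here breaks the design: the router can only route
    between distinct subnets, so two sites on the same segment cannot be
    told apart and traffic between them will never enter the tunnel.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def next_hop(local_site, dst_ip, sites):
    """Decide, from one site's point of view, where a packet goes.

    This is the same longest-prefix routing decision the VPN router makes:
    ("local", None) if the destination is on this site's own LAN,
    ("vpn", <site>) if it belongs to another site reached via the hub,
    ("internet", None) for anything not covered by a site subnet.
    """
    dst = ipaddress.ip_address(dst_ip)
    matches = [(name, ipaddress.ip_network(cidr))
               for name, cidr in sites.items()
               if dst in ipaddress.ip_network(cidr)]
    if not matches:
        return ("internet", None)
    name, _ = max(matches, key=lambda m: m[1].prefixlen)
    if name == local_site:
        return ("local", None)
    return ("vpn", name)

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))          # [] for the plan above
    print(next_hop("store1", "192.168.0.10", SITES))  # ('vpn', 'hq')
    print(next_hop("store1", "192.168.1.50", SITES))  # ('local', None)
```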
 