Router to Router VPNs? What Routers?

TechieSooner

I've got a Cisco 2801 as my main router at the HQ office, with the security pack on it. I've been using the client VPN software, which works FANTASTIC (only sends traffic that needs to go down the VPN across the VPN). It's just slow as can be. I'd like to run an App across it (installs locally, but would query across VPN) and it takes literally 3 minutes to run the query (Instant on the HQ LAN).

So my question is what kind of router would interface well with this to do some router to router VPNs?
I'd prefer to do it cheaply, as all my remote offices are just little offices. I don't want to pour a ton of money for just a handful of users per office.

I've got about 10 remote offices I need to hook up to HQ.

Also, I love the feature (do not recall what Cisco calls it) that just sends the traffic down the VPN... No need to screw with the access lists and all that.

What do you all suggest?
 
what routers do your remote offices have today?

Also, I love the feature (do not recall what Cisco calls it) that just sends the traffic down the VPN... No need to screw with the access lists and all that.

that's just the nature of a client VPN.
 
what routers do your remote offices have today?
Misc ones that I get from AT&T when they hook the DSL up. I've tried creating the tunnels with them before but it's just no dice.



that's just the nature of a client VPN.
Do any site to site VPNs work this way too, without having to configure it all manually?
 
Misc ones that I get from AT&T when they hook the DSL up. I've tried creating the tunnels with them before but it's just no dice.

You might want to look into the ASA 5505. They are the cheapest Cisco FWs available, but should be plenty fine if your remote sites are as small as I'm assuming they are. They only cost about $400 a pop with the basic license, which includes up to 10 IPsec VPN peers, of which you should only need 1 to get back to your headquarters. Of course, your HQ VPN will require the ability to have peers with all of your remote sites.

Do any site to site VPNs work this way too, without having to configure it all manually?

No, site-to-site VPNs require some form of match criteria, unless you use a GRE tunnel inside the IPsec. In that case, you can make your GRE criteria the VPN criteria, and simply route across the GRE to encrypt any traffic. When connecting via client VPN software, the end router gives the client the information it needs to automatically route traffic across that tunnel.


edit: pricing based on Newegg pricing.
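To make the "match criteria" point concrete, here is an added IOS configuration sketch (not from this thread or any poster) for the HQ side, showing the two alternatives just described: a plain IPsec crypto map whose ACL decides what is encrypted, versus GRE over IPsec where the routing table decides. The two options are alternatives, not meant to be deployed together; the public addresses (198.51.100.1 for HQ, 203.0.113.2 for the branch), subnets, names and the placeholder pre-shared key are all assumptions, and the branch router needs the mirror-image config.

```cisco
! Option A: plain IPsec site-to-site. The crypto ACL is the "match criteria":
! only packets it permits are encrypted, everything else leaves in the clear.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK-CHANGE-ME address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TO-BRANCH1
 permit ip 10.1.0.0 0.0.255.255 10.11.0.0 0.0.0.255
!
crypto map CM-BRANCH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address VPN-TO-BRANCH1
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-BRANCH
!
! Option B: GRE over IPsec. The crypto ACL now matches only the GRE packets
! between the two public addresses, so the routing table (not the ACL)
! decides which subnets are protected: whatever is routed into Tunnel11.
interface Tunnel11
 ip address 172.16.11.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
ip access-list extended GRE-TO-BRANCH1
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map CM-BRANCH 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address GRE-TO-BRANCH1
!
! Route a subnet into the tunnel (or run a routing protocol over it) to protect it
ip route 10.11.0.0 255.255.255.0 Tunnel11
```

With option B, `show crypto ipsec sa` shows a single GRE/GRE proxy identity per branch rather than one per subnet pair, which is what makes adding subnets a routing change instead of a crypto ACL change.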
 
You might want to look into the ASA 5505. They are the cheapest Cisco FWs available, but should be plenty fine if your remote sites are as small as I'm assuming they are. They only cost about $400 a pop with the basic license, which includes up to 10 IPsec VPN peers, of which you should only need 1 to get back to your headquarters. Of course, your HQ VPN will require the ability to have peers with all of your remote sites.


Yea either look at the ASA or the 871. Either should fit the bill.
 
Of course, your HQ VPN will require the ability to have peers with all of your remote sites.
How do you tell? Here's my sh ver
Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 06-Nov-06 02:59 by alnguyen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

c2801 uptime is 4 weeks, 1 day, 12 hours, 4 minutes
System returned to ROM by power-on
System image file is "flash:c2801-advsecurityk9-mz.124-3g.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2801 (revision 7.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1125Z050
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
 
I would go with either the ASA5505 or the 871 routers. The nice thing is, if your remote sites don't have static IPs you could set up the 2801 to be an EZ VPN server and the remote sites to be EZ VPN clients. I've done this a few times before and it works pretty slick: you just punch in the IP of the EZ VPN server, the clients connect and pull their tunnel configs from the server, and the tunnel comes up.

You should be fine on the licensing for your 2801 since you have the VPN module.

The term you are looking for is "split-tunneling" on the VPN Client.

The site-to-site VPN tunnels you can either set up to only tunnel and protect "interesting" traffic, or you can force them to tunnel all traffic to the HQ. That would be useful if you wanted to use something like a central URL filter.
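As an added illustration of the EZ VPN server and split-tunneling points above (example config, not posted by anyone in this thread), here is what the HQ side of an IOS Easy VPN server looks like, with the split-tunnel ACL that is pushed to each client. The pool range, group and list names, HQ subnet 10.1.0.0/16, interface address and the placeholder secrets are all assumptions; the 871s would be configured as Easy VPN hardware clients pointing at 198.51.100.1.

```cisco
! Addresses handed to connecting EZVPN clients (constructed example range)
ip local pool EZVPN-POOL 10.250.0.1 10.250.0.254
!
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username branchuser secret PLACEHOLDER-PASSWORD-CHANGE-ME
!
! Easy VPN clients negotiate with DH group 2, so the policy must offer it
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
!
! Split-tunnel list: only destinations permitted here are pushed to the
! client as routes into the tunnel. Everything else (web browsing etc.)
! leaves the remote site directly and is NOT inspected at HQ. Remove the
! "acl" line from the group below to force all traffic through HQ instead.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.255.255 any
!
crypto isakmp client configuration group BRANCHES
 key PLACEHOLDER-GROUP-PSK-CHANGE-ME
 pool EZVPN-POOL
 acl SPLIT-TUNNEL
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Dynamic map: the remote peers' public addresses are unknown (DSL, dynamic IPs)
crypto dynamic-map EZVPN-DYN 10
 set transform-set TS-AES
 reverse-route
!
crypto map CM-EZVPN client authentication list EZVPN-XAUTH
crypto map CM-EZVPN isakmp authorization list EZVPN-GROUP
crypto map CM-EZVPN client configuration address respond
crypto map CM-EZVPN 10 ipsec-isakmp dynamic EZVPN-DYN
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-EZVPN
```

`reverse-route` injects a route for each connected client's assigned address into the HQ routing table, which is what lets HQ hosts reach a branch without static routes for every site.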
 
The cheapest ASA5505 is still pretty pricey. Albeit, it's a good option if you don't mind spending a lot of money.

Check out the Cisco 500 series: http://www.cisco.com/en/US/products/ps9305/index.html

IMO, if you have never used a Cisco firewall before, it might take some getting used to when first using one. The configuration is a bit different than a Cisco router/IOS device, but not too much different.
 
Cheaply, the Linksys/Cisco RV0 line does IPSec VPN tunnels. They work fine with Cisco units on the other end.
 
Cheaply, the Linksys/Cisco RV0 line does IPSec VPN tunnels. They work fine with Cisco units on the other end.

I just set up a site-to-site VPN using an RV082 and an RV042 and can confirm they work well. The client didn't have the cash for the ASA solution. This could definitely work for your remote sites.
 
The term you are looking for is "split-tunneling" on the VPN Client.

The site-to-site VPN tunnels you can either set up to only tunnel and protect "interesting" traffic, or you can force them to tunnel all traffic to the HQ. That would be useful if you wanted to use something like a central URL filter.
That's exactly what I was looking for.

So in the EasyVPN Server, I can use split tunneling with, say, the RV0?


Cheaply, the Linksys/Cisco RV0 line does IPSec VPN tunnels. They work fine with Cisco units on the other end.
http://www.cdw.com/shop/products/default.aspx?EDC=557414
CDW pricing I know, so obviously I could get cheaper, but this is more the range I was looking for. Most sites would be fine with the 4-port, but I'd just allow for expansion a little bit.
Assuming it does QoS, NAT and all that.
Would the RV0 series work with the EasyVPN Client/Server?
 
I don't know if the RV0 firewalls will do the EasyVPN stuff. I am pretty sure you need to have a Cisco firewall, router or a VPN 3000 to be the client.

They should be just fine for manual site-to-site VPN tunnels, though.
 
I don't know if the RV0 firewalls will do the EasyVPN stuff. I am pretty sure you need to have a Cisco firewall, router or a VPN 3000 to be the client.

They should be just fine for manual site-to-site VPN tunnels, though.

Let me ask this: why are the client VPNs so freaking slow? Is it the "EasyVPN" stuff or is it just the fact each client is authenticating and such?
 
Let me ask this: why are the client VPNs so freaking slow? Is it the "EasyVPN" stuff or is it just the fact each client is authenticating and such?

VPN tunnel speed is dependent on many factors. How fast is the main office connection up/down? How fast is the client connection up/down? If you only have 800Kbps upstream at the main office, then that is the max you can download from it on the other end of the tunnel. If you have a lot of web traffic going on as well, then that will further degrade the performance of the VPN.
 
VPN tunnel speed is dependent on many factors. How fast is the main office connection up/down? How fast is the client connection up/down? If you only have 800Kbps upstream at the main office, then that is the max you can download from it on the other end of the tunnel. If you have a lot of web traffic going on as well, then that will further degrade the performance of the VPN.

I guess I should have asked, is the site to site faster than the client to server? I'd assume so.

800K is the max I'd get with all connections considered, but even running the simple query it needs to run takes forever.
 
I guess I should have asked, is the site to site faster than the client to server? I'd assume so.

800K is the max I'd get with all connections considered, but even running the simple query it needs to run takes forever.

I honestly don't know for sure. I doubt there would be a perceivable performance increase from one to the other. Basically just overhead would be the only difference.

What application are you trying to run over a VPN? You simply aren't going to get acceptable performance unless you have like a 10Mbps up/down connection at both sites. Have you thought about Terminal Services?
 
I guess I should have asked, is the site to site faster than the client to server? I'd assume so.

Most of the time..."Yes".

Software VPN clients have more overhead; they're less efficient. When done in hardware...it's all...well, up to the router's CPU and memory...it's dedicated hardware. The difference in performance varies a lot, but when comparing the same endpoint router to another endpoint router versus a software VPN client on the same bandwidth...you'll usually find the dedicated hardware does it better. You also usually have more options with dedicated hardware on each end.
 
Most of the time..."Yes".

Software VPN clients have more overhead; they're less efficient. When done in hardware...it's all...well, up to the router's CPU and memory...it's dedicated hardware. The difference in performance varies a lot, but when comparing the same endpoint router to another endpoint router versus a software VPN client on the same bandwidth...you'll usually find the dedicated hardware does it better. You also usually have more options with dedicated hardware on each end.
Yea, and right now the main thing I'd use all those features for is the VPN.

What application are you trying to run over a VPN? You simply aren't going to get acceptable performance unless you have like a 10Mbps up/down connection at both sites. Have you thought about Terminal Services?

I guess that's true. May just need to stick with the software VPN and not try running apps across it.
 
You could use the hardware VPN, just instruct the users to use TS or something. You could always set up a terminal server at the main office that everyone dials into. I'm sure you have a few thousand dollars laying around that you need to burn :D
 
The RemoteApp stuff in Server 2008 Terminal Services is pretty nice. I just set up a bunch of my sites to use it, but it definitely isn't cheap.

For hardware VPNs, we use a Cisco 2801 with about 15 Cisco 871 routers. The solution works very well with either static or dynamic public addresses.
 