VPNs between sites?

Discussion in 'Networking & Security' started by TechieSooner, Jun 3, 2008.

  1. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    Any easy way to do this?

    Basically I've got a mix of some good (Cisco) routers and some cheapie ones (Netopia, etc)... haven't gotten the VPNs to play well between those.

    So, are there any hardware VPNs I can stick on the inside of each network to connect them all in to the HQ network?
    What works well/easy/simple?
     
  2. MorfiusX (2[H]4U; Messages: 3,007; Joined: Feb 13, 2004)
    Getting different brands of devices to play nicely for VPNs can be tricky. The logging capabilities of the devices usually will guide you in the right direction to resolving setup issues, but every brand/device has its quirks.

    If at all possible, I try to stick to the same brand. It may mean spending a little bit more, but it is usually worth it with the savings in time spent to set them up.

    That being said, I like Cisco ASA devices for business-to-business connections. If you ever need to connect to a third party, the Cisco devices seem to play well with most everything. But, I have used pretty much all of the major brands to accomplish this goal as well.
     
  3. LoStMaTt (2[H]4U; Messages: 3,182; Joined: Feb 26, 2003)
    I use a Netgear FVX538 at my main office and have FVS114's at all of our remote sites.

    The VPN works great and is pretty stable.

    I am quite satisfied by this setup.
     
  4. atomiser (Gawd; Messages: 619; Joined: Jun 12, 2004)
    I like working with the Juniper NetScreen firewall/VPN devices. I've used most of the range, right from the baby 5GT up to the ISG2000. Hankering after getting my hands on one of the newer SSG devices too. They are a doddle to set up, seem to work very well, and in my experience are very reliable pieces of equipment.
     
  5. YeOldeStonecat ([H]ardForum Junkie; Messages: 11,330; Joined: Jul 19, 2004)
    Budget line: the Linksys/Cisco RV0 series does pretty well. The occasional reboot to bring the tunnel back up.

    Getting more expensive: SonicWall and Juniper appliances. Rock solid... pricey.

    Access to any older hardware? Can do some *nix distro routers... so basically a cost of "free".
     
  6. Captain Colonoscopy (2[H]4U; Messages: 3,861; Joined: Feb 19, 2004)
    Easiest would be to set up a Cisco EZ-VPN Server at your home base and then configure the rest of the devices as EZ-VPN Clients. You can buy Cisco hardware VPN clients like the 3002 for cheap on eBay, but they are discontinued. Or you can buy some cheap ASA5505s for the branch offices and just use those for the hardware VPN client, or replace your firewall, too.
     
  7. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    How would all of these work INSIDE another network?

    Serving 2-3 clients at each remote location, buying all-cisco routers isn't the best option as far as cost effectiveness goes.

    However if there was a device I can stick inside each network, point them each to the IP of the HQ... That'd be ideal...
     
  8. Captain Colonoscopy (2[H]4U; Messages: 3,861; Joined: Feb 19, 2004)
    That's what the EZ-VPN is for. You set an outside port on your internet switch, inside port to your LAN, and set up routes on your routers to point the remote networks to the VPN concentrator. This would be assuming you have an extra public IP for the remote sites. I suppose you could do some static NAT translations for the VPN device to sit behind your internet router . . .
     
  9. FlatLine84 ([H]ard|Gawd; Messages: 1,521; Joined: Apr 7, 2005)
    Smoothwall's solution is retardedly simple to set up.
     
  10. Nate7311 (2[H]4U; Messages: 3,312; Joined: Jan 11, 2001)
    I've got an 11 node stable VPN set up between a PIX506E at the corp office and a mix of older Linksys BEFVP41's and newer Linksys RV082's. **knock on wood** It's been almost bulletproof for the past 3.5 years. If you want some insight or setup help lemme know.
     
  11. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    $180 a bit more reasonable... Looking at the product page though I can't find it... but this works internally to the network as well? Designed as a router- just not quite sure how well it would translate to internal network.

    Like this EX-750 model from SonicWall?
    Don't have that many old PCs laying around...

    Ouch- $350 EACH for ASA5505....

    I've got a question though. The HQ router is a 2801 with the security bundle/advanced security thing.

    Can this already serve as the endpoint for the HQ office at least? As the server?
     
  12. Rabidfox (Limp Gawd; Messages: 282; Joined: Oct 6, 2005)
    Hire a consultant.

    or

    Create a hub and spoke with the HQ (hopefully Cisco) terminating all the L2L tunnels. At the sites that don't have Cisco routers to terminate the VPN tunnels, just use a Linux box with Openswan; it's pretty easy. Draw it out, lab it up and do it.
     
  13. MorfiusX (2[H]4U; Messages: 3,007; Joined: Feb 13, 2004)
    Should be able to. I haven't configured one personally, but from what I'm aware, it will work.
     
  14. Rabidfox (Limp Gawd; Messages: 282; Joined: Oct 6, 2005)
    If it has the sec package, it can do L2L tunnels and should be sufficient and easy to set up.
     
  15. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    OK- so the Cisco devices would be easy enough to setup inside each network?
     
  16. Captain Colonoscopy (2[H]4U; Messages: 3,861; Joined: Feb 19, 2004)
  17. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(3g), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 06-Nov-06 02:59 by alnguyen

    ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

    c2801 uptime is 4 weeks, 1 day, 12 hours, 4 minutes
    System returned to ROM by power-on
    System image file is "flash:c2801-advsecurityk9-mz.124-3g.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to
    export@cisco.com.

    Cisco 2801 (revision 7.0) with 234496K/27648K bytes of memory.
    Processor board ID FTX1125Z050
    2 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    DRAM configuration is 64 bits wide with parity disabled.
    191K bytes of NVRAM.
    62720K bytes of ATA CompactFlash (Read/Write)

    Configuration register is 0x2102
     
  18. Captain Colonoscopy (2[H]4U; Messages: 3,861; Joined: Feb 19, 2004)
    advanced security bundle = you are good to go.

    Do you have an active SmartNet on that thing? If so, you can just call Cisco TAC if you have problems configuring the thing and they will walk you through getting it setup or just take control and set it up for you for free. Cisco has some of the best support in the biz . . . of course you pay for it too . . . . :D
     
  19. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    OK- so they can all connect to the same VPN configuration?
    The router already utilizes one VPN- this won't interfere will it?
     
  20. Captain Colonoscopy (2[H]4U; Messages: 3,861; Joined: Feb 19, 2004)
    Yeah, you can have multiple LAN2LAN tunnels set up and working. Just need to make sure they are set up right. :D
     
  21. TechieSooner ([H]ardness Supreme; Messages: 7,601; Joined: Nov 7, 2007)
    Got a question about these....

    So, the 192.168.1.X networks are all remote.
    192.168.0.X is the HQ network.


    I'd assume that all traffic that is determined to be on the 192.168.0.X would go through the VPN here.
    1) What dictates what is sent through the VPN device and what isn't?
    2) What about DNS? Let's say untangle.domain.local is at HQ (for them to release their spam). The problem is the remote network doesn't know what the heck untangle.domain.local is... unless you use DNS. And the only server that knows what that is is the DNS server for the HQ.

    Won't I have some DNS issues here? Seems to me almost all the traffic would end up going through the VPN at that point...
     
  22. MorfiusX (2[H]4U; Messages: 3,007; Joined: Feb 13, 2004)
    Each network/subnet connected via the VPN must be unique.

    For DNS, if each site has its own DNS server, it can be configured to forward requests for a particular domain to another server.
     
  23. Nate7311 (2[H]4U; Messages: 3,312; Joined: Jan 11, 2001)
    You're getting IP schemes and routing confused. Your FW/router that controls the VPN can ONLY route between subnets. As an example, this is how I have my hub/spoke VPN schemed:

    Code:
    Work:
    10.0.0.X/24 Main Office
    192.168.Y.X/24 (Y=Store Number) 11 Retail Locations - VPN'd to main office
    
    Home network is 192.168.31.X
    I assume that you are using 255.255.255.0 for a subnet mask. Again assuming that you want to use a 192.168 network, you'll need to shift the X variable to the left one octet, using 192.168.0.x for the office and 192.168.Y.X, where Y is any number other than 0. The short version is that your remote can't be schemed on the same segment as the office. The router can distinguish between a 192.168.0.x network and a 192.168.1.x network. Make sense?