Cisco RV130W site-to-site VPN within one private network

Czesław Liebert

Here's the scenario:

We have two offices, O1 and O2. O1 has internet access, O2 has none. We managed to get one of the local ISPs to join them using optical fiber, but it does not go straight from O1 to O2, but from O1 to the ISP and then from the ISP to O2. The ISP has separated two ports on his switch from the rest of his network and made that "tunnel" transparent in such a way that if I connect the LAN cable from the media converter at O1 to that office's network and do the same at O2, I get one private network with the same subnet, with O2 using the internet connection from O1 - the locations are bridged. However, my boss came up with the idea that we are to have a secure connection between those points so that the ISP cannot peep inside our network.

I thought that creating a VPN site-to-site tunnel would be a good idea. I have two RV130Ws at my disposal and am in doubt. Since the tunnel is transparent and has no IP address of its own, how am I to set up the WAN ports on those RVs? I can assign them WAN IPs, but what about the gateways' IPs? Another thing is, how do I make O2 use the gateway of O1 to have internet access, since the subnets have to be different in those two locations when using a VPN? Is such a scenario even possible with a VPN? :SIGH:

Help! Anybody!
 
There are much better options than VPNs. Because the 2 sites are bridged (layer 2 or layer 1), you can create a tunnel instead of a VPN. Unless you use the very expensive Cisco, the Cisco RV series have limited functionality in this manner. While I would obviously recommend MikroTik, my reason for suggesting it is that it has many options you can use in creating an encrypted tunnel over layer 2, in which case the IP addresses are not important, since the tunnel is done in layer 2, or layer 3 if you want, with the kind of encryption you want.
http://wiki.mikrotik.com/wiki/Manual:Interface shows a bunch of features supported in this case and examples. If your ISP has bridged 2 ports, then you should have wire-speed bandwidth between sites, in which case you will either need a powerful CPU to handle the VPN speed, even to access the internet from one site, so using a tunnel is a much better option. Some Routerboards, especially PPC- and TILE-based ones, also include hardware encryption acceleration.

Configuring this would be much easier if you drew diagrams of how you want your networks to function. If using a layer 2 tunnel, you can configure your primary router to handle all the DHCP and NAT work and be the gateway. In order for this to work properly, the 2nd router would need a static IP address. I'm not sure if it's possible with the Cisco RV series, but in RouterOS you can configure the ports any way you like and switch or bridge them. When using RouterOS, all you would have to do is create an encrypted tunnel over an unswitched Ethernet port connected to the media converter (or you can use an SFP interface instead) and bridge the tunnel to a switch/switched port. The only way this will work from RouterOS is if both sites are using RouterOS, or one site uses RouterOS while the other uses a router that supports the protocol from RouterOS you want to use.

Routerboards perform layer 2 much faster; for example, MIPS-based devices can perform gigabit L3 routing and L2 bridging, but their speeds are only within the hundreds of Mb/s for NAT. If you don't want to spend much, consider checking the MIPS CPU model of a Routerboard to see the type and availability of hardware encryption, if present, which would require some research since it is unlikely to be mentioned on the Routerboard website. They also have a PPP server scanner, so if you created a PPP server it will be searchable and you can connect to it from the other site just by searching for it.

The Cisco RV series are basically Cisco's consumer router variant, unlike their higher-end, more expensive ones that are configurable like RouterOS and Ubiquiti. The higher-end Ciscos also have a lot more performance to handle the configurability and features, but they really cost a lot more.
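
One way to build the bridged, encrypted tunnel described in the reply above, as an added example that is not part of the original thread. It assumes RouterOS on both routers and picks EoIP with an IPsec secret as the tunnel type (the reply does not name one); the interface names, the 10.255.255.0/30 link addresses, the 192.168.1.0/24 LAN, the tunnel ID and the secret are all placeholders.

```routeros
# --- O1 router (primary: keeps doing DHCP, NAT and acting as the gateway) ---
# Assumed ports: ether1 faces the ISP media converter, ether2 faces the office LAN.
# ether1 is deliberately NOT a bridge member, so only IPsec-protected
# tunnel packets ever cross the ISP's switch.
/ip address add address=10.255.255.1/30 interface=ether1 comment="link to O2 via ISP fiber"
/interface eoip add name=eoip-o2 local-address=10.255.255.1 remote-address=10.255.255.2 tunnel-id=10 ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no
/interface bridge add name=br-lan
/interface bridge port add bridge=br-lan interface=ether2
/interface bridge port add bridge=br-lan interface=eoip-o2

# --- O2 router (mirror image; no DHCP server or NAT here) ---
/ip address add address=10.255.255.2/30 interface=ether1 comment="link to O1 via ISP fiber"
/interface eoip add name=eoip-o1 local-address=10.255.255.2 remote-address=10.255.255.1 tunnel-id=10 ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no
/interface bridge add name=br-lan
/interface bridge port add bridge=br-lan interface=ether2
/interface bridge port add bridge=br-lan interface=eoip-o1
# Static management address on the shared LAN (placeholder subnet), as the
# reply notes the second router needs a static IP.
/ip address add address=192.168.1.2/24 interface=br-lan
```

The /30 addresses exist only between the two routers so the tunnel endpoints can reach each other; clients in both offices stay in one subnet and O2 reaches the internet through O1's gateway across the bridge.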
 