VPN advice required

Hi guys. I work for a company that deals with retail/sales. We have 3 sites all running the same software, and currently the sites' networks are operating independently. Lately I have been considering how I could connect all 3 sites so as to be able to enquire about stock at other sites or to place orders to be despatched directly from another site's stock.

Security is obviously a concern, which is where VPN fits into it, but I have some questions about implementation.

The system we use is very low traffic - it's text/telnet based, so I was hoping to use our existing broadband connections. The 2 main sites are at most 60 miles apart, so latency won't be an issue either, which is what makes me think we could use our current broadband connections rather than a leased line.

As for the VPN, I am guessing this might be possible to implement at each server, but my idea was to connect the sites by using some VPN capable ADSL modem/routers. I was considering replacing our existing routers with a Linksys WAG54G2 at each site, but they don't support PPTP and I cannot install DD-WRT on them which causes a problem.

I will of course get a static IP for each site, but it may be the case that I can only have one static IP per site, which means I will have to use NAT. I read somewhere that IPSec does not work with NAT - can anyone confirm this? If it does not, then that means I cannot use the stock firmware, and it's not possible to flash DD-WRT onto these either. If I had to, I could get a bunch of WRT54GL and flash with DD-WRT/OpenVPN and plug that into the gateway, but I'd like to avoid the extra clutter/complication and flashing our office equipment in case anything went wrong.

So any suggestions for an ADSL2+ modem/router with PPTP VPN would be appreciated (not just passthrough). It also needs to be wireless (and if there is such a product from Linksys, I'd prefer that). Obviously since we will be buying 3 of them, a cheap price would also be good.

Issues aside, let's say that I was able to get enough static IP addresses. Is it possible for 2 sites to connect to the same host? What I'm thinking is, say site B is the server, would it be possible for site A and site C to both be connected to site B at the same time using VPN? Would it be possible in the stock Linksys firmware, or would it depend on the type of VPN (PPTP or IPSec)? In other words, can a VPN enabled router accept 2 different incoming connections at the same time, or am I going to have to find another way?

I am beginning to think it will be easier just to switch ISPs, get a bunch of static IPs and just run the stock Linksys firmware, providing it will do multi site VPN.

Any help would be appreciated as I'm getting pretty confused with all the options now.

There are plenty of routers that will handle multiple gateway-to-gateway VPN tunnels. Having static IPs at each site will make setup very easy.

The Linksys RV series is one that people seem to like. It doesn't have a built-in ADSL2+ modem, nor does it include wireless. I suggest, for widest selection, you use a separate modem, and perhaps the wireless, too.

The NAT/IPsec problem can occur if you have an IPsec client trying to connect behind a NAT router. Since the IPsec tunnels will end at the router, you won't have any issues with NAT and IPsec.
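The reply above makes the key point: a plain NAT router only has UDP/TCP port numbers to rewrite, and raw ESP (IP protocol 50) has none, which is why IPsec peers that detect a NAT in the path switch to UDP/4500 encapsulation (NAT-T). The following added example, which is not from the thread or from any Linksys firmware, builds a few constructed IPsec-related packets and classifies them by how a port-rewriting NAT would treat them. The site addresses and SPI values are made-up assumptions.

```python
"""Added example: classify IPsec-related IPv4 packets by NAT behaviour.

All packets below are constructed in-line; nothing is captured from a real network.
"""
import struct
from ipaddress import IPv4Address

PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
PORT_IKE = 500
PORT_NAT_T = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE messages sent on UDP/4500


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0, 0,                 # identification, flags/fragment offset
        64,                   # TTL
        proto,
        0,                    # header checksum (not needed for parsing)
        IPv4Address(src).packed,
        IPv4Address(dst).packed,
    )
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum left zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet: bytes) -> str:
    """Return one of: esp, ah, ike, natt-ike, natt-esp, other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto != PROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    udp_payload = payload[8:]
    if PORT_IKE in (sport, dport):
        return "ike"
    if PORT_NAT_T in (sport, dport):
        # IKE and ESP share UDP/4500. IKE is prefixed with four zero bytes (the
        # non-ESP marker); an ESP SPI is never zero, so the first word is the tell.
        return "natt-ike" if udp_payload[:4] == NON_ESP_MARKER else "natt-esp"
    return "other"


def nat_verdict(kind: str) -> str:
    """What a plain port-rewriting NAT router can do with each packet type."""
    return {
        "esp": "problem: no ports to rewrite or multiplex; needs ESP pass-through (one peer) or NAT-T",
        "ah": "fails: AH integrity covers the IP addresses that the NAT rewrites",
        "ike": "ok: UDP/500 translates like any UDP flow; peers detect the NAT and float to UDP/4500",
        "natt-ike": "ok: UDP/4500 gives the NAT ports to translate",
        "natt-esp": "ok: ESP carried inside UDP/4500 survives the NAT",
    }.get(kind, "n/a")


# Constructed sample traffic between two sites (addresses are assumptions).
SITE_A, SITE_B = "203.0.113.10", "198.51.100.20"

# Raw ESP: SPI 0x12345678, sequence 1, then opaque ciphertext bytes.
ESP_BODY = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
PKT_ESP = build_ipv4(PROTO_ESP, SITE_A, SITE_B, ESP_BODY)

# IKEv2 IKE_SA_INIT header: initiator SPI, zero responder SPI, next payload 33 (SA),
# version 2.0, exchange type 34, flags 0x08 (initiator), message ID 0, length 28.
IKE_HDR = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0, 28)
PKT_IKE = build_ipv4(PROTO_UDP, SITE_A, SITE_B, build_udp(500, 500, IKE_HDR))

# After NAT detection, IKE floats to UDP/4500 with the non-ESP marker in front.
PKT_NATT_IKE = build_ipv4(PROTO_UDP, SITE_A, SITE_B, build_udp(4500, 4500, NON_ESP_MARKER + IKE_HDR))

# ESP-in-UDP: the same ESP bytes, now behind a UDP header a NAT can rewrite.
PKT_NATT_ESP = build_ipv4(PROTO_UDP, SITE_A, SITE_B, build_udp(4500, 4500, ESP_BODY))

PKT_AH = build_ipv4(PROTO_AH, SITE_A, SITE_B, b"\x00" * 24)

if __name__ == "__main__":
    for name, pkt in [("ESP", PKT_ESP), ("AH", PKT_AH), ("IKE/500", PKT_IKE),
                      ("IKE/4500", PKT_NATT_IKE), ("ESP/4500", PKT_NATT_ESP)]:
        kind = classify(pkt)
        print(f"{name:9} {kind:9} {nat_verdict(kind)}")
```

The practical reading for this thread: a router that terminates the tunnel itself on a public address never sees the problem, because there is no NAT between the two IKE/ESP endpoints. The log message about a "NAT traversal patch" mentioned later in the thread refers to the UDP/4500 encapsulation that the last two constructed packets illustrate.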
As previously mentioned, I use a lot of Linksys RV042s for my clients.

There are a number of schools of thought on whether an integrated system is better than a bunch of pieces/parts. Personally I like the pieces/parts methodology. It allows me to remove a single device during troubleshooting. If your network is set up in the following configuration you can test the ISP and router all day long without affecting the desktops. By that I mean the local computers still have access to the local services (network shares, DBs, etc.).

cable modem/dsl modem
computers, waps, voip etc

As for the whole DD-WRT idea, while I respect the hacking I would not suggest it for you at this point. It sounds like you are fairly new at implementing VPNs. Don't make your life harder. Get in there and get the job done with the RV042, build your VPNs, spend a season or two troubleshooting the issues that come up. At that point you'd be better prepared for testing the extended features of the DD-WRT boxes. RV042 boxes run about $160 delivered.

Another plus of a VPN system is that you can start testing how well VoIP works for your organization. I have set up a couple of clients with a low end VoIP Linksys LVS (now Cisco Small Business) system where the main site has the SPA9000 PBX and the remote sites have SPA942 phones hanging off the network. While I've had good experience with Linksys, a VoIP system would work across any VPN system you purchase. Asterisk and Trixbox are some open source products that you can also test rather inexpensively.

In addition to VoIP services across your organization, also consider some ideas like time clock software (TimeTrex is a semi-open source product) and portal systems like Liferay/Social Office (also open source). What would be kick-butt is if you could convert your telnet app into a portlet. That way everyone would log into the company's intranet, get company news, use the business apps and it would be a single unified interface for everyone.

Thanks for the suggestions guys. I think my difficulty with VPN so far is actually understanding it in my own way or in layman's terms. I originally mentioned DD-WRT as part of the cost aspect. If that would have been a viable option, it would have been at a low cost, plus it is familiar to me as I have a WRT54GL at home running DD-WRT (so to some point, experimenting may have been able to be carried out in my own time).

Upon looking into it further, I tried creating a VPN and connecting to it from an XP machine on the same network, just to see what would happen. It didn't authenticate, but it did appear that it was trying to do something. In the router log, it mentioned about a NAT traversal patch, so at least I know a WAG325N will do IPSec with a NAT. I just need to figure out how many simultaneous VPN connections it will support, and I may well be in business. Providing I could set up 2 different VPN connections on this and have 2 different client routers connected at the same time, that is pretty much all I need. I can set up multiple VPNs in the WAG325N, but I still don't know for certain if they will work as I read somewhere in the DD-WRT guide that for multiple tunnels, you need to specify different ports, but in the WAG325N, there is no option to specify other ports (unless it's handled automatically, but I don't know).

That would be ace if the WAG325N would do the trick as it would mean I can retire the crappy "Business Hub" that BT supply (2700HGV) and its weak butt wireless signal, for something a bit better.

I think the real challenge for me is that keeping the cost down pretty much limits my options, that and the manager is not very technical minded, so it will be hard enough convincing our managers to part with money for sexy new routers to begin with (seeing as the existing ones are still functional, despite them maybe not being able for VPN).

At least at my site, I intend to upgrade our current setup from the supplied ADSL router to an ADSL2+ model for possible future changes or upgrades (it is said that BT will move to ADSL2+ soon, so it would be nice to get the benefit), then I would obviously need the VPN router and a wireless box at the end of that. 3 sets of that (minus a new modem or two) starts to add to the cost and also adds clutter to our very cramped office.

If I were to reduce this setup to 2 components, would I be able to have an ADSL modem/router plugged in to an RV042 and have the server running through the RV042, but wireless clients running on a non-VPN wireless connection? What I am thinking, is the wireless isn't used for sensitive data (pretty much just emailing and browsing), so just have the wireless connected as is, theoretically creating a split tunnel (I think). Would that work? I'm thinking it would look something like this.

Thanks again. I might try to dig up some more info on how the WAG325N handles multiple VPN - so far it's looking promising.
I looked at the image and that won't work. If you use the 2wire for wlan access that means it is the router for the network, not the RV042. With the RV042 (or any other device) not being the router you will not be able to use it for site-to-site VPN. Also, according to the pic, it looks like you are routing in and out of the Unix server - that's not needed. Again, computers, servers, network printers, etc all plug into the switch and the switch plugs into whatever router you put in place.

I'm getting a little lost on the 2nd paragraph. The benefit of any VPN router is that it allows you to join multiple entire networks not individual computers.
So if:
site A = Dallas main site
site B = Los Angeles site
site C = New York site
(this example is analogous to cross country, cross town, cross the world)

Any VPN router will allow you to connect sites B and C to your main site A location. You can also connect sites B and C together but from your info so far there is no need.

Hooking up some RV042s is about the cheapest/most bang for your buck way to go. You could look for some old BEFSX41 on eBay; another option is if you have a few old Pentium computers you could also use something like Monowall. There are some others like Swan and OpenVPN but I do not have experience with them.

While I recognize your enthusiasm and think it is a plus my attitude is more jaded. It is get in there, get it done, get on with something else. The low cost of the RV042 equipment more than makes up for hours/days/weeks of troubleshooting, networks going up and down, and ultimately makes you look better to your manager.
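The post above describes the hub-and-spoke layout (spokes B and C each tunnelled to main site A, no B-to-C tunnel unless needed) and the point that a VPN router joins whole networks rather than individual computers. The added example below, not from the thread or from any router vendor, plans that layout in code: it checks that the three LANs do not overlap (a policy-based site-to-site tunnel selects traffic by local/remote subnet, so two sites both numbered 192.168.1.0/24 cannot be joined without renumbering), produces the per-router tunnel list, and shows which path a host at one site would take to a given destination. Site names and subnets are constructed assumptions.

```python
"""Added example: plan hub-and-spoke site-to-site tunnels for a few sites.

Site names and LAN subnets used here are constructed assumptions, not from the thread.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations


def check_no_overlap(lans: dict) -> None:
    """Every LAN joined by site-to-site IPsec must be distinct.

    Tunnels select traffic by (local subnet, remote subnet); overlapping
    subnets produce a tunnel that comes up but never carries the traffic
    you expect, because the router sees the remote addresses as local.
    """
    nets = {site: ip_network(cidr) for site, cidr in lans.items()}
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            raise ValueError(
                f"{a} ({net_a}) overlaps {b} ({net_b}); renumber one site before joining them"
            )


def plan_tunnels(lans: dict, hub: str) -> dict:
    """Return {site: [(local_subnet, remote_subnet), ...]} for hub-and-spoke.

    The hub router terminates one tunnel per spoke; each spoke needs exactly
    one tunnel, to the hub. No spoke-to-spoke tunnels are created.
    """
    check_no_overlap(lans)
    if hub not in lans:
        raise KeyError(f"hub {hub!r} is not one of the sites")
    tunnels = {site: [] for site in lans}
    for spoke in lans:
        if spoke == hub:
            continue
        tunnels[hub].append((lans[hub], lans[spoke]))
        tunnels[spoke].append((lans[spoke], lans[hub]))
    return tunnels


def route(tunnels: dict, lans: dict, site: str, dst: str) -> str:
    """Where a host on `site` sends a packet for `dst`.

    'local'            - same LAN, never enters a tunnel
    'tunnel:<subnet>'  - matches a tunnel's remote subnet
    'no-tunnel'        - falls to the default route; spoke-to-spoke traffic
                         ends up here unless a direct tunnel is added or the
                         hub is configured to route between its tunnels
    """
    dst_ip = ip_address(dst)
    if dst_ip in ip_network(lans[site]):
        return "local"
    for _local, remote in tunnels[site]:
        if dst_ip in ip_network(remote):
            return f"tunnel:{remote}"
    return "no-tunnel"


# Constructed three-site layout with the main site as hub.
SITES = {"A": "192.168.10.0/24", "B": "192.168.20.0/24", "C": "192.168.30.0/24"}
HUB = "A"

if __name__ == "__main__":
    plan = plan_tunnels(SITES, HUB)
    for site, tuns in plan.items():
        print(site, tuns)
    print("B -> A host:", route(plan, SITES, "B", "192.168.10.5"))
    print("B -> C host:", route(plan, SITES, "B", "192.168.30.5"))
    try:
        check_no_overlap({"A": "192.168.1.0/24", "B": "192.168.1.0/24"})
    except ValueError as exc:
        print("overlap check:", exc)
```

The last case is the one to watch when reusing routers that all shipped with the same default LAN: the plan only works once each site has its own subnet, and a spoke needs either its own tunnel to the other spoke or a hub that forwards between tunnels before spoke-to-spoke traffic will flow.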
Thanks. I was just trying to think up ways to use as much existing hardware as we can. If I am understanding correctly, I need a modem, an RV042 and a wireless router/access point for this to work. Something like Wireless > RV042 > modem. I was trying to avoid 3 separate devices, but if this is going to be the easiest way, then I think I'm at that point of just going with it.

Also, I did make an error in the topology, I think I was simply confusing myself. Would it make more sense if you moved the server down with the terminals? The physical connection would be that the 3com switch is plugged into the Ethernet socket on the server, and the terminals are connected to the 3com switch too. The 3com switch would then be connected to the RV042, and the RV042 to the 2wire modem.

You're right, and there's nothing wrong with your outlook on the situation. I have a tendency to do things the hard way and use it as a learning process to see what works and what doesn't.

Also is it not possible to have two routers operating together? Maybe what I am doing at home is different (or I am misunderstanding something), but I have a WAG325N providing internet and wireless access (as a router/gateway) and a WRT54GL running DD-WRT connected as a client bridge which provides wired LAN to devices upstairs. It is supposedly set as a router (in that it is set to router mode), but I only ever specify port forwards and any other options on the WAG325N. One down side to this is that the WAG325 sees the devices connected to the WRT54GL as having the same MAC addresses as the WRT.

What I need is something like an RV042 with built in wireless and ADSL, but I doubt such a thing exists, and if it does, it will be pretty pricey.

Thanks again.
The best setup is to plug the server into the same switch as the terminals as you've described.

Linksys does have a WRV54G which provides wireless and VPN in one box. I personally don't like them though. Mainly because there is no PPTP, which gives you a second remote/back door/road warrior access. I've found if my RV042 site-to-site VPN fails I can usually still get in via PPTP and perform a router reboot. Also they are essentially 'last generation' devices and do not have all of the bells and whistles of the RV042 (VLAN, higher encryption, not the best but some redundancy/fail over for multiple Internet feeds, etc). You can mix devices and put an RV042 at your main place and WRV54G(s) at some/all remote locations.

RV042(s) are a bit heat sensitive, make sure the environment is not 90F+ for long periods of time. They also seem to need to be rebooted every season or two. There are nicer boxes out there like Sonicwall devices but they get a whole lot pricier (initial costs, on-going firmware upgrades cost, licenses for Internet access, etc.). I'd choose a low end Cisco device before a Sonicwall just because of their on-going costs. I like Linksys for bang vs buck. For bang vs no buck I'd go with Monowall before DD-WRT.

As for putting a router behind a router. Yes, you can do that all day long - for this discussion we are referring to cheapie little $50 routers. The problem that comes up is on the VPN side. The VPN router has to be the device connected to the outside world with a public address. You'll need to convert any current DSL routers into bridges (or bridge mode) for any VPN to work.
