
Questions on VPNs

Instead of getting a dedicated T1 line between 2 branch offices, I was thinking of getting cheaper internet T-1 lines in each office and setting up a VPN between them. Since I've never dealt with VPN my questions are:

1. What equipment do I need? Can it be set up just using Cisco routers? Is it cheaper to use any other type of equipment?

2. Can the T-1 at each site be used for regular internet connectivity as well as the VPN at the same time?

3. Are VPNs pretty complicated to set up for a beginner/intermediate Cisco tech person?

4. How do you make sure that the VPN is secure?

1 Solution

1. I used two SonicWall SOHO3 routers to connect an Edmonton and Calgary office with VPN, works well. The SOHO3s or similar might be cheaper than Cisco routers. http://www.sonicwall.com

2. Yes, normally the router you use for VPN also has IP forwarding, Network Address Translation, and a DHCP server, all of which you can set up internet access with.

3. Not as complicated as I thought.  As long as you have the routers configured to use the same protocols, and the same secret number, it should be a snap to set up.

4. When you set up your VPN, you have the option of using encryption with it. Using a low level group 2 encryption should suffice for anyone's needs, but remember encryption adds to the overhead processing of the router and may slow down network traffic. As well, make sure your router's access tables are open for VPN traffic (specified by the one source IP), but are closed off for everything else.

Hope this helps!
Any Cisco router running IOS can be a VPN host. On the client side you could use the Cisco VPN 3002 hardware client, it costs about $900.
If you have a router with IOS, that also could be your client hardware.
What is your router's model?
If security is an issue, I would suggest Cisco.
You can have a T1 line to the main office to a 1701 router. Get your internet on one interface and set up a tunnel to your branch office on the other interface using a DLCI number on the interface. Use an 805 router at the remote location. Remember, the T1 line has 24 channels, each 64k. You pay so much for each channel.
You can control internet access from the home office and supply it to the remote location.


If you're after a pretty easy budget option (but still secure) this is how we did it:

We used Smoothwall (http://smoothwall.org/) which was a free Linux distro that took about 30 minutes to install and turned a couple of old Pentium 2s into NATing Firewalls. As well as offering VPN through a simple web interface it offers Squid web caching, Snort Intrusion Detection, DNS caching, DHCP server, etc.

1: We used two old PIIs, 128MB of RAM handles our 1Mb ADSL without breaking a sweat.

2: Yep, and fast and safe too thanks to the firewall and caching.

3: Not really, a simple web interface gives you a few simple options. Set IP ranges, shared secret etc and you're done. Help is available too.

4: That's a little tricky to answer, but if the connection is working then it's encrypted. Smoothwall uses the trusted FreeSwan implementation.

Hope that helps.
correction on that 1701 router. Should be 1721.
Have 5 remote sites piped into the 1721 on one interface (subinterfaces).
BreezyAuthor Commented:
The ISP we are using, supplies cisco routers.  Not sure which type yet.  One has to be set up as a host and another as a client? Will I need to setup a firewall too?
BreezyAuthor Commented:
Ok, some more info.  The ISP supplies and sets up using basic Cisco 2600 routers.  But they offer no other form of security.  If I want some basic security, what should I do?  Is there some kind of encryption card that can be used for the 2600?  What could I use if a user wanted to work from home and connect to the VPN?  Thanks.
You should probably make sure that your ISP is actually giving you the 2600s... If they are managed and owned by the ISP, there is a good possibility that they won't want you adding anything to the router (by way of cards or configs) that will make it more difficult to support.  Here's the answer to your question about the router's capabilities though..

The Cisco 2600 series routers are certainly capable of doing the VPN for you.  You need to make sure that the version of the IOS supports encryption (there is a licensing fee difference for the version that does and does not).  Since you are only connecting 2 sites I wouldn't be too concerned with having to purchase separate VPN accelerator cards - you should be able to connect the 2 sites easily with the horsepower of the default 2600..  

There is the concept of 'split-tunneling' that can be leveraged. This is where you allow Internet traffic as well as VPN traffic on the router ..

As far as security.. 3DES encryption for your VPN buys you a lot of security - the encryption algorithm itself is the most widely adopted encryption scheme for IPSEC VPNs today - it is the government standard (except for those places using the new AES scheme).  

Firewalling?  there is a software based pack for the router called CBAC (Content based access control) which is a rudimentary packet filtering firewall..  

Keep in mind that all of the software for the routers costs money and the time invested in figuring it all out and configuring it translates into money as well.

If you want to make it easy, the quickest way to deploy a VPN with an acceptable level of security is to set up the VPN using devices downstream (inside of) the Cisco routers.  Sonicwalls or Netscreens are excellent choices - you can probably get a pair of them for less than $2k.  What you get is an award winning firewall as well as an easy-to-set-up VPN using 3DES encryption to protect your data..

Hope that helps...  
BreezyAuthor Commented:
Thanks willro.  What extra protection does a firewall give me over just using the encryption on my router?
Does it just give me the ability to block ports and such?

Does the CBAC run on a 2600?

Are those freeware firewalls any good?
Keep in mind that firewalling and encryption are separate functions.. You can have 3DES encryption for your VPN but your firewalling could be non-existent. So, the encryption is going to protect the secured data IN TRANSIT. When you send encrypted data to another site across a public infrastructure such as the Internet, you're protecting that data and making it 'virtually' private - hence the name Virtual Private Network, or VPN. You can imagine encryption as being a secured envelope (or maybe even an armored car) that is used to transport data. Firewalls are going to protect your network at the perimeter, much like a watchguard would protect a building. In that sense, a watchguard is only going to be as effective as you tell him - if you let him allow anyone in, then you're not very secure. A firewall's security and effectiveness is dependent on several things including appropriate sizing for an environment (wouldn't want a small firewall for a large firewall's job) and correct configuration (making sure that you're blocking the unwanted traffic and allowing the wanted traffic).

So, in short - if we're talking about protecting a house you can imagine the encryption as being the secure transport that you use to protect the messages that you send out (armored car for a letter?  maybe a secure envelope or box) and a firewall as being a dog that is protecting the house from intruders. Make a little more sense?  

Firewalls come in a variety of flavors to do different functions.  You may want to acquaint yourself with stateful inspection and proxying in addition to normal packet filtering.  In a nutshell, here's what they do..

Stateful inspection - where a firewall keeps a 'state' table, or keeps track of sessions across the firewall. Generally, the function is to only allow traffic in that was first initiated from the inside. That way there is no traffic that is not allowed, since you never invited it. Again, this is in theory..

Proxy Firewalls - These are firewalls that actually do the Internet request on behalf of  the host on the inside.  I actually answered a question on describing proxy firewalls here  - http://www.experts-exchange.com/Networking/Q_20532082.html

Packet filters are just that.. they filter on the basis of destination, source, port.. pretty simple compared to the other firewall technologies.

The CBAC firewall is defined as performing stateful inspection in addition to packet filtering.
Here's detail on CBAC (also known as IOS firewall)

The CBAC firewall is available on the 2600 series Cisco routers. In fact, I believe CBAC is available for most all of the Cisco routers (you just need to make sure you have enough RAM and Flash to support it).

There are freeware firewalls out there that can be very effective if configured correctly.. The thing is, there are a lot of vendors that have taken the time and effort to make the technology easy for you. Why re-invent the wheel if you don't have to? There are many low cost options that are available to you to solve your issue. I would check out www.scmagazine.com and check out some of the SOHO firewall reviews. There are a lot of options for small networks out there - the biggest plus is that these firewalls offer everything that you would need AND they're VERY EASY to configure with great product support. The drawback of using freeware is that you're often going to be in the dark if you need support.. in my opinion, even a low cost firewall is a better investment in time and money if you lack the expertise in-house to set the firewall up using a freeware app like an IPChains kind of application.
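As an added illustration (not from the thread or any product named in it), here is a small Python model of the difference between a plain packet filter and the stateful inspection described in the answer above, including the first answer's rule of opening the router only to VPN traffic from the one peer address. The LAN prefix, peer address and packets are constructed for the demo.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."      # assumed LAN prefix (constructed)
VPN_PEER = "203.0.113.5"    # assumed remote-office router address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "esp"
    sport: int = 0
    dport: int = 0

def is_inside(ip):
    return ip.startswith(INSIDE_NET)

def stateless_filter(pkt):
    """Plain packet filter: allow everything outbound and, inbound, only TCP
    from source port 80 (the old way to let web replies back in). It cannot
    tell a genuine reply from unsolicited traffic that merely uses port 80."""
    if is_inside(pkt.src):
        return "allow"
    return "allow" if pkt.proto == "tcp" and pkt.sport == 80 else "drop"

class StatefulFilter:
    """Keeps a state table: inbound is allowed only as a reply to a session an
    inside host opened, plus one static rule for the IPsec peer."""
    def __init__(self):
        self.state = set()   # (inside_ip, inside_port, outside_ip, outside_port, proto)

    def filter(self, pkt):
        if is_inside(pkt.src):
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"   # outbound: remember the session
        if pkt.src == VPN_PEER and (pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == 500)):
            return "allow"   # ESP / ISAKMP from the one VPN peer only
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"   # reply to a session the inside initiated
        return "drop"        # nobody inside invited this

def run_demo():
    """Run constructed packets through both filters; returns (stateless, stateful) verdicts."""
    pkts = [
        Packet("10.0.0.7", "198.51.100.20", "tcp", 40001, 80),   # inside opens a web session
        Packet("198.51.100.20", "10.0.0.7", "tcp", 80, 40001),   # the genuine reply
        Packet("198.51.100.99", "10.0.0.7", "tcp", 80, 445),     # unsolicited, but from port 80
        Packet(VPN_PEER, "10.0.0.1", "esp"),                     # IPsec from the VPN peer
        Packet("192.0.2.33", "10.0.0.1", "esp"),                 # ESP from an unknown host
    ]
    fw = StatefulFilter()
    return [stateless_filter(p) for p in pkts], [fw.filter(p) for p in pkts]
```

The third packet is where the two differ: the stateless rule waves it through because the source port looks like a web server, while the state table drops it because no inside host ever opened that session.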
