Questions on VPNs

Posted on 2003-02-20
Medium Priority
Last Modified: 2010-03-19
Instead of getting a dedicated T1 line between 2 branch offices, I was thinking of getting cheaper internet T-1 lines in each office and setting up a VPN between them. Since I've never dealt with VPN my questions are:

1. What equipment do I need?  Can it be set up just using Cisco routers? Is it cheaper to use any other type of equipment?

2. Can the T-1 at each site be used for regular Internet connectivity as well as the VPN at the same time?

3. Are VPNs pretty complicated to set up for a beginner/intermediate Cisco tech person?

4. How do you make sure that the VPN is secure?

Question by: Breezy

Expert Comment

ID: 7990019

1. I used two SonicWall SOHO3 routers to connect an Edmonton and Calgary office with VPN; works well.  The SOHO3s or similar might be cheaper than Cisco routers.  http://www.sonicwall.com

2. Yes, normally the router you use for VPN also has IP forwarding, Network Address Translation, and a DHCP server, all of which you can set up Internet access with.

3. Not as complicated as I thought.  As long as you have the routers configured to use the same protocols and the same secret number, it should be a snap to set up.

4. When you set up your VPN, you have the option of using encryption with it.  Using a low-level group 2 encryption should suffice for anyone's needs, but remember encryption adds to the processing overhead of the router and may slow down network traffic.  As well, make sure your router's access tables are open for VPN traffic (specified by the one source IP), but are closed off for everything else.

Hope this helps!

Expert Comment

ID: 7990418
Any Cisco router running IOS can be a VPN host. On the client side you could use the Cisco VPN 3002 hardware client; it costs about $900.
If you have a router with IOS, that also could be your client hardware.
What is your router's model?

Expert Comment

ID: 7990568
If security is an issue, I would suggest Cisco.
You can have a T1 line to the main office to a 1701 router. Get your Internet on one interface and set up a tunnel to your branch office on the other interface using a DLCI number on the interface, using an 805 router at the remote location. Remember, the T1 line has 24 channels, each 64k. You pay so much for each channel.
You can control Internet access from the home office and supply it to the remote location.

Expert Comment

ID: 7990633
If you're after a pretty easy budget option (but still secure) this is how we did it:

We used Smoothwall (http://smoothwall.org/), which was a free Linux distro that took about 30 minutes to install and turned a couple of old Pentium 2s into NATing firewalls. As well as offering VPN through a simple web interface, it offers Squid web caching, Snort intrusion detection, DNS caching, a DHCP server, etc.

1: We used two old PIIs; 128MB of RAM handles our 1Mb ADSL without breaking a sweat.

2: Yep, and fast and safe too thanks to the firewall and caching.

3: Not really; a simple web interface gives you a few simple options. Set IP ranges, shared secret etc. and you're done. Help is available too.

4: That's a little tricky to answer, but if the connection is working then it's encrypted. Smoothwall uses the trusted FreeS/WAN implementation.

Hope that helps.

Expert Comment

ID: 7990694
Correction on that 1701 router: it should be a 1721.
I have 5 remote sites piped into the 1721 on one interface (subinterfaces).

Author Comment

ID: 8019172
The ISP we are using, supplies cisco routers.  Not sure which type yet.  One has to be set up as a host and another as a client? Will I need to setup a firewall too?

Author Comment

ID: 8034818
Ok, some more info.  The ISP supplies and sets up using basic Cisco 2600 routers.  But they offer no other form of security.  If I want some basic security, what should I do?  Is there some kind of encryption card that can be used for the 2600?  What could I use if a user wanted to work from home and connect to the VPN?  Thanks.

Accepted Solution

willro earned 400 total points
ID: 8038875
You should probably make sure that your ISP is actually giving you the 2600s... If they are managed and owned by the ISP, there is a good possibility that they won't want you adding anything to the router (by way of cards or configs) that will make it more difficult to support.  Here's the answer to your question about the router's capabilities, though..

The Cisco 2600 series routers are certainly capable of doing the VPN for you.  You need to make sure that the version of the IOS supports encryption (there is a licensing fee difference for the version that does and does not).  Since you are only connecting 2 sites I wouldn't be too concerned with having to purchase separate VPN accelerator cards - you should be able to connect the 2 sites easily with the horsepower of the default 2600..  

There is the concept of 'split-tunneling' that can be leveraged. This is where you allow Internet traffic as well as VPN traffic on the router ..

As far as security.. 3DES encryption for your VPN buys you a lot of security - the encryption algorithm itself is the most widely adopted encryption scheme for IPsec VPNs today - it is the government standard (except for those places using the new AES scheme).

Firewalling?  There is a software-based pack for the router called CBAC (Context-Based Access Control) which is a rudimentary packet filtering firewall..

Keep in mind that all of the software for the routers costs money and the time invested in figuring it all out and configuring it translates into money as well.

If you want to make it easy, the quickest way to deploy a VPN with an acceptable level of security is to set up the VPN using devices downstream (inside of) the Cisco routers.  SonicWalls or NetScreens are excellent choices - you can probably get a pair of them for less than $2k.  What you get is an award-winning firewall as well as an easy-to-set-up VPN using 3DES encryption to protect your data..

Hope that helps...  
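The split-tunneling idea in the accepted answer above (VPN traffic and ordinary Internet traffic sharing the same router) comes down to a selection rule: only traffic between the two office LANs is "interesting" and goes into the IPsec tunnel, everything else leaves in the clear. The following is an added example, not code from the thread or from Cisco: it parses a constructed, Cisco-style crypto access list (the `access-list 101 permit ip ... wildcard` form, with `any` and `host` specs) and classifies packets with Cisco wildcard-mask semantics. The subnets, the ACL text and the `classify` function are assumptions made for the illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a Cisco-style extended access list used as a crypto
# ACL: it names the traffic that must be encrypted. Wildcard mask 0.0.0.255
# means "ignore the last octet", i.e. a /24. Addresses are made up.
CRYPTO_ACL = """
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny   ip any any
"""

AddrSpec = Tuple[int, int]             # (network as int, wildcard mask as int)
Rule = Tuple[str, AddrSpec, AddrSpec]  # (permit|deny, src spec, dst spec)


def _take_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    net = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (net, wild), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = t[2]
        src, rest = _take_addr(t[4:])
        dst, _ = _take_addr(rest)
        rules.append((action, src, dst))
    return rules


def _matches(spec: AddrSpec, addr: int) -> bool:
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF
    return (addr & keep) == (net & keep)


def classify(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins. 'permit' -> packet goes into the IPsec
    tunnel; 'deny' or no match -> packet leaves in the clear (split tunnel:
    ordinary Internet traffic is NATed out and is not encrypted)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, sspec, dspec in rules:
        if _matches(sspec, s) and _matches(dspec, d):
            return "tunnel" if action == "permit" else "clear"
    return "clear"


RULES = parse_acl(CRYPTO_ACL)

if __name__ == "__main__":
    for src, dst in [("10.1.0.15", "10.2.0.40"),    # LAN to branch LAN
                     ("10.1.0.15", "203.0.113.10"),  # LAN to a web site
                     ("10.1.0.15", "10.2.1.40")]:    # outside the branch /24
        print(src, "->", dst, ":", classify(RULES, src, dst))
```

The third sample shows the check a practitioner should make after writing the ACL: a host one octet outside the branch subnet is not covered by the permit line, so its traffic would leave unencrypted. Whatever is not matched by the crypto ACL is exactly what split tunneling exposes to the Internet, so the ACL and the firewall policy should be reviewed together.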

Author Comment

ID: 8042427
Thanks willro.  What extra protection does a firewall give me over just using the encryption on my router?
Does it just give me the ability to block ports and such?

Does the CBAC run on a 2600?

Are those freeware firewalls any good?

Expert Comment

ID: 8046045
Keep in mind that firewalling and encryption are separate functions.. You can have 3DES encryption for your VPN but your firewalling could be non-existent.  So, the encryption is going to protect the secured data IN TRANSIT.  When you send encrypted data to another site across a public infrastructure such as the Internet, you're protecting that data and making it 'virtually' private - hence the name Virtual Private Network, or VPN.   You can imagine encryption as being a secured envelope (or maybe even an armored car) that is used to transport data.  Firewalls are going to protect your network at the perimeter, much like a watchguard would protect a building.  In that sense, a watchguard is only going to be as effective as you tell him - if you let him allow anyone in, then you're not very secure.  A firewall's security and effectiveness is dependent on several things, including appropriate sizing for an environment (wouldn't want a small firewall for a large firewall's job) and correct configuration (making sure that you're blocking the unwanted traffic and allowing the wanted traffic).

So, in short - if we're talking about protecting a house you can imagine the encryption as being the secure transport that you use to protect the messages that you send out (armored car for a letter?  maybe a secure envelope or box) and a firewall as being a dog that is protecting the house from intruders. Make a little more sense?  

Firewalls come in a variety of flavors to do different functions.  You may want to acquaint yourself with stateful inspection and proxying in addition to normal packet filtering.  In a nutshell, here's what they do..

Stateful inspection - where a firewall keeps a 'state' table, or keeps track of sessions across the firewall.  Generally, the function is to only allow traffic in that was first initiated from the inside.  That way no traffic is allowed in that you never invited.  Again, this is in theory..

Proxy Firewalls - These are firewalls that actually do the Internet request on behalf of  the host on the inside.  I actually answered a question on describing proxy firewalls here  - http://www.experts-exchange.com/Networking/Q_20532082.html

Packet filters are just that.. they filter on the basis of destination, source, port.. pretty simple compared to the other firewall technologies.

The CBAC firewall is defined as performing stateful inspection in addition to the packet filtering.
Here's detail on CBAC (also known as the IOS Firewall):

The CBAC firewall is available on the 2600 series Cisco routers. In fact, I believe CBAC is available for most all of the Cisco routers (you just need to make sure you have enough RAM and Flash to support it).

There are freeware firewalls out there that can be very effective if configured correctly..  The thing is, there are a lot of vendors that have taken the time and effort to make the technology easy for you.  Why re-invent the wheel if you don't have to?  There are many low-cost options that are available to you to solve your issue.  I would check out www.scmagazine.com and check out some of the SOHO firewall reviews.  There are a lot of options for small networks out there - the biggest plus is that these firewalls offer everything that you would need AND they're VERY EASY to configure with great product support.  The drawback of using freeware is that you're often going to be in the dark if you need support..  In my opinion, even a low-cost firewall is a better investment in time and money if you lack the expertise in-house to set the firewall up using a freeware app like an IPChains kind of application.
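The comment above contrasts a plain packet filter (decisions on source, destination and port alone) with stateful inspection (a state table of sessions opened from the inside). The following added example, written for this page rather than taken from the thread or from any vendor's product, models both side by side and runs a constructed four-packet sample through them: a web request and its reply, an unsolicited inbound probe, and a delivery to an internal mail server. The addresses, the mail-server rule and the "ephemeral ports open" rule of the stateless filter are assumptions chosen to show why the two differ.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MAIL_SERVER = "10.1.0.25"  # constructed: the one inside host that accepts inbound connections


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    inbound: bool  # True when the packet arrives from the Internet side


def packet_filter(pkt: Packet) -> bool:
    """Stateless packet filter: judges each packet on src/dst/port alone.
    Because it cannot tell a reply from a fresh connection, it has to leave
    the ephemeral port range (> 1023) open so replies to outbound sessions
    get back in, which also lets unsolicited packets to those ports through."""
    if not pkt.inbound:
        return True
    if pkt.dst == MAIL_SERVER and pkt.dport == 25:
        return True
    return pkt.dport > 1023


class StatefulFirewall:
    """Stateful inspection: remembers sessions opened from the inside and
    admits an inbound packet only if it belongs to one of them (or matches
    the explicit mail-server rule)."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Outbound packet: record the session so its reply is admitted.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # The reply to (src, sport, dst, dport) arrives as (dst, dport, src, sport).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return True
        return pkt.dst == MAIL_SERVER and pkt.dport == 25


# Constructed traffic sample: one web session plus an unsolicited probe.
SAMPLE: List[Tuple[str, Packet]] = [
    ("web request", Packet("10.1.0.5", 40000, "203.0.113.10", 80, inbound=False)),
    ("web reply",   Packet("203.0.113.10", 80, "10.1.0.5", 40000, inbound=True)),
    ("probe",       Packet("198.51.100.7", 4444, "10.1.0.5", 40001, inbound=True)),
    ("mail in",     Packet("198.51.100.7", 5555, MAIL_SERVER, 25, inbound=True)),
]


def compare(packets: List[Tuple[str, Packet]] = SAMPLE) -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (packet filter verdict, stateful verdict)}, in sample order."""
    fw = StatefulFirewall()
    return {label: (packet_filter(p), fw.check(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (pf, sf) in compare().items():
        verdict = lambda ok: "pass" if ok else "drop"
        print(f"{label:12s} packet filter: {verdict(pf)}   stateful: {verdict(sf)}")
```

The only packet on which the two disagree is the probe: the stateless filter passes it because port 40001 is in the range it had to leave open for replies, while the stateful firewall drops it because no inside host ever opened a session to 198.51.100.7. That is the "only allow traffic in that was first initiated from the inside" behaviour the comment describes, and also why the comment adds "in theory": the explicit mail-server rule is still an open door that the state table does nothing to guard.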
