Linksys BEFSX41 - 4 Remote Locations & One Endpoint

Hey all,

This is still my first VPN excursion and I have a few more questions before I purchase the hardware.

The Linksys BEFSX41 says that it only supports 2 VPN tunnels.  Does that mean that only 2 locations can be connected?  I’ve got 4 locations and they are all going to need to be connected.  I don’t know if 2 tunnels means 2 locations or if 2 tunnels means 2 pipelines that 20 locations can hop on each….for example.  This is what I have gathered…

Under the VPN settings in the BEFSX41,

Local Secure Group: are the computers that I want to have on the VPN Endpoint’s LAN to access the tunnel.  So if I want all the computers on the LAN to access the tunnel, I will want to select “IP Range” and enter:
New York: 192.168.0.1 ~ 254                                    WAN IP = 68.213.224.XX (static)

Remote Secure Group: is going to be my dialup and remote users that are not behind their office’s VPN router.  I should set this to “any” to allow addresses from any network that are using VPN Client software to access the tunnel.  

Remote Security Gateway: this is the option that I should set to "any" to enable my other office locations with VPN routers to connect:
Boston – 192.168.2.1
Dallas – 192.168.3.1
Chicago – 192.168.4.1

Questions:
1) So now I point all 3 remote locations to the end-point in NY’s static WAN IP and hit connect.  
2) Will they all 3 connect?  
3) Also, am I going to have to enable NetBIOS broadcast to see other Windows machines shared files?
4) If so is there anything else that I will need to set?
5) Can I get away with only having the end-point use a static IP from the ISP or would it be in my better interest to get static IP's for them all?
6) Are all of the VPN settings I have described above correct?

Asked by: inverted_2000

lrmoore Commented:
You're going to have problems setting the remote secure group to "any" because then your router will think that even connections to say Google will have to go through the tunnel. I'm sure this is not what you intended.
The BEFSX41 will only support 2 VPN tunnels. If you need 4, then get a different router rather than trying to put a square peg in a round hole. The harder you try, the more random the outcome. Try using the RV042 instead.
Yes, it will be easier on you if each site has a static IP address, else you can use something like dyndns.org to maintain dns resolution even if it changes. Odds are that it won't change very often.
Note: I highly discourage using 192.168.0.x as your "main" LAN subnet. Don't use 192.168.1.x, 192.168.2.x, 10.10.10.x, 10.0.0.x either. Why? Because if you ever intend to use a VPN client, and they try to connect through their home LAN which happens to be behind a consumer broadband router, these are the most common subnets used by consumers. It will save you a lot of headaches supporting end users if you start off at the beginning using something else for your main office LAN.
Yes, "local secure group" is just that, the local LAN IP addresses that you want to use the tunnel.
The "remote secure group" must be the specific subnet that is beyond the specified WAN IP (remote site's WAN IP)

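The two subnet points in the answer above (a remote secure group of "any" matches every destination, and office LANs should avoid common consumer subnets), as an added example that is not part of the original thread. It models the secure group as a destination match, which is an assumption about the router's behavior; the /24 masks and the 203.0.113.10 test address are also assumptions.

```python
import ipaddress

# Subnets the answer above lists as common consumer-router defaults (/24 assumed).
CONSUMER_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.10.10.0/24", "10.0.0.0/24")]

# Site LANs as given in the question (the /24 mask is an assumption).
PLAN = {"New York": "192.168.0.0/24", "Boston": "192.168.2.0/24",
        "Dallas": "192.168.3.0/24", "Chicago": "192.168.4.0/24"}

def parse_group(group):
    """Turn a secure-group setting into a network; "any" matches every address."""
    return ipaddress.ip_network("0.0.0.0/0" if group == "any" else group)

def uses_tunnel(remote_group, dest_ip):
    """Model: traffic enters the tunnel when its destination is in the remote group."""
    return ipaddress.ip_address(dest_ip) in parse_group(remote_group)

def audit_plan(sites):
    """Return findings for a {site: LAN subnet or "any"} plan."""
    nets = {name: parse_group(g) for name, g in sites.items()}
    names = sorted(nets)
    findings = []
    for i, a in enumerate(names):
        if nets[a].prefixlen == 0:
            findings.append(f"{a}: 'any' would send all traffic into the tunnel")
            continue
        for c in CONSUMER_DEFAULTS:
            if nets[a].overlaps(c):
                findings.append(f"{a}: {nets[a]} overlaps consumer default {c}")
        for b in names[i + 1:]:
            if nets[b].prefixlen and nets[a].overlaps(nets[b]):
                findings.append(f"{a}/{b}: overlapping LANs, remote group is ambiguous")
    return findings

if __name__ == "__main__":
    print(uses_tunnel("any", "203.0.113.10"))             # Internet host (constructed)
    print(uses_tunnel("192.168.2.0/24", "203.0.113.10"))  # specific remote group
    for finding in audit_plan(PLAN):
        print(finding)
```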
 
inverted_2000 (Author) Commented:
So the RV042 will allow 3 remote offices to access the LAN at the main office?

Someone told me that I would have to set it up like this ("A" being the main office #1):
A <-------- B - B <---------------- C - C <----------------------- D
Meaning that the remote locations would run through each other in order to connect to the main office.  This sounded like a headache, and I know for a fact that the Cisco PIX 501's that I use at work do not chain through each other like that to the corporate office....they each have a direct tunnel.

I'm still a bit unclear on this "tunnel" term.  Does each location that is remote have to have its own tunnel to the main office or do they all tap into the same tunnel?

Thanks again,
Chris

inverted_2000 (Author) Commented:
Also....which of the first 3 settings is the one that I must configure to allow users like you said with Cisco Client VPN software to access the LAN?  I thought it was the Remote Secure Group, but I guess that was wrong.

lrmoore Commented:
No reason to chain them together. No reason at all you can't do three independent tunnels from A (yes, each remote has its own tunnel)
  A <---->B - remote secure group 192.168.2.0, gateway 12.34.56.7
  A <---->C - remote secure group 192.168.3.0, gateway 34.56.78.9
  A <---->D - remote secure group 192.168.4.0, gateway 65.22.88.99
  A <---->E - remote secure group 192.168.X.0, gateway 63.44.55.66

Now, if Dallas needs to talk to Boston, and Chicago needs to talk to Dallas, then you can create a partial or full mesh, where you have multiple VPNs at each site, one to each remote:
  A <---->B
  A <---->C
  A <---->D

  B <---->A
  B <---->C
  B <---->D

  C <---->B
  C <---->A
  C <---->D

The RV042 allows up to 30 remote office tunnels or remote users, or combination.

http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=639

If you need more than 4 LAN ports, it also comes in 8 and 16-port models.
The dual-WAN feature is nice to have if you ever need to add a 2nd line to your main office.

lrmoore Commented:
I'm not sure what you mean by users with Cisco VPN client.
Are these clients on the Inside LAN and connecting to a 3rd party VPN endpoint somewhere else? Yes - enable IPSEC "Passthrough" feature on the router
You cannot use the Cisco VPN client on a roving user laptop to connect back to your Linksys VPN router.

inverted_2000 (Author) Commented:
Great....you're understanding what I am trying to learn.......so:

1) I can throw the file server at the main office in New York with a RV042 and then use a cheaper BEFSX41 at each of the 3 remote offices to access the main office?

2) Each location will have a static WAN IP address

3) If I wanted a partial or full mesh, I would need the RV042 at each location because a tunnel would have to be created for each direction, i.e.
    A <---->B
    A <---->C
    A <---->D
    counts as 3 separate tunnels.

* When I ask of the Cisco VPN Client software, I mean for example, I am a passenger in a car and I connect to the main office's LAN via my Verizon Wireless connection.  Once connected to Verizon or a WiFi hotspot, I can point the Cisco VPN Client to say 64.213.117.XX and it will create a secure connection to the main office's LAN.  

So I might be on a 3rd party LAN and receiving an IP via DHCP, or I might be on dialup and receiving a global IP from the ISP.....what cha think???

lrmoore Commented:
1) Yes, exactly
2) Yes, ideally, but not required
3) Yes

Like I said, you cannot use the Cisco VPN client software to connect back to the Linksys VPN router. However, Linksys has their own "QuickVPN" client that you can use to connect up with the RV0x2 VPN routers.
I use it to connect to my home LAN from work, from the airport, from a hotel, etc.
I use my Cisco VPN client to connect to my office from home, from the airport, from a hotel, etc. (PIX FW endpoint), or to other client sites.

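The hardware plan agreed on above (RV042 at the main office, BEFSX41 at each remote, one tunnel per remote), as an added example that is not part of the original thread. It builds the per-router tunnel entries for a hub-and-spoke and a full-mesh layout and checks them against the tunnel limits quoted in the thread; the /24 masks and the 198.51.100.x WAN addresses are constructed placeholders.

```python
from itertools import combinations

TUNNEL_LIMIT = {"BEFSX41": 2, "RV042": 30}  # limits as stated in the thread

# Constructed plan: router model, LAN (subnets from the thread, /24 assumed),
# and a placeholder WAN IP from the 198.51.100.0/24 documentation range.
SITES = {
    "A": ("RV042", "192.168.0.0/24", "198.51.100.1"),
    "B": ("BEFSX41", "192.168.2.0/24", "198.51.100.2"),
    "C": ("BEFSX41", "192.168.3.0/24", "198.51.100.3"),
    "D": ("BEFSX41", "192.168.4.0/24", "198.51.100.4"),
}

def hub_and_spoke(sites, hub):
    """One tunnel from each remote site to the hub."""
    return [(hub, s) for s in sorted(sites) if s != hub]

def full_mesh(sites):
    """One tunnel between every pair of sites."""
    return list(combinations(sorted(sites), 2))

def tunnel_table(sites, links):
    """Per-router entries: every link needs one entry on each end, with the
    peer's LAN as remote secure group and the peer's WAN IP as gateway."""
    table = {name: [] for name in sites}
    for a, b in links:
        for local, peer in ((a, b), (b, a)):
            _, peer_lan, peer_wan = sites[peer]
            table[local].append({"peer": peer,
                                 "remote_secure_group": peer_lan,
                                 "remote_gateway": peer_wan})
    return table

def over_limit(sites, links):
    """Sites whose router model cannot hold the tunnels the layout needs."""
    table = tunnel_table(sites, links)
    return sorted(name for name, entries in table.items()
                  if len(entries) > TUNNEL_LIMIT[sites[name][0]])

if __name__ == "__main__":
    for label, links in (("hub-and-spoke", hub_and_spoke(SITES, "A")),
                         ("full mesh", full_mesh(SITES))):
        print(label, "over limit:", over_limit(SITES, links))
```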
 
inverted_2000 (Author) Commented:
You are awesome.....thank you so very very very much!!!

lrmoore Commented:
Glad to help!
 - Cheers!