VPN/Redundancy Problem

Posted on 2005-04-11
Last Modified: 2013-11-16
Hello all,

Need your input on something. On a friend's network he has 2 dedicated T1s going to 2 separate routers which connect (currently) to a Cisco 3500 switch, then to a 16 port Linksys VPN router (there's also 2 other switches). However, after having someone else install it, the VPN router is just assigning DHCP addresses, which the other routers could do, and actually keeping him from using multiple VPNs (which shouldn't happen with a VPN router, right?). Finally, the non-VPN users seem to be able to get to the internet fine, but when that connection is unplugged, it doesn't switch over to the other router to find a way to the web. I personally think that the Linksys is the wrong device for the job, and also for just 60-100 PCs he has too much equipment. What do you think? If you need more clarification let me know.
Question by:glpolite
    LVL 79

    Expert Comment

    Depends on the Linksys. If it's an RV016, then it <should> be doing the job of a firewall with built-in capability to auto failover if one link is down. Conceptually, it sounds solid.

    Yes, with this router you should be able to use multiple VPN's --UNLESS-- they all go to the same endpoint. This product supports multiple VPN tunnels at one time, but each one must go to a different remote site.

    A firewall is certainly a necessity. I would suggest a Cisco PIX 515e. It supports multiple VPN tunnels even if they go to the same endpoint, and if you set up the routers with HSRP (assuming they are Cisco), you get instant failover. Enable OSPF between the two routers and the PIX, and you can have load-sharing as well as failover.
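    To make the HSRP part of this suggestion concrete, here is an added example configuration (not from the original answer) showing how the two T1 routers would share one virtual gateway address on the LAN segment facing the firewall, and how the PIX would point its default route at that address. The interface names, the 192.0.2.0/24 addressing, the HSRP group number and the key string are all assumptions for illustration; the OSPF part of the answer is left out here.

```cisco
! ---- Router A (primary path, terminates T1 #1) ----
! Assumed interfaces: FastEthernet0/0 faces the firewall, Serial0/0 is the T1.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ! Both routers share virtual gateway 192.0.2.1 (constructed address)
 standby 1 ip 192.0.2.1
 ! Higher priority makes this router the active gateway by default
 standby 1 priority 110
 ! Take the active role back once this router/T1 is healthy again
 standby 1 preempt
 ! If the T1 goes down, drop priority by 20 so Router B (100) wins
 standby 1 track Serial0/0 20
 ! Authenticated HSRP so a rogue host on the segment cannot claim the gateway
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER

! ---- Router B (backup path, terminates T1 #2) ----
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track Serial0/0 20
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER

! ---- PIX outside interface ----
! The firewall only ever sees the virtual address, so a T1 or router
! failure moves the gateway without any change on the PIX.
ip address outside 192.0.2.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

    With this in place, `show standby brief` on each router shows which one is Active and which is Standby, and pulling the cable on Router A's serial interface should move the Active role to Router B within the hold time while the PIX default route stays unchanged.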
    LVL 23

    Expert Comment

    Whoa, that is pretty confusing.  First, there is nothing wrong with a VPN router doing DHCP, as long as it is the ONLY router on the network doing that.  If another is, stop it, and give it a fixed IP.

    Second, if the VPN router is not the FIRST thing coming in from the T1 line, how is it going to properly authenticate the VPN clients "dialing" in?  It has to be "in front" of the switch, no?

    <<multiple VPN's (which shouldn't happen with a VPN router, right?).>>

    Totally depends on the model. Some Linksys VPN endpoint routers can only handle 1 connection, others like the BEFSVP41 can handle two, more recent ones can handle 4-8.  Likewise for the next question --

    60-100 PCs are WAY too much for a lot of Linksys routers.  Some of the later ones, identical to Cisco (both made by cisco now) can handle this, but yes in the range of 100 PCs, you are pushing most low end routers.

    Author Comment

    IrMoore, are you suggesting to add the PIX or replace the Linksys with the PIX? The Linksys has an SPI firewall built in already. This guy I believe has waaay too much equipment for his needs. 60 PCs, 2 T1's, 3 routers, 3 switches and a big wallet. I think that simplifying this setup is in order.

    On the VPN side, could there be something prohibiting the users from dialing in to their network? There are multiple offices here and each VPN user could be connecting (possibly) to different Network Resources. Theoretically, everything should be working so I think that there could be a config issue.

    Boy, don't ya just love cleaning up someone else's mess.
    LVL 79

    Accepted Solution

    Yes, I'm suggesting replacing the Linksys with a PIX. Depending on the routers that terminate the T1's, I might consolidate them into a single router. You simply cannot get away without a router terminating the T1's, and I don't like putting the firewall/router into one box.  It will probably fix the VPN user issues also.


    Author Comment

    I thank you very much for your insight, if I have any additional questions concerning this you'll hear from me again.
