VPN/Redundancy Problem

Hello all,

Need your input on something. On a friend's network he has 2 dedicated T1s going to 2 separate routers which connect (currently) to a Cisco 3500 switch, then to a 16-port Linksys VPN router (there are also 2 other switches). However, after having someone else install it, the VPN router is just assigning DHCP addresses, which the other routers could do, and is actually keeping him from using multiple VPNs (which shouldn't happen with a VPN router, right?). Finally, the non-VPN users seem to be able to get to the internet fine, but when that connection is unplugged, it doesn't switch over to the other router to find a way to the web. I personally think that the Linksys is the wrong device for the job, and also that for just 60-100 PCs he has too much equipment. What do you think? If you need more clarification let me know.
lrmoore Commented:
Depends on the Linksys. If it's an RV016, then it <should> be doing the job of a firewall with built-in capability to auto-failover if one link is down. Conceptually, it sounds solid.

Yes, with this router you should be able to use multiple VPNs --UNLESS-- they all go to the same endpoint. This product supports multiple VPN tunnels at one time, but each one must go to a different remote site.

A firewall is certainly a necessity. I would suggest a Cisco PIX 515e. It supports multiple VPN tunnels even if they go to the same endpoint, and if you set up the routers with HSRP (assuming they are Cisco), you get instant failover. Enable OSPF between the two routers and the PIX, and you can have load-sharing as well as failover.
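One way to wire up the HSRP-with-interface-tracking failover described in the answer above, added here as an example and not lrmoore's configuration or anything from the original thread. Hostnames, interface names and addresses are constructed; the segment 192.168.100.0/24 is assumed to be shared by both T1 routers and the firewall's outside interface, and the commands use the classic `standby ... track <interface> <decrement>` IOS form.

```cisco
! --- Router A: terminates T1 "A", preferred active gateway (constructed example)
hostname RouterA
!
interface Serial0/0
 description T1 A to provider
 ip address 203.0.113.2 255.255.255.252
!
interface FastEthernet0/0
 description Shared segment with RouterB and the firewall outside interface
 ip address 192.168.100.2 255.255.255.0
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
 ! If the T1 drops, priority falls 110 -> 90 and RouterB (100) takes over
 standby 1 track Serial0/0 20
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 ! The default is only advertised while the static default (and so the T1) is up
 default-information originate
!
! --- Router B: terminates T1 "B", standby gateway (constructed example)
hostname RouterB
!
interface Serial0/0
 description T1 B to provider
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.100.3 255.255.255.0
 standby 1 ip 192.168.100.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 track Serial0/0 20
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate
!
! --- Firewall side: point the outside default route at the virtual IP, not at
! either physical router, so inside hosts never need a gateway change.
! (PIX syntax) route outside 0.0.0.0 0.0.0.0 192.168.100.1
```

Verify with `show standby brief` on each router: when one T1 is unplugged the Active role should move to the other router within the HSRP hold time (10 seconds by default), and the firewall's next hop stays 192.168.100.1 throughout.
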
sciwriter Commented:
Whoa, that is pretty confusing. First, there is nothing wrong with a VPN router doing DHCP, as long as it is the ONLY router on the network doing that. If another is, stop it, and give it a fixed IP.

Second, if the VPN router is not the FIRST thing coming in from the T1 line, how is it going to properly authenticate the VPN clients "dialing" in?  It has to be "in front" of the switch, no?

<<multiple VPN's (which shouldn't happen with a VPN router, right?).>>

Totally depends on the model. Some Linksys VPN endpoint routers can only handle 1 connection, others like the BEFSVP41 can handle two, more recent ones can handle 4-8. Likewise for the next question --

60-100 PCs are WAY too much for a lot of Linksys routers. Some of the later ones, identical to Cisco (both made by Cisco now) can handle this, but yes, in the range of 100 PCs you are pushing most low-end routers.
glpolite Author Commented:
lrmoore, are you suggesting to add the PIX or replace the Linksys with the PIX? The Linksys has an SPI firewall built in already. This guy, I believe, has waaay too much equipment for his needs: 60 PCs, 2 T1s, 3 routers, 3 switches and a big wallet. I think that simplifying this setup is in order.

On the VPN side, could there be something prohibiting the users from dialing in to their network? There are multiple offices here and each VPN user could be connecting (possibly) to different Network Resources. Theoretically, everything should be working so I think that there could be a config issue.

Boy, don't ya just love cleaning up someone else's mess.
lrmoore Commented:
Yes, I'm suggesting replacing the Linksys with a PIX. Depending on the routers that terminate the T1s, I might consolidate them into a single router. You simply cannot get away without a router terminating the T1s, and I don't like putting the firewall/router into one box. It will probably fix the VPN user issues also.
glpolite Author Commented:
I thank you very much for your insight; if I have any additional questions concerning this, you'll hear from me again.