glpolite
asked on
VPN/Redundancy Problem
Hello all,
Need your input on something. On a friend's network he has 2 dedicated T1s going to 2 separate routers which connect (currently) to a Cisco 3500 Switch then, to a 16 port Linksys VPN Router, (there's also 2 other switches). However, after having someone else install it, the VPN router is just assigning DHCP addresses which the other routers could do and actually keeping him from using multiple VPNs (which shouldn't happen with a VPN router, right?). Finally, the non-VPN users seem to be able to get to the internet fine, but when that connection is unplugged, it doesn't switch over to the other router to find a way to the web. I personally think that the Linksys is the wrong device for the job, and also for just 60-100 PCs he has too much equipment. What do you think? If you need more clarification let me know.
Whoa, that is pretty confusing. First, there is nothing wrong with a VPN router doing DHCP, as long as it is the ONLY router on the network doing that. If another is, stop it, and give it a fixed IP.
Second, if the VPN router is not the FIRST thing coming in from the T1 line, how is it going to properly authenticate the VPN clients "dialing" in? It has to be "in front" of the switch, no?
<<multiple VPN's (which shouldn't happen with a VPN router, right?).>>
Totally depends on the model. Some Linksys VPN endpoint routers can only handle 1 connection, others like the BEFSVP41 can handle two, more recent ones can handle 4-8. Likewise for the next question --
60-100 PCs are WAY too much for a lot of Linksys routers. Some of the later ones, identical to Cisco (both made by Cisco now) can handle this, but yes in the range of 100 PCs, you are pushing most low end routers.
ASKER
IrMoore, Are you suggesting to add the Pix or replace the Linksys with the Pix? The Linksys has a SPI firewall built-in already. This guy I believe has waaay too much equipment for his needs. 60 PCs, 2 T1s, 3 routers, 3 switches and a big wallet. I think that simplifying this setup is in order.
On the VPN side, could there be something prohibiting the users from dialing in to their network? There are multiple offices here and each VPN user could be connecting (possibly) to different Network Resources. Theoretically, everything should be working so I think that there could be a config issue.
Boy, don't ya just love cleaning up someone else's mess.
ASKER
I thank you very much for your insight, if I have any additional questions concerning this you'll hear from me again.
Yes, with this router you should be able to use multiple VPNs --UNLESS-- they all go to the same endpoint. This product supports multiple VPN tunnels at one time, but each one must go to a different remote site.
A firewall is certainly a necessity. I would suggest a Cisco PIX 515e. It supports multiple VPN tunnels even if they go to the same endpoint, and if you set up the routers with HSRP (assuming they are Cisco), you get instant failover. Enable OSPF between the two routers and the PIX, and you can have load-sharing as well as failover.
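To make the HSRP-plus-OSPF suggestion above concrete, here is an added example of what the two T1 routers would look like, written for this thread and not taken from the reply or from any Cisco documentation. It assumes both routers are Cisco IOS devices with the T1 on Serial0/0 and the LAN on FastEthernet0/0; the interface names, the 192.168.10.0/24 inside network, the 192.0.2.x and 198.51.100.x ISP links, the HSRP group number and the placeholder key are all assumptions, not values from the thread. The asker's symptom (unplugging one link does not move traffic to the other router) is what the `standby track` lines address: when a router's T1 goes down its HSRP priority drops below the other router's, so the shared gateway address moves, and its default route disappears from OSPF so the PIX stops sending traffic that way.

```cisco
! ===== Router A (preferred default gateway while its T1 is up) =====
hostname RouterA
!
interface Serial0/0
 description T1 to ISP-A (assumed link addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/0
 description inside LAN toward the 3500 switch and the PIX
 ip address 192.168.10.2 255.255.255.0
 ! shared virtual gateway address the LAN / PIX points at
 standby 1 ip 192.168.10.1
 ! 110 beats Router B's 100, so A is active in normal operation
 standby 1 priority 110
 ! take the active role back once our T1 returns
 standby 1 preempt
 ! if the T1 drops, subtract 20: 90 < 100, so Router B takes over
 standby 1 track Serial0/0 20
 ! authenticate hello packets so a rogue host cannot claim the gateway
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
!
router ospf 1
 ! OSPF runs only on the inside segment, shared with Router B and the PIX
 network 192.168.10.0 0.0.0.255 area 0
 ! advertise our default route only while the static below is valid,
 ! i.e. while Serial0/0 is up; no "always", so it is withdrawn on failure
 default-information originate
!
! static default tied to the interface: removed automatically when it goes down
ip route 0.0.0.0 0.0.0.0 Serial0/0

! ===== Router B (standby; mirror image with lower priority) =====
hostname RouterB
!
interface Serial0/0
 description T1 to ISP-B (assumed link addressing)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description inside LAN toward the 3500 switch and the PIX
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 standby 1 preempt
 ! same decrement, so if B's T1 fails while A's is also down, A still wins
 standby 1 track Serial0/0 20
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
!
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 default-information originate
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
```

With both routers originating a default into area 0, an OSPF-speaking firewall on the same segment sees two equal-cost defaults and can share outbound load across them; when one T1 fails, that router stops originating its default and only the surviving path remains. The PIX side of the OSPF configuration is not shown here and is assumed to exist. The `show standby brief` command on either router is the quick check that the active/standby roles and the tracked priority are what you expect, and that the LAN clients' default gateway is the virtual 192.168.10.1 rather than one router's physical address.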