VPN question

Posted on 2005-04-28
Last Modified: 2010-04-10
Hello all

I intend to deploy a multiple-branch VPN, and from what I have read so far a hardware-based VPN is the best solution. My questions are these:

1. Is there central security for these hardware servers, or do they just create an invisible LAN where everyone behind the VPN can automatically access the other VPN sites?

2. I am yet to see a configuration guide for the equipment I am interested in, which are the Cisco 1700 series router and Netgear VPN routers. I would be grateful if someone could help me with this guide.
Question by:cobuba

Accepted Solution

christsis earned 2000 total points
ID: 13887750
1: There are both options. The first is hub and spoke, where you have a central site that everything routes through for the VPN, or you can do a full mesh where every site has a VPN tunnel available directly to every other site.

2: As far as hardware, if you're going with the 1700 you'll want the VPN add-on card. You may also be better off sticking with a PIX; depending on the number of remote sites the 501 may work, otherwise the 506 should be sufficient.

Here's a Cisco white paper discussing the site-to-site VPN deployment options that will go into a lot more detail for you:

PIX full mesh config info:

PIX hub and spoke config info:

That should be more than enough info to keep you reading for a while :)


Expert Comment

ID: 13888633
It's funny you went to either Cisco or Netgear. Linksys is a division of Cisco, and has great product lines for creating IPsec VPN tunnels. I use the RV042 series at many sites. They run for about 170 dollars, allow you to create 30 tunnels, and they also allow mobile users to connect to them just using the QuickVPN client software that it comes with. Super easy, and totally secure.

Below are my notes for what I use to set them up...

Upgrade routers first, not after
Once in the router "Setup" page, click onto the VPN tab.

First, select the tunnel you want to configure (Tunnel 1 or Tunnel 2) from the "Select Tunnel Entry" drop down box.  The screen will change according to your selection.

Select the option to Enable in the "This Tunnel" field to enable the tunnel.

Enter a unique name into the "Tunnel Name" field to name the tunnel.
Local Secure Group: the computers on the local network that can access the tunnel.
Choose subnet, and enter the local subnet of the address (ie
Remote Secure Group: the computers on the remote network or on the other end of the tunnel that can access the tunnel.
Choose subnet with remote network address here (i.e.
Remote Security Gateway: the WAN/Internet IP address of the remote or other BEFSX41.

Encryption: DES
Authentication: MD5
Key Management: IKE-Auto
PFS: on

Good luck on your decision. I usually get flak for suggesting Linksys, but it's all in the IPsec and IP, and they all use the same standards, and all my tunnels webbing across the US have been great.

Note though, if you plan to use the QuickVPN client, you need to upgrade the firmware to 1.3.6
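As an added example (not part of this thread and not any vendor's tool), a small Python planner that applies christsis's hub-and-spoke versus full-mesh choice to the per-router tunnel fields listed in the Linksys notes above, and checks two things that break such deployments: overlapping Local/Remote Secure Group subnets and exceeding the quoted 30-tunnel limit. Site names, WAN addresses and LAN subnets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
MAX_TUNNELS = 30  # per-router tunnel limit quoted for the RV042 in the comment above


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str  # becomes the peer's "Remote Security Gateway"
    lan: str     # this site's "Local Secure Group" subnet


def tunnel_pairs(sites, topology, hub=None):
    """Unordered site pairs that need a tunnel for the chosen topology."""
    if topology == "mesh":                      # every site to every other site
        return list(combinations(sites, 2))
    if topology == "hub":                       # everything routes through the hub
        hub = hub or sites[0]
        return [(hub, s) for s in sites if s != hub]
    raise ValueError(f"unknown topology {topology!r}")


def tunnel_entries(sites, topology, hub=None):
    """Per-router tunnel entries, keyed by the field names used in the Linksys notes."""
    entries = {s.name: [] for s in sites}
    for a, b in tunnel_pairs(sites, topology, hub):
        for local, remote in ((a, b), (b, a)):  # a tunnel is configured on both ends
            entries[local.name].append({
                "Tunnel Name": f"{local.name}-{remote.name}",
                "Local Secure Group": local.lan,
                "Remote Secure Group": remote.lan,
                "Remote Security Gateway": remote.wan_ip,
            })
    return entries


def check_plan(sites, entries, max_tunnels=MAX_TUNNELS):
    """Problems that would break the plan: overlapping LANs, too many tunnels per box."""
    problems = []
    for a, b in combinations(sites, 2):
        if ip_network(a.lan).overlaps(ip_network(b.lan)):
            problems.append(f"{a.name} and {b.name} use overlapping LAN subnets")
    for name, tunnels in entries.items():
        if len(tunnels) > max_tunnels:
            problems.append(f"{name} needs {len(tunnels)} tunnels, limit is {max_tunnels}")
    return problems

SITES = [  # constructed sample: RFC 5737 documentation WAN addresses, RFC 1918 LANs
    Site("HQ", "203.0.113.1", "192.168.0.0/24"),
    Site("Branch1", "203.0.113.2", "192.168.1.0/24"),
    Site("Branch2", "203.0.113.3", "192.168.2.0/24"),
    Site("Branch3", "203.0.113.4", "192.168.3.0/24"),
]
```

Calling `tunnel_entries(SITES, "hub")` gives HQ three entries and each branch one; `"mesh"` gives every site three, which is how the tunnel count per box grows with the number of sites.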

Expert Comment

ID: 13889550
Well, if you deploy VPNs using Sonicwall, for example, you can certainly set them up so that VPN traffic *still* has to pass the firewall Access Rules.

Sonicwalls would sit happily behind Cisco 17xx or most any DSL router (just make sure the DSL router isn't blocking the VPN traffic, esp. by trying to do it itself).

Best layout depends on the nature of the offices and the traffic. Hub and spoke is common, but that assumes you have a "head office" and branch offices. But the system is flexible - examine where your traffic needs to go, who has the heaviest bandwidth needs, etc...
