Solved

Is it possible to set up 2 separate VPNs from site to site

Posted on 2007-04-11
Last Modified: 2010-04-09
what I want to do in order to do some low end voice prioritization is set up 2 separate VPN tunnels. The theory is that one would be for voice and one for data. because the firewalls don't understand how to prioritize voice this would allow me to at least give bandwidth priority to the voice VPN..

Is this possible...    The firewalls are sonicwall

thanks

Question by:Zoldy2000

17 Comments

Expert Comment

by:rsivanandan
Even if it is possible, what is the advantage you gain? Still, firewalls don't understand QoS, right? Moreover, you'll be loading the firewall, wherein additional horsepower is required to maintain the second tunnel.

Cheers,
Rajesh

Author Comment

by:Zoldy2000
the value is if I have 2 separate VPN tunnels I can always guarantee a certain amount of bandwidth to the VOIP tunnel.

the numbers are not necessarily accurate but show what I am trying to accomplish.

Let's say I have established that no more than 4 concurrent calls will be made across the VPN
Let's say each call takes 50Kbps
Now let's say I can create a separate VPN for this VOIP traffic and guarantee that VPN 200 Kbps

In theory no matter how much data traffic I will always have available bandwidth for VOIP

Is that not true?

Expert Comment

by:zephyr_hex
it depends on the type of sonicwall you have.  how many site to site VPNs does your sonicwall support?

also, you will need 2 static IP addresses at each location.  traffic for voice will go to 1 IP and data traffic would go to the other IP.

you would then configure 2 site to site VPNs... one going to each static IP.

Expert Comment

by:rsivanandan
Yeah, but then again does the Sonicwall understand bandwidth reservation?

Cheers,
Rajesh

Author Comment

by:Zoldy2000
Thanks for the responses.... that is exactly what my question was can I set up 2 separate VPNs on the sonicwall firewall... yes it understands bandwidth reservation.

thanks

Expert Comment

by:zephyr_hex
YES YOU CAN ... as long as your sonicwall supports it.  sonicwalls have different features.  for example, not all sonicwall TZ170's support multiple site to site VPNs.

at my locations, we have this flavor of the tz170:
http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=dhs&cs=19&sku=A0411093

if you look at the Capacity, it supports 10 site to site VPN tunnels.  so, if you had this sonicwall, you could set up multiple VPN tunnels.

i currently have 7 VPN tunnels at each of my remote locations.  they all point to different locations.  in order for you to have 2 VPN tunnels going to the same location, you would need 2 static IPs.  you can not share a VPN tunnel on 1 static IP because the traffic wouldn't know which tunnel to use.

Author Comment

by:Zoldy2000
I understand and that answers my question... however I am not sure I am clear on why I need a second static IP.    

Can you elaborate on that?  I would have thought that I could create another internal interface in a different subnet and create the tunnel on this separate subnet using the same external interface..

hope that made sense

Expert Comment

by:zephyr_hex
maybe this will help clarify:
my remote locations have VPN tunnels that point to each other

site 1 ------------  site 2
site 1 ------------  site 3
site 2 ------------  site 3
etc...
each site has a static IP.
in your case, you'd be using the same type of setup... logically, it is 2 different sites because it is 2 different IP addresses.  physically, it would be the same site.
site 1 IP 1 ----------- site 2 IP 1
site 1 IP 2 ----------- site 2 IP 2

you would then need to define the rules for what traffic takes which tunnel.

Expert Comment

by:zephyr_hex
ok, i see what you are getting at.
yes...
if tunnel 1 goes to subnet 192.168.0.x
and tunnel 2 goes to subnet 192.168.1.x

in the VPN subnet, you are able to define the endpoint subnet, so the incoming traffic would know its destination.
the outbound traffic on the VPN also is defined by subnet, so that should work too

can't give you a definite answer on it because i haven't actually done it, but it sounds like that would work

Expert Comment

by:rsivanandan
The reason why you need 2 static IPs is because you want to separate the traffic between these 2 vpn tunnels and do the bandwidth capping on the *vpn tunnels*

Because, the gateway or endpoint has to be different. In your case it is the same so by supplying 2 ip addresses, you're essentially telling Sonicwall that it is a different location.

But I still don't understand, if the sonicwall can do bandwidth allocation, can't you do that using the same vpn that you have now?

Cheers,
Rajesh

Author Comment

by:Zoldy2000
the existing VPN is currently for both data and voice so allocated bandwidth does not serve my purpose... and as stated above I believe using a separate subnet should avoid needing a second static public ip...

Expert Comment

by:rsivanandan
If you use just a separate subnet, how would your sonicwall end the site-to-site vpn? It needs to talk to the remote end to set up, and the talk doesn't happen through the private subnet, correct?

The process of setting up the vpn happens this way when configured.

1. First the tunnel is established.
2. then the traffic is passed based on the subnet parameter you give.

so if you just have one set of ip addresses, the first step would just setup only one vpn tunnel, the reason being both gateways use the same ip address.

Cheers,
Rajesh

Expert Comment

by:zephyr_hex
upon thinking about this more, i take back my statement about being able to have 2 tunnels without 2 static ip's

when you define a VPN tunnel in a sonicwall, you tie a subnet to a WAN ip.  you must have 2 WAN ip's...one for each tunnel.  if you also want to divide things with different subnets, you can do that, too... but you must have one WAN ip per tunnel.

let's say you send a VPN packet from sonicwall 1 to sonicwall 2.  sonicwall 1 will put a header on the packet with the external IP of sonicwall 2.  sonicwall 2 receives that packet because it is addressed to its WAN ip.  it takes off the header that contains the WAN ip, and delivers the packet to the appropriate LAN ip.  a VPN packet is basically a packet with a LAN address inside a packet with a WAN address.

you can not have 2 VPN tunnels to the same WAN ip...it would only be 1 tunnel (the tunnel, in effect, is the header packet with the WAN ip).

if you do your division with 2 subnets instead of 2 VPNs... you will have 1 VPN tunnel.  your packets will still get delivered to the subnets... but they will travel through the same VPN tunnel.

Author Comment

by:Zoldy2000
It's a very interesting topic and I will be awarding points for the information ... however I am not sure I completely agree... Perhaps it is a limitation of the sonicwall but I have done similar things with the firewalls that I am used to... Fortigate firewalls I am quite familiar with.

I understand what you are saying however it is only a virtual tunnel and therefore I can establish more than one to a single static IP (at least on the fortigate)    

although the Public IP's are the same the private IP's are different.   based on this the traffic is routed through the appropriate tunnel...

I will be doing some more testing and will award points after... thanks for the info...

Accepted Solution

by:zephyr_hex
zephyr_hex earned 125 total points
the sonicwall will do as you described
you described: "although the Public IP's are the same the private IP's are different.   based on this the traffic is routed through the appropriate tunnel..."
perhaps we are disagreeing on terminology...

the tunnel is the "wrapper" that is put on the packet with LAN addresses (not the LANIP part).
WANIP(LANIP)

i don't think you have 2 logical tunnels if the "wrapper" is the same...
WANIP1(subnet1LANIP)
WANIP1(subnet2LANIP)

the receiving-end-router strips off the "wrapper" (WANIP1) and delivers the packet to the appropriate LANIP/subnet...

your structure is not 2 VPNs... it is 1 VPN...
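
The WANIP(LANIP) wrapper described in this answer, as an added example that is not part of the thread and is not SonicWall code. It models plain IP-in-IP encapsulation only (no encryption or tunnel negotiation) and uses constructed addresses, to show that two LAN subnets sent between one pair of WAN IPs share a single outer header, while two WAN IP pairs produce two.

```python
import ipaddress
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options) around payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    head = head[:10] + struct.pack("!H", checksum(head)) + head[12:]
    return head + payload

def addresses(packet: bytes) -> tuple:
    """Return (source, destination) read from an IPv4 header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def encapsulate(inner: bytes, wan_src: str, wan_dst: str) -> bytes:
    """Sending side: wrap a LAN packet as WANIP(LANIP). Protocol 4 = IP-in-IP."""
    return ipv4_packet(wan_src, wan_dst, 4, inner)

def decapsulate(outer: bytes) -> bytes:
    """Receiving side: strip the WAN wrapper and return the LAN packet."""
    return outer[(outer[0] & 0x0F) * 4:]

def wrappers(flows) -> set:
    """Distinct outer (WAN src, WAN dst) pairs seen on the wire for the flows."""
    seen = set()
    for lan_src, lan_dst, wan_src, wan_dst in flows:
        inner = ipv4_packet(lan_src, lan_dst, 17, b"payload")
        outer = encapsulate(inner, wan_src, wan_dst)
        assert addresses(decapsulate(outer)) == (lan_src, lan_dst)
        seen.add(addresses(outer))
    return seen

# Constructed sample flows: (LAN src, LAN dst, WAN src, WAN dst).
ONE_WAN_IP = [("10.0.0.5", "192.168.0.10", "203.0.113.1", "198.51.100.1"),
              ("10.0.1.5", "192.168.1.10", "203.0.113.1", "198.51.100.1")]
TWO_WAN_IPS = [("10.0.0.5", "192.168.0.10", "203.0.113.1", "198.51.100.1"),
               ("10.0.1.5", "192.168.1.10", "203.0.113.2", "198.51.100.2")]

print(len(wrappers(ONE_WAN_IP)), len(wrappers(TWO_WAN_IPS)))
```
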

Assisted Solution

by:rsivanandan
rsivanandan earned 125 total points
Some firewalls allow you to do that, but there is a subtle difference in technology represented there. For example till now we were talking about route based vpns, now if you go for policy based vpns it is possible but that wouldn't serve your purpose with sonicwall I believe.

Cheers,
Rajesh

Author Comment

by:Zoldy2000
perhaps this is the key...   I know I have done this with success on the fortigate firewalls