Solved

Is it possible to set up 2 separate VPNs from site to site

Posted on 2007-04-11
Last Modified: 2010-04-09
what I want to do in order to do some low end voice prioritization is set up 2 separate VPN tunnels. The theory is that one would be for voice and one for data. because the firewalls don't understand how to prioritize voice this would allow me to at least give bandwidth priority to the voice VPN.

Is this possible...    The firewalls are sonicwall

thanks
Question by:Zoldy2000
17 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18890994
Even if it is possible, what is the advantage you gain? Still firewalls don't understand QoS right? Moreover, you'll be loading the firewall, wherein additional horsepower is required to maintain the second tunnel.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18891044
the value is if I have 2 separate VPN tunnels I can always guarantee a certain amount of bandwidth to the VOIP tunnel.

the numbers are not necessarily accurate but show what I am trying to accomplish.

Let's say I have established that no more than 4 concurrent calls will be made across the VPN
Let's say each call takes 50Kbps
Now let's say I can create a separate VPN for this VOIP traffic and guarantee that VPN 200 Kbps

In theory no matter how much data traffic I will always have available bandwidth for VOIP

Is that not true?
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 18894189
it depends on the type of sonicwall you have.  how many site to site VPNs does your sonicwall support?

also, you will need 2 static IP addresses at each location.  traffic for voice will go to 1 IP and data traffic would go to the other IP.

you would then configure 2 site to site VPNs... one going to each static IP.
0

 
LVL 32

Expert Comment

by:rsivanandan
ID: 18894944
Yeah, but then again does the Sonicwall understand bandwidth reservation?

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18897280
Thanks for the responses... that is exactly what my question was: can I set up 2 separate VPN's on the sonicwall firewall... yes it understands bandwidth reservation.

thanks
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 18899327
YES YOU CAN ... as long as your sonicwall supports it.  sonicwalls have different features.  for example, not all sonicwall TZ170's support multiple site to site VPNs.

at my locations, we have this flavor of the tz170:
http://accessories.us.dell.com/sna/productdetail.aspx?c=us&l=en&s=dhs&cs=19&sku=A0411093

if you look at the Capacity, it supports 10 site to site VPN tunnels.  so, if you had this sonicwall, you could set up multiple VPN tunnels.

i currently have 7 VPN tunnels at each of my remote locations.  they all point to different locations.  in order for you to have 2 VPN tunnels going to the same location, you would need 2 static IPs.  you can not share a VPN tunnel on 1 static IP because the traffic wouldn't know which tunnel to use.
0
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18899401
I understand and that answers my question... however I am not sure I am clear on why I need a second static IP.    

Can you elaborate on that?  I would have thought that I could create another internal interface in a different subnet and create the tunnel on this separate subnet using the same external interface..

hope that made sense
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 18899432
maybe this will help clarify:
my remote locations have VPN tunnels that point to each other

site 1 ------------  site 2
site 1 ------------  site 3
site 2 ------------  site 3
etc...
each site has a static IP.
in your case, you'd be using the same type of setup... logically, it is 2 different sites because it is 2 different IP addresses.  physically, it would be the same site.
site 1 IP 1 ----------- site 2 IP 1
site 1 IP 2 ----------- site 2 IP 2

you would then need to define the rules for what traffic takes which tunnel.
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 18899487
ok, i see what you are getting at.
yes...
if tunnel 1 goes to subnet 192.168.0.x
and tunnel 2 goes to subnet 192.168.1.x

in the VPN subnet, you are able to define the endpoint subnet, so the incoming traffic would know its destination.
the outbound traffic on the VPN also is defined by subnet, so that should work too

can't give you a definite answer on it because i haven't actually done it, but it sounds like that would work
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18900325
The reason why you need 2 static ip's is because you want to separate the traffic between these 2 vpn tunnels and do the bandwidth capping on the *vpn tunnels*

Because, the gateway or endpoint has to be different. In your case it is the same so by supplying 2 ip addresses, you're essentially telling Sonicwall that it is a different location.

But I still don't understand, if the sonicwall can do bandwidth allocation, can't you do that using the same vpn that you have now?

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18900353
the existing VPN is currently for both data and voice so allocated bandwidth does not serve my purpose... and as stated above I believe using a separate subnet should avoid needing a second static public ip...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18900374
If you use just a separate subnet, how would your sonicwall end the site-to-site vpn? It needs to talk to the remote end to setup and the talk doesn't happen through the private subnet, correct?

The process of setting up the vpn happens this way when configured.

1. First the tunnel is established.
2. then the traffic is passed based on the subnet parameter you give.

so if you just have one set of ip addresses, the first step would just setup only one vpn tunnel, the reason being both gateways use the same ip address.

Cheers,
Rajesh
0
 
LVL 44

Expert Comment

by:zephyr_hex (Megan)
ID: 18901373
upon thinking about this more, i take back my statement about being able to have 2 tunnels without 2 static ip's

when you define a VPN tunnel in a sonicwall, you tie a subnet to a WAN ip.  you must have 2 WAN ip's...one for each tunnel.  if you also want to divide things with different subnets, you can do that, too... but you must have one WAN ip per tunnel.

let's say you send a VPN packet from sonicwall 1 to sonicwall 2.  sonicwall 1 will put a header on the packet with the external IP of sonicwall 2.  sonicwall 2 receives that packet because it is addressed to its WAN ip.  it takes off the header that contains the WAN ip, and delivers the packet to the appropriate LAN ip.  a VPN packet is basically a packet with a LAN address inside a packet with a WAN address.

you can not have 2 VPN tunnels to the same WAN ip...it would only be 1 tunnel (the tunnel, in effect, is the header packet with the WAN ip).

if you do your division with 2 subnets instead of 2 VPNs... you will have 1 VPN tunnel.  your packets will still get delivered to the subnets... but they will travel through the same VPN tunnel.
0
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18901790
It's a very interesting topic and I will be awarding points for the information ... however I am not sure I completely agree... Perhaps it is a limitation of the sonicwall but I have done similar things with the firewalls that I am used to... Fortigate firewalls I am quite familiar with.

I understand what you are saying however it is only a virtual tunnel and therefore I can establish more than one to a single static IP (at least on the fortigate)    

although the Public IP's are the same the private IP's are different.   based on this the traffic is routed through the appropriate tunnel...

I will be doing some more testing and will award points after... thanks for the info...
0
 
LVL 44

Accepted Solution

by:
zephyr_hex (Megan) earned 375 total points
ID: 18902450
the sonicwall will do as you described
you described: "although the Public IP's are the same the private IP's are different.   based on this the traffic is routed through the appropriate tunnel..."
perhaps we are disagreeing on terminology...

the tunnel is the "wrapper" that is put on the packet with LAN addresses (not the LANIP part).
WANIP(LANIP)

i don't think you have 2 logical tunnels if the "wrapper" is the same...
WANIP1(subnet1LANIP)
WANIP1(subnet2LANIP)

the receiving-end-router strips off the "wrapper" (WANIP1) and delivers the packet to the appropriate LANIP/subnet...

your structure is not 2 VPNs... it is 1 VPN...
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 375 total points
ID: 18903457
Some firewalls allow you to do that, but there is a subtle difference in technology represented there. For example till now we were talking about route based vpns, now if you go for policy based vpns it is possible but that wouldn't serve your purpose with sonicwall I believe.

Cheers,
Rajesh
0
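
A simplified model of the two views argued in this thread, as an added example that is not part of any post: a tunnel identified only by the peer's WAN IP (the "wrapper" view) versus a tunnel identified by peer WAN IP plus protected subnet (the policy-based case). All names and addresses are constructed for illustration; this is not SonicWall or Fortigate code or behaviour.

```python
"""Toy model: what identifies a site-to-site tunnel? (constructed example)"""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class TunnelDef:
    name: str
    peer_wan: str       # outer header destination: the "wrapper"
    remote_subnet: str  # inner (LAN) destination network

# Constructed addresses: one public IP at the far site, two LAN subnets.
DEFS = [
    TunnelDef("data", "203.0.113.10", "192.168.0.0/24"),
    TunnelDef("voice", "203.0.113.10", "192.168.1.0/24"),
]

def key_by_peer(d):
    """View 1: a tunnel is identified by the peer WAN IP alone."""
    return (d.peer_wan,)

def key_by_selector(d):
    """View 2 (policy-based): peer WAN IP plus the protected subnet."""
    return (d.peer_wan, d.remote_subnet)

def build_tunnels(defs, key):
    """Group definitions by tunnel identity; same key means same tunnel."""
    tunnels = {}
    for d in defs:
        tunnels.setdefault(key(d), []).append(d.name)
    return tunnels

def tunnel_for(defs, key, inner_dst):
    """Return (tunnel identity, wrapper) for a packet sent to inner_dst."""
    addr = ipaddress.ip_address(inner_dst)
    for d in defs:
        if addr in ipaddress.ip_network(d.remote_subnet):
            return key(d), f"{d.peer_wan}({inner_dst})"  # WANIP(LANIP)
    raise LookupError(f"no tunnel protects {inner_dst}")

def shares_queue(defs, key, dst_a, dst_b):
    """True when both flows land in one tunnel, so a per-tunnel
    bandwidth guarantee cannot tell voice from data."""
    return tunnel_for(defs, key, dst_a)[0] == tunnel_for(defs, key, dst_b)[0]

if __name__ == "__main__":
    for key in (key_by_peer, key_by_selector):
        count = len(build_tunnels(DEFS, key))
        shared = shares_queue(DEFS, key, "192.168.0.20", "192.168.1.20")
        print(f"{key.__name__}: {count} tunnel(s), shared queue: {shared}")
```
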
 
LVL 2

Author Comment

by:Zoldy2000
ID: 18904797
perhaps this is the key...   I know I have done this with success on the fortigate firewalls
0


Question has a verified solution.
