
IPsec tunnel between two small offices, best low-cost equipment

I am setting up a connection between two small offices and think that an IPSEC tunnel is the best option to allow users to share desktops and files.
Can someone recommend an IPSEC router that a small business w/6 users (3 at each location) could afford?

-> Reliable and easy to troubleshoot and configure?
-> Does the equipment need to be connected directly to the internet?
     (some small incubator offices provide internet service, and a direct connection may not be an option)

Thank you.
Asked by: sidwelle
4 Solutions
 
John Hurst (Business Consultant, Owner) commented:
I use a Cisco RV320/325 router to do this and have site to site IPsec tunnels to several of my clients. Works fine.

sidwelle (Author) commented:
How much maintenance is required?
Expensive? I see prices on Amazon from $200 - $300 (correct?)
What type of connection do I need from our ISP? Coax? Ethernet?

Thanks

John Hurst (Business Consultant, Owner) commented:
I think I paid about $300 CDN for the router from my supplier.

It permits 50 Tunnels. There is no maintenance but only hardware support. You need to build your own tunnels.

Connection is Ethernet so you put it in front of your cable or DSL modem.

Qlemo (C++ Developer) commented:
IPsec tunnels are much easier to maintain and more reliable if they are NOT behind an internet gateway performing NAT for private IPs, so it is better to have the same device performing internet services and IPsec.
If you use the same or similar devices on all ends, maintenance is usually low, and you have a broad range of devices you can choose from. In general the cheaper, the less flexibility - e.g. many low-budget devices require being the internet gateway, because you cannot switch the WAN port to be bridged (LAN) instead.

We cannot recommend something reasonable and cheap, as only you can know (but might not in full) what is required and would work for you. However, the recommended Cisco RVs are a good start - being from the Linksys branch, they are laid out to be easy to configure, but not really that flexible. (As opposed to the real Cisco devices, which are complex but flexible.)

John Hurst (Business Consultant, Owner) commented:
That is a good point. I bridge my modem so that the VPN router is directly seeing the external IP address. NAT is done within the router, not the modem. Even though I have 2 boxes, the bridging keeps it simple and reliable.
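A quick check for the point Qlemo and John make above (the VPN router should hold the public address itself, with the ISP modem bridged, rather than sit behind another NAT). This is an added Python example, not code from the thread or from any vendor; the address blocks are the standard RFC 1918 / RFC 6598 / link-local ranges, and the sample addresses are constructed documentation addresses.

```python
import ipaddress

# Address blocks that can never be a public IPv4 address. A router whose WAN
# port holds one of these is behind another NAT device (ISP modem/gateway or
# carrier-grade NAT), which is exactly the setup the thread says to avoid.
NON_PUBLIC_V4 = {
    "RFC 1918 private (another NAT device in front)":
        ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT (ISP shares one public address)":
        ["100.64.0.0/10"],
    "link-local (WAN port got no lease at all)":
        ["169.254.0.0/16"],
}


def classify_wan_address(addr: str) -> str:
    """Return 'public' or the label of the non-public block the address is in."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    for label, blocks in NON_PUBLIC_V4.items():
        if any(ip in ipaddress.ip_network(b) for b in blocks):
            return label
    return "public"


def tunnel_readiness(wan_addr: str, addr_seen_by_peer: str) -> dict:
    """Compare the address the router shows on its WAN port with the source
    address the far end actually sees (e.g. in the peer's IPsec log).
    A mismatch means a NAT is in the path even if the WAN address looks public."""
    kind = classify_wan_address(wan_addr)
    nat_in_path = kind != "public" or wan_addr != addr_seen_by_peer
    if kind.startswith("RFC 1918"):
        action = "bridge the ISP modem so the VPN router holds the public address"
    elif kind.startswith("RFC 6598"):
        action = ("CGNAT: inbound IKE cannot reach this end; ask the ISP for a "
                  "public/static address or make this end the tunnel initiator")
    elif kind.startswith("link-local"):
        action = "WAN port has no address; fix the ISP link before touching IPsec"
    elif nat_in_path:
        action = "unexpected NAT between router and internet; find it and bridge it"
    else:
        action = "router is directly on the internet; plain IPsec should work"
    return {"wan_kind": kind, "nat_in_path": nat_in_path,
            "needs_nat_traversal": nat_in_path, "action": action}


if __name__ == "__main__":
    # Constructed sample: WAN port shows 192.168.1.2, the peer sees 203.0.113.9
    print(tunnel_readiness("192.168.1.2", "203.0.113.9"))
```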

bbao (IT Consultant) commented:
I would recommend:

TP-Link TD-W8950N 150Mbps ADSL 2/2+ Modem Router Broadband

It is just $40 on eBay. For this price, it even includes a free SanDisk Ultra 16GB MicroSD card.

http://www.ebay.com.au/itm/281608075731

Its IPSec VPN feature looks like a secret of the product; I didn't realise its cool features before buying it online from eBay. The spec on its official product page also never mentioned it, until I found its IPSec option in its advanced settings. FYI I bought it to replace my broken ADSL modem, never expected anything more than that, but it came with IPSec VPN, IP Tunnel (6in4 and 4in6), QoS, Bandwidth Control, Interface Grouping and even IPTV and Guest Wireless!

(screenshot: Screen-Shot-2016-09-12-at-09.39.11.png)

Official Product Page:
http://www.tp-link.com/no/products/details/cat-15_TD-W8950N.html

Per its user manual, see below, it "supports up to 10 VPN tunnels simultaneously", which is amazing for such a cheap router. Per my experience, its VPN speed and stability are not bad.

(screenshot: Screen-Shot-2016-09-12-at-09.26.28.png)
As the router doesn't support SSL for remote management via web, its IPSec feature fills the gap, allowing me to remotely manage it across the internet.

The router supports ADSL2+ (modem included) and Ethernet for WAN, provides 3+1 LAN ports (+1 if using ADSL2+) and 150 Mbps 802.11b/g/n wireless.

Something bad? Yes, its web console looks a bit ugly, and its web UI restarts the router for most setting changes (really not necessary).

sidwelle (Author) commented:
Can you recommend a device (Cisco or other) that allows IPSEC tunnels and a software VPN version that allows staff not in one of the offices to install a software VPN client and access the network while on the road?

John Hurst (Business Consultant, Owner) commented:
I use the Cisco RV device mentioned, and I use NCP Secure Entry (www.ncp-e.com) to log into it and other client machines.  All works great.

sidwelle (Author) commented:
So you pay like $150/install? How is this managed? Is this better than the client that Cisco offers?
Could this in any way void the Cisco warranty?

Thanks

John Hurst (Business Consultant, Owner) commented:
Cisco client software is not very robust. I use NCP because it is very nearly bomb proof. My clients all use it because it never fails them and that is very important.

sidwelle (Author) commented:
I guess I am kind of new at internet networking. I create a lot of apps that network, but I rely on our network team at work to provide the internet connection.

What type of connection can I expect a standard ISP to provide? And will this Cisco RV320/325 have that connection or do I have to have another modem/device between the RV32x and the ISP?
At our home office we have a coax connection and we purchased our own DOCSIS 3 modem and just provided the ISP w/MAC address.

Thanks

John Hurst (Business Consultant, Owner) commented:
You need to connect the Cisco RV320/325 to the Modem supplied by the ISP. Put the modem in Bridge mode.

sidwelle (Author) commented:
Do I need to specify static IPs from my ISPs at each end?

Qlemo (C++ Developer) commented:
At least one end should have a static IP in the "classic view". Some devices allow for dynamic IPs on both sides, e.g. by supplying a (Dyn)DNS name instead.

John Hurst (Business Consultant, Owner) commented:
Do I need to specify static IPs from my ISPs at each end?

As Qlemo notes, at least one end needs to be static.

Where I am, my dynamic IP does not change for years on end, so I just treat it as static.

sidwelle (Author) commented:
Thinking about it, I would ask for static IPs at both ends. This way if one of the ISPs or routers fails on one end, users can always dial into the other system. Or systems on both ends can be reached w/o having to traverse a 2nd VPN. (Latency?)

From looking at the SOHO routers on Cisco's site, the "Cisco RV130W Wireless-N Multifunction VPN Router" looks like a better option. Probably because it supports wireless. Or
"Cisco RV215W". Not really sure what the numbers indicate.

Looks like it has all the features, except for a guest network?

John Hurst (Business Consultant, Owner) commented:
Cisco RV130 and 215 are Wireless VPN routers and will work.

sidwelle (Author) commented:
Can I use the NCP Secure Entry (www.ncp-e.com) software w/these models?

John Hurst (Business Consultant, Owner) commented:
You should be able to. I use NCP to log into my RV325 and that works. VPN for the RV130 and 215 is very similar.

sidwelle (Author) commented:
Is there a license fee to enable the IPSEC or VPN features on the routers or the software?
I noticed that earlier you mentioned hardware support?

sidwelle (Author) commented:
Do you have to pay for each install of the NCP software?
Does it phone home or require a license key?

John Hurst (Business Consultant, Owner) commented:
You can get a discount on volume licenses. You go to their web site. I would get a trial first to see if it does what you want. There are a few picky points.

Once you know, you purchase a license and they email you the receipt and a key.

Yes, like most other software it calls home to verify the license.

sidwelle (Author) commented:
Last question, I promise.

How does that compare to the client software provided by Cisco?
Does Cisco charge per seat? Or connection?

I am setting up this network for an accountant, and the simpler the better. I did see some other VPN products out there, but I need something that is "set and forget", never having to go back and maintain.

John Hurst (Business Consultant, Owner) commented:
I do not know how much Cisco charges.

With respect to comparing software, NCP is the only client app I know that works in Vista, Windows 7, Windows 8/8.1 and Windows 10.

Cisco Anywhere Connect, Juniper Netscreen App, SafeNet Soft Remote, Shrew Soft all do not graduate to the next step up either at all or for many months. I have used all the above, as have clients at one time or another, and we gave all that up for NCP.

NCP is CHEAP when you find out it just plain works. My clients growl quietly at the cost (it is pricey) but they will not return to lesser software.

Set and Forget: That is more or less how I use NCP. It is just there. It does have to be upgraded from time to time but the current version is 6 months old and is good in Windows 10 Build 1607 Version 14393.105 and below

sidwelle (Author) commented:
How much did you have to pay for Cisco support?

So the charges that I would incur:
2 routers: < $300 each
Remote client software: ~$150 / seat.

Anything I am missing? Is there a charge or key to enable the IPSEC tunnels or client VPN tunnels on the devices?

John Hurst (Business Consultant, Owner) commented:
I do not have Cisco support. There is no charge for site-to-site tunnels on a Cisco RVxx router.

If you have set up VPN tunnels before, the Cisco RVxx GUI setup is fairly straightforward.

NCP works very well and they provide good support with the license. But do get a trial, set up and verify it meets your needs. It very much meets my needs.

sidwelle (Author) commented:
Just went to the Cisco site and it's pretty cryptic and you need to contact a partner and some other crap.

The NCP site seems pretty straightforward, $144/install, but the volume discounts don't kick in until you purchase 10+.

I am going with a phased approach: 1.) Install the two routers and then 2.) try to setup the software client.

Question: Do you ever have clients install the software VPN clients and establish a connection to make that machine available to the other users behind the router at the office locations?

I have seen it done once, but that was several years ago with a 3rd party VPN solution, don't think they are even in business anymore.
Even forgot the name !

John Hurst (Business Consultant, Owner) commented:
For the latter question I use site to site, not client software.

sidwelle (Author) commented:
John, Qlemo, and Bing,  You have been a big help.  Now I know enough to move forward.

If I have any more questions/issues  I will create a new question and post the number here.

Thank You.

John Hurst (Business Consultant, Owner) commented:
Thank you and I was happy to help you with this.

sidwelle (Author) commented:
From looking at all the small business products on the Cisco site, the "RV130W Wireless-N Multifunction VPN Router" looks like it has the best specs. Specs state that it supports up to 10 IPsec tunnels?

Compared to the next best product RV215W, its specs state that it only supports 1 IPsec tunnel?
Wondered why, with a better number?

Chatting with support, the agent stated that the RV215W was an outdated product.

bbao (IT Consultant) commented:
To be honest, I am curious about why you don't prefer a solution using two TP-LINK devices?

Per my understanding it is just something that the title "IPSEC tunnel between TWO SMALL offices, BEST LOWCOST equipment" suggested.

BTW, a $40 TD-W8950N can support up to 10 IPSec tunnels, hence it means each of your offices can connect to 10 sites.

John Hurst (Business Consultant, Owner) commented:
Double check the RV215 specifications. My RV220W (now outdated) supports 25 tunnels and my RV325 (current) supports 50.

Yes, I guessed the RV215 might be out of date although it is a good router.

sidwelle (Author) commented:
Does the TP-LINK support software VPN clients?
I would consider it if it did.

sidwelle (Author) commented:
From talking with the Cisco agent, who consequently called me this evening: she stated that the RV130W is the most up-to-date small business router they are marketing right now.

bbao (IT Consultant) commented:
The recommended TP-LINK device does NOT support VPN clients, as it is for site-to-site IPSec tunnels as the question title suggested.

However it does support VPN Pass Through on L2TP/PPTP/IPSec, which means a VPN server can sit behind the router.

Think about the price, $40 for 10 IPSec tunnels. If you could afford Cisco things, it shouldn't be a problem for you to add a dedicated VPN server if required.

sidwelle (Author) commented:
This is for an accountant, and I need "Set and forget" setup !

They are not going to know the difference between the two or have a dedicated VPN server behind the scenes.  The  solution of a RV130W (one device) at each site also provides some redundancy.

My 2nd problem is that I don't know what type of connectivity will be provided at either end. The offices are over 100 miles apart with different ISP/Telco companies with no possibility of making them the same. I know as soon as they approach the ISP sales and ask for static IPs, they are going to be offered a solution from the ISP that they don't understand.

If this was for me personally, I would totally go that route.

Thanks

John Hurst (Business Consultant, Owner) commented:
Site to Site is absolutely transparent. Set it up and it works. My tunnels are very low maintenance.

External access via NCP requires setup and testing, but once that has been done it is very reliable.

sidwelle (Author) commented:
That's what I need! Just it's hard to find detailed specs on the RV130W, like:
Remote Access: does it support it and how many concurrent connections?

John Hurst (Business Consultant, Owner) commented:
Go to the Cisco Support site, Downloads and get the Setup PDF for the Cisco RV130. That will give you information on tunnels and setting them up.

sidwelle (Author) commented:
The data sheet for the RV130W states that the system will accept 10 remote IPsec tunnels from the "TheGreenBow and ShrewSoft VPN client". I assume that NCP is compatible as well?

Reading the Setup PDF was good advice, found the file here: http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv130w/admin_guide/en/rv130w_admin_en.pdf

John Hurst (Business Consultant, Owner) commented:
NCP is compatible with that (but only one tunnel per user at one time). So 3 different users can have 3 different tunnels into the one box.

sidwelle (Author) commented:
Can that one user be connected to multiple VPNs at one time?

I have a problem where the current Cisco client that is configured does not allow me to use my local LAN when I have an active connection to our corporate network. This prevents file transfers to other machines on my LAN at home and printing to my IP network printer. When I do forget and try to print, the job just queues in the print queue and will finally print when the VPN is disabled, or sometimes not until the PC is reset. (Boot your PC, and as soon as the O.S. starts back up you sometimes get these print jobs that have been stuck in the print queue for over a month! Forgot why I even printed it!)

Does your NCP client suffer from issues like this?
Can you enable/disable the local network?

John Hurst (Business Consultant, Owner) commented:
Can that one user be connected to multiple VPNs at one time?

No, not with NCP. That is a basic security limitation. Disconnect one and connect the other.

Qlemo (C++ Developer) commented:
You'll have that issue of only-one-connect-per-client with all IPsec VPN clients I know of. With a client like NCP you'll have to use virtual machines to get around the limitation.

Going a different way, free OpenVPN (which uses SSL) can be set up on a client to be able to connect to more than one remote location at the same time. MS Routing and Remote Access (on a MS Server OS) is able to establish more than one IKEv2 IPsec tunnel at the same time.

Site to site tunnels can be and usually are used simultaneously.

sidwelle (Author) commented:
What about printing and access to the local LAN?
Right now we can see the checkbox to allow access to the local LAN, but it's grayed out!

John Hurst (Business Consultant, Owner) commented:
Printing across a LAN works vastly better with site-to-site. I have done this.

You can log into a machine with NCP and then print from that machine. I have done that.

sidwelle (Author) commented:
Sorry, not what I am asking.

I am sitting at home logged into our corporate VPN, bring up a document on the local PC and try to print to a printer on the local LAN, only to find the O.S. tells me that the printer is unavailable.
Can't ping or telnet to it?

The security of the VPN client disables all of the other networks (effectively; how, I don't know).
Nothing prints or accesses any systems on the LAN until the VPN is disconnected.
(screenshot: AnyConnect01.PNG)

John Hurst (Business Consultant, Owner) commented:
I have only done what you have asked with a site-to-site VPN, not gateway to site VPN (NCP).

Qlemo (C++ Developer) commented:
Cisco AnyConnect SMC is a SSL VPN client. The setting to allow local LAN access only works if the VPN device on the other site is configured to allow that, at least on Cisco ASAs. I don't know whether you can set something up on RVs accordingly.

sidwelle (Author) commented:
Pretty sure you are right on the Cisco thing.

Anyone ever use the GreenBow VPN client as opposed to the NCP client?
The reason that I ask is that I know the people that I am installing this for will check the numbers and anywhere they can trim they will come back and question me.
Need to have that answer ahead of time!

Thanks

Qlemo (C++ Developer) commented:
GreenBow VPN was famous some time ago, and I guess the client is still popular. I didn't check it myself. John can tell a lot about the support of NCP, and everything I heard until now goes the same way (with nothing but cheers). Difficult to make a $ figure out of that, though ;-).
If you look at Shrew, it costs nothing (or not much if you want the full client), but hasn't received updates, and has no support but by the free forum. It is also not straight-forward to configure properly. If it runs, you win, if not, you pay a lot more (effort). For your scenario I cannot recommend that.
Of course it always counts if you can provide support for configuration and arising issues.

John Hurst (Business Consultant, Owner) commented:
I have not used GreenBow.
NCP Support is excellent - We use their support for our Clients.
ShrewSoft was too troublesome to implement. Any cost saved was eaten up by paid technical support. ShrewSoft is NOT set and forget.

sidwelle (Author) commented:
One more question:

What about WINS or DNS support between networks: If you are trying to access a machine on the other LAN, do you need to know the specific IP address or can you just call the PC by its name?
Do I have to go back and re-read the rules on how to set up a list-master on each side?
Will the router or router(s) take care of this?

Thanks

John Hurst (Business Consultant, Owner) commented:
The routers will normally not do this. Set up DNS on both sides for the machines or use HOSTS files.

sidwelle (Author) commented:
My experience with hosts files is they are painful and/or problematic.
I would like a solution that learns.

We used to set up Linux machines and load Samba and config it as the list or browse master.