Solved

ipsec tunnel between two small offices, best lowcost equipment

Posted on 2016-09-11
106 Views
Last Modified: 2016-09-16
I am setting up a connection between two small offices and think that an IPSEC tunnel is the best option to allow users to share desktops and files.
Can someone recommend an IPSEC router that a small business w/6 users (3 at each location) could afford ?

-> Reliable and easy to troubleshoot and configure ?
-> Does the equipment need to be connected directly to the internet ?
     (some small incubator offices provide internet service, and a direct connection may not be an option)

Thank you.
Question by:sidwelle
56 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 300 total points
ID: 41793521
I use a Cisco RV320/325 router to do this and have site to site IPsec tunnels to several of my clients. Works fine.
0
 

Author Comment

by:sidwelle
ID: 41793536
How much maintenance is required ?
Expensive ?   I see prices on Amazon from $200 - $300  (Correct ?)
What type of connection do I need from our ISP ?  Coax ?  Ethernet ?

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41793548
I think I paid about $300 CDN for the router from my supplier.

It permits 50 Tunnels. There is no maintenance but only hardware support. You need to build your own tunnels.

Connection is Ethernet so you put it in front of your cable or DSL modem.
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 41793552
IPsec tunnels are much easier to maintain and more reliable if they are NOT behind an internet gateway performing NAT for private IPs, so it is better to have the same device performing internet services and IPsec.
If you use the same or similar devices on all ends, maintenance is usually low, and you have a broad range of devices you can choose from. In general, the cheaper, the less flexibility - e.g. many low-budget devices require being the internet gateway, because you cannot switch the WAN port to be bridged (LAN) instead.

We cannot recommend something reasonable and cheap, as only you can know (but might not in its whole) what is required and would work for you. However, the recommended Cisco RVs are a good start - being from the Linksys branch, they are laid out to be easy to configure, but not really that flexible. (As opposed to the real Cisco devices, which are complex but flexible.)
0
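One way to check, before the tunnels are built, whether the device that will terminate IPsec is directly on the internet or sits behind an upstream NAT, which is the placement point made above. This is an added example, not code from this thread or from any vendor; the address ranges are the standard non-public ranges and the sample readings are constructed.

```python
import ipaddress

# Address ranges that never appear on the public internet. If the VPN
# router's WAN port carries one of them, a device in front of it is NATing.
_NON_PUBLIC = {
    "RFC1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT (RFC6598)": ["100.64.0.0/10"],
    "link-local (RFC3927)": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}
_NON_PUBLIC_NETS = {label: [ipaddress.ip_network(c) for c in cidrs]
                    for label, cidrs in _NON_PUBLIC.items()}


def classify_wan_address(addr: str) -> str:
    """Return 'public' or the label of the non-public range the address is in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in _NON_PUBLIC_NETS.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def assess_ipsec_placement(wan_addr: str, observed_public_addr: str) -> dict:
    """Compare the address on the VPN router's WAN port with the address the
    internet sees for this site (e.g. from the ISP's portal) and say whether
    the router is directly on the internet or behind another NAT device."""
    kind = classify_wan_address(wan_addr)
    if kind != "public":
        verdict = "behind NAT"
        advice = ("WAN port holds a %s address, so the upstream modem/gateway is "
                  "doing NAT. Bridge the modem so the VPN router gets the public "
                  "address, or have the upstream device forward IKE (UDP 500), "
                  "NAT-T (UDP 4500) and ESP to it." % kind)
    elif wan_addr != observed_public_addr:
        verdict = "behind NAT"
        advice = ("WAN port has a public address but the internet sees a "
                  "different one; a 1:1 NAT or proxy is still in the path. Peers "
                  "must use the observed address.")
    else:
        verdict = "direct"
        advice = "Router holds the public address; IPsec peers can target it directly."
    return {"wan_kind": kind, "behind_nat": verdict == "behind NAT",
            "verdict": verdict, "advice": advice}


if __name__ == "__main__":
    # Constructed sample readings; 203.0.113.0/24 is a documentation range.
    for wan, seen in [("192.168.0.2", "203.0.113.5"),
                      ("100.70.1.9", "203.0.113.5"),
                      ("203.0.113.5", "203.0.113.5")]:
        r = assess_ipsec_placement(wan, seen)
        print(f"WAN {wan:>13} seen as {seen}: {r['verdict']:10} ({r['wan_kind']})")
```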
 
LVL 90

Expert Comment

by:John Hurst
ID: 41793572
That is a good point. I bridge my modem so that the VPN router is directly seeing the external IP address. NAT is done within the router, not the modem. Even though I have 2 boxes, the bridging keeps it simple and reliable.
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 100 total points
ID: 41793576
I would recommend:

TP-Link TD-W8950N 150Mbps ADSL 2/2+ Modem Router Broadband

It is just $40 on eBay. For this price, it even includes a free SanDisk Ultra 16GB MicroSD card.

http://www.ebay.com.au/itm/281608075731

Its IPSec VPN feature looks like a secret of the product; I didn't realise its cool features before buying it online from eBay. The spec on its official product page also never mentioned it, until I found its IPSec option in its advanced settings. FYI I bought it to replace my broken ADSL modem, never expected anything more than that, but it came with IPSec VPN, IP Tunnel (6in4 and 4in6), QoS, Bandwidth Control, Interface Grouping and even IPTV and Guest Wireless!

[Screenshot: Screen-Shot-2016-09-12-at-09.39.11.png]

Official Product Page:
http://www.tp-link.com/no/products/details/cat-15_TD-W8950N.html

Per its user manual, see below, it "supports up to 10 VPN tunnels simultaneously", which is amazing for such a cheap router. Per my experience, its VPN speed and stability are not bad.

[Screenshot: Screen-Shot-2016-09-12-at-09.26.28.png]
As the router doesn't support SSL for remote management via web, its IPSec feature fills the gap, allowing me to remotely manage it across the internet.

The router supports ADSL2+ (modem included) and Ethernet for WAN, provides 3+1 LAN ports (+1 if using ADSL2+) and 150 Mbps 802.11b/g/n wireless.

Something bad? Yes, its web console looks a bit ugly, and its web UI restarts the router for most setting changes (really not necessary).
0
 

Author Comment

by:sidwelle
ID: 41793604
Can you recommend a device (Cisco or other) that allows IPSEC tunnels and a software VPN version that allows staff not in one of the offices to install a software VPN client and access the network while on the road ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41793605
I use the Cisco RV device mentioned, and I use NCP Secure Entry (www.ncp-e.com) to log into it and other client machines.  All works great.
0
 

Author Comment

by:sidwelle
ID: 41793636
So you pay like $150 /install ?  How is this managed ?  Is this better than the client that Cisco offers ?
Could this in anyway void the Cisco warranty ?  

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41793643
Cisco client software is not very robust. I use NCP because it is very nearly bomb proof. My clients all use it because it never fails them and that is very important.
0
 

Author Comment

by:sidwelle
ID: 41794313
I guess I am kind of new at internet networking.  I create a lot of apps that network, but I rely on our network team at work to provide the internet connection.

What type of connection can I expect a standard ISP to provide ?  and will this Cisco RV320/325 have that connection or do I have to have another Modem/device between the RV32x and the ISP ?
At our home-office we have coax connection and we purchased our own DOCSIS 3 modem and just provided the ISP w/MAC address.

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41794333
You need to connect the Cisco RV320/325 to the Modem supplied by the ISP. Put the modem in Bridge mode.
0
 

Author Comment

by:sidwelle
ID: 41794449
Do I need to specify static IPs from my ISPs at each end ?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 100 total points
ID: 41794469
At least one end should have a static IP in the "classic view". Some devices allow for dynamic IPs on both sides, e.g. by supplying a (Dyn)DNS name instead.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41794496
Do I need to specify static IPs from my ISPs at each end ?

As Qlemo notes, at least one end needs to be static.

Where I am, my dynamic IP does not change for years on end, so I just treat it as static.
0
 

Author Comment

by:sidwelle
ID: 41795043
Thinking about it, I would ask for static IPs at both ends.  This way if one of the ISPs or routers fails on one end, users can always dial into the other system, or systems on both ends can be reached w/o having to traverse a 2nd VPN. (Latency ?)

From looking at the SOHO routers on Cisco's site, the "Cisco RV130W Wireless-N Multifunction VPN Router" looks like a better option.  Probably because it supports wireless.   Or
"Cisco RV215W".  Not really sure what the numbers indicate.

Looks like it has all the features,  except for a guest network ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41795050
Cisco RV130 and 215 are Wireless VPN routers and will work
0
 

Author Comment

by:sidwelle
ID: 41795187
Can I use the NCP Secure Entry (www.ncp-e.com) software w/these models ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41795192
You should be able to. I use NCP to log into my RV325 and that works. VPN for the RV130 and 215 is very similar.
0
 

Author Comment

by:sidwelle
ID: 41795196
Is there a license fee to enable the IPSEC or VPN features on the routers or the software ?
I noticed that earlier you mentioned Hardware support ?
0
 

Author Comment

by:sidwelle
ID: 41795198
Do you have to pay for each install of the NCP software ?  
Does it phone home or require a license key ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41795203
You can get a discount on volume licenses. You go to their web site. I would get a trial first to see if it does what you want. There are a few picky points.

Once you know, you purchase a license and they email you the receipt and a key.

Yes, like most other software it calls home to verify the license.
0
 

Author Comment

by:sidwelle
ID: 41795262
Last question, I promise.

How does that compare to the client software provided by Cisco ?
Does Cisco charge per seat ?  or connection ?

I am setting up this network for an accountant, and the simpler the better. I did see some other VPN products out there, but I need something that is "set and forget", never having to go back and maintain.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41795269
I do not know how much Cisco charges.

With respect to comparing software, NCP is the only client app I know that works in Vista, Windows 7, Windows 8/8.1 and Windows 10.

Cisco AnyConnect, Juniper Netscreen App, SafeNet Soft Remote, Shrew Soft all do not graduate to the next step up either at all or for many months. I have used all the above, as have clients at one time or another, and we gave all that up for NCP.

NCP is CHEAP when you find out it just plain works. My clients growl quietly at the cost (it is pricey) but they will not return to lesser software.

Set and Forget: That is more or less how I use NCP. It is just there. It does have to be upgraded from time to time but the current version is 6 months old and is good in Windows 10 Build 1607 Version 14393.105 and below
1
 

Author Comment

by:sidwelle
ID: 41795824
How much did you have to pay for Cisco support ?

So the charges that I would incur:
2 routers     <  $300   each
Remote client software    ~ $150 / seat.

Anything I am missing ?   Is there a charge or key to enable the IPSEC tunnels or Client VPN tunnels on the devices ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41795855
I do not have Cisco support. There is no charge for site-to-site tunnels on a Cisco RVxx router.

If you have set up VPN tunnels before, the Cisco RVxx GUI setup is fairly straightforward.

NCP works very well and they provide good support with the license. But do get a trial, set up and verify it meets your needs. It very much meets my needs.
0
 

Author Comment

by:sidwelle
ID: 41796175
Just went to the Cisco site and it's pretty cryptic and you need to contact a partner and some other crap.

The NCP site seems pretty straight forward, $144/install, but the volume discounts don't kick in until you purchase 10+

I am going with a phased approach: 1.) Install the two routers and then 2.) try to setup the software client.

Question: Do you ever have clients install the Software-VPN Clients and establish a connection to make that machine available to the other users behind the router at the office locations ?

I have seen it done once, but that was several years ago with a 3rd party VPN solution, don't think they are even in business anymore.
Even forgot the name !
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41796185
For the latter question I use site to site, not client software
0
 

Author Closing Comment

by:sidwelle
ID: 41796254
John, Qlemo, and Bing,  You have been a big help.  Now I know enough to move forward.

If I have any more questions/issues  I will create a new question and post the number here.

Thank You.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41796626
Thank you and I was happy to help you with this.
0
 

Author Comment

by:sidwelle
ID: 41797040
From looking at all the small business products on the Cisco site, the "RV130W Wireless-N Multifunction VPN Router" looks like it has the best specs.   Specs state that it supports up to 10 IPSEC tunnels ?

Compared to the next best product RV215W, its specs state that it only supports 1 IPSEC tunnel ?
Wondered why, with a better number ?

Chatting with support, Agent stated that the RV215W was an outdated product.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41797073
To be honest, I am curious about why you don't prefer a solution using two TP-LINK devices?

Per my understanding it is just something that the title "IPSEC tunnel between TWO SMALL offices, BEST LOWCOST equipment" suggested.

BTW, a $40 TD-W8950N can support up to 10 IPSec tunnels, hence it means each of your offices can connect to 10 sites.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41797076
Double check the RV215 specifications. My RV220W (now outdated) supports 25 tunnels and my RV325 (current) supports 50.

Yes, I guessed the RV215 might be out of date although it is a good router.
0
 

Author Comment

by:sidwelle
ID: 41797163
Does the TP-LINK support software VPN clients ?
I would consider it if it did.
0
 

Author Comment

by:sidwelle
ID: 41797246
From talking with the Cisco agent, who consequently called me this evening: she stated that the RV130W is the most up-to-date small business router they are marketing right now.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41797617
The recommended TP-LINK device does NOT support VPN clients, as it is for site-to-site IPSec tunnels as the question title suggested.

However, it does support VPN Pass Through on L2TP/PPTP/IPSec, which means a VPN server can sit behind the router.

Think about the price, $40 for 10 IPSec tunnels. If you could afford Cisco things, it shouldn't be a problem for you to add a dedicated VPN server if required.
0
 

Author Comment

by:sidwelle
ID: 41797648
This is for an accountant, and I need "Set and forget" setup !

They are not going to know the difference between the two or have a dedicated VPN server behind the scenes.  The solution of an RV130W (one device) at each site also provides some redundancy.

My 2nd problem is that I don't know what type of connectivity will be provided at either end.  The offices are over 100 miles apart with different ISP/Telco companies with no possibility of making them the same.  I know as soon as they approach the ISP sales and ask for static IPs, they are going to be offered a solution from the ISP that they don't understand.

If this was for me personally, I would totally go that route.

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41797652
Site to Site is absolutely transparent. Set it up and it works. My tunnels are very low maintenance.

External access via NCP requires setup and testing, but once that has been done it is very reliable.
0
 

Author Comment

by:sidwelle
ID: 41797756
That's what I need !   Just it's hard to find detailed specs on the RV130W, like:
Remote Access: does it support it and how many concurrent connections ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41797812
Go to the Cisco Support site, Downloads and get the Setup PDF for the Cisco RV130. That will give you information on tunnels and setting them up.
0
 

Author Comment

by:sidwelle
ID: 41798263
The data-sheet for the RV130W states that the system will accept 10 Remote IPsec tunnels from the "TheGreenBow and ShrewSoft VPN client".  I assume that the NCP is compatible as well ?

Reading the Setup PDF was good advice, found the file here: http://www.cisco.com/c/dam/en/us/td/docs/routers/csbr/rv130w/admin_guide/en/rv130w_admin_en.pdf
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41798265
NCP is compatible with that (but only one tunnel per user at one time). So 3 different users can have 3 different tunnels into the one box.
0
 

Author Comment

by:sidwelle
ID: 41798290
Can that one user be connected to multiple VPNs at one time ?

I have a problem where the current Cisco client that is configured does not allow me to use my local LAN when I have an active connection to our corporate network.  This prevents file transfers to other machines on my LAN at home and printing to my IP network printer. When I do forget and try to print, the job just queues in the print queue and will finally print when the VPN is disabled, or sometimes not until the PC is reset.  (Boot your PC, and as soon as the O.S. starts back up you sometimes get these print jobs that have been stuck in the print queue for over a month !, forgot why I even printed it !)

Does your NCP client suffer from issues like this ?
Can you enable/disable the local network ?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41798318
Can that one user be connected to multiple VPNs at one time ?

No, not with NCP. That is a basic security limitation. Disconnect one and connect the other.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41798528
You'll have that issue of only-one-connect-per-client with all IPsec VPN clients I know of. With a client like NCP you'll have to use virtual machines to get around the limitation.

Going a different way, free OpenVPN (which uses SSL) can be set up on a client to be able to connect to more than one remote location at the same time. MS Routing and Remote Access (on a MS Server OS) is able to establish more than one IKEv2 IPsec tunnel at the same time.

Site to site tunnels can be and usually are simultaneously used.
0
 

Author Comment

by:sidwelle
ID: 41798589
What about printing and access to the local LAN ?
Right now we can see the checkbox to allow access to the local LAN, but it's grayed out !
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41798743
Printing across a LAN works vastly better with site-to-site. I have done this.

You can log into a machine with NCP and then print from that machine. I have done that.
0
 

Author Comment

by:sidwelle
ID: 41798780
Sorry, not what I am asking.

I am sitting at home logged into our corporate VPN, bring up a document on the local PC and try to print to a printer on the local LAN, only to find the O.S. tells me that the printer is unavailable.
Can't ping or telnet to it ?

The security of the VPN client disables all other networks (effectively; how, I don't know).
Nothing prints or accesses any systems on the LAN until the VPN is disconnected.
[Screenshot: AnyConnect01.PNG]
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41798799
I have only done what you have asked with a site-to-site VPN, not gateway to site VPN (NCP).
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41798816
Cisco AnyConnect SMC is an SSL VPN client. The setting to allow local LAN access only works if the VPN device on the other side is configured to allow that, at least on Cisco ASAs. I don't know whether you can set something up on RVs accordingly.
0
 

Author Comment

by:sidwelle
ID: 41801425
Pretty sure you are right on the Cisco thing.

Anyone ever use the GreenBow VPN client as opposed to the NCP client ?
The reason that I ask is that I know the people that I am installing this for will chk the numbers and anywhere they can trim they will come back and question me.
Need to have that answer ahead of time !

Thanks
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 41801539
GreenBow VPN was famous some time ago, and I guess the client is still popular. I didn't check it myself. John can tell a lot about the support of NCP, and everything I heard until now goes the same way (with nothing but cheers). Difficult to make a $ figure out of that, though ;-).
If you look at Shrew, it costs nothing (or not much if you want the full client), but hasn't received updates, and has no support but by the free forum. It is also not straight-forward to configure properly. If it runs, you win, if not, you pay a lot more (effort). For your scenario I cannot recommend that.
Of course it always counts if you can provide support for configuration and arising issues.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41801549
I have not used GreenBow.
NCP Support is excellent - We use their support for our Clients.
ShrewSoft was too troublesome to implement. Any cost saved was eaten up by paid technical support. ShrewSoft is NOT set and forget.
0
 

Author Comment

by:sidwelle
ID: 41802200
One more question:

What about WINS or DNS support between networks:  If you are trying to access a machine on the other LAN, do you need to know the specific IP address or can you just call the PC by its name ?
Do I have to go  back and re-read the rules on how to setup a list-master on each side ?
Will the router or route(s) take care of this ?

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41802202
The routers will normally not do this. Set up DNS on both sides for the machines or use HOSTS files.
0
 

Author Comment

by:sidwelle
ID: 41802219
My experience with host files is they are painful and/or problematic.
I would like a solution that learns.

We used to set up Linux machines and load Samba and config it as the list or browse master.
0
