3 Site VPN strategy

I've got a single person in an office location who needs to access a LOB application at site A and a different LOB application at site B via RDP.

Site A and B don't need to communicate with one another.  

What would be the most efficient and cost-effective way to accomplish this, preferably using SonicWall equipment?
Asked by Tom F (I.T. and Support Staff Manager):

John (Business Consultant, Owner) commented:
Set the user up with a SonicWall and the other two sites with SonicWalls and build site-to-site tunnels from User to A and User to B. I do this with Cisco routers and it works great.
0
Michael Karamoutchev commented:
Split Tunnel

Please refer to the SonicWall article below:
https://www.sonicwall.com/en-us/support/knowledge-base/170503392435592
0
John (Business Consultant, Owner) commented:
Whenever I set up site to site, they are always split tunnel.
0

Michael Karamoutchev commented:
...Unless you set up a single WAN GroupVPN policy for this user. It's a configuration matter. Split Tunnelling allows you to refine what goes over the VPN tunnel and what goes over the default network connection.
0
John (Business Consultant, Owner) commented:
For site to site, tunneling is a hardware issue (done in Sonic Wall or other) and not related much to the OS.
0
Ashok Dewan (Freelancer) commented:
I believe SonicWall does not have a free version available. As mentioned, you don't require site A to communicate with site B. The best way is to use SonicWALL SSL VPN.
0
Tom F (I.T. and Support Staff Manager, Author) commented:
Will this be do-able if any of the sites have dynamic IP addresses?
0
John (Business Consultant, Owner) commented:
You can have the two business sites static and the user's office dynamic. This works, but assumes the dynamic address does not change frequently. Mine has not changed in about 2 years. ISPs are reluctant to change your IP because your activities are tied to it.
0
Blue Street Tech (Last Knight) commented:
Hi Tom,

FYI: You guys are conflating different terminologies. Tunneling via S2S (Site-to-Site) has no "Tunnel All Mode" or "Split Tunnel Mode" because you are connecting two different networks. Those are both features specifically relating to C2S (Client-to-Site) VPNs. In SonicWALL, the C2S VPNs would namely be: SSL-VPN (Browser Add-on, NetExtender, MobileConnect) and GVC (Global VPN Client).

Please clarify if you are asking:
A) How can you connect Site A (SonicWALL A) and Site B (SonicWALL B) via a VPN and have a user/s connect remotely to both networks via C2S, or
B) How can you have a user/s connect to both Site A and Site B when both sites cannot be connected via a VPN (for whatever reason).

Scenario 1

You can achieve this by installing two SonicWALL appliances and setting up a S2S VPN between them. Then when the user in question needs remote access to both resources in sites A & B they can get them by accessing C2S VPNs, such as an SSL-VPN, on one of the SonicWALLs and thereby access the other network's resources via the VPN & static routes. Here's how to do this:
1. Make sure the SSL-VPN IP Pool is added to the Local Network in S2S Tunnel configuration on SonicWALL A and in the Remote Network (in VPN Zone) in SonicWALL B.
2. Go to SSL VPN > Client Settings > Edit profile > Client Routes tab and add a client route to the SonicWALL B network.
3. Go to Users > edit the user or user group which connects over SSL VPN | VPN Access tab and add the same VPN Network there.

Scenario 2

My question is: do you want the user/s to be able to connect to both networks simultaneously or individually? Individually is not a problem. You can set up either an SSL-VPN or a GVC VPN and configure the clients so that the user/s can switch between the networks via profiles, where the user/s are connected to one network at a time. This will provide the most security because you can set up Tunnel All Mode, which is a Security Best Practice. However, if you want the user/s to connect to both sites simultaneously you may run into issues, and certainly you cannot set up either/any C2S VPN in Tunnel All Mode but rather Split Tunnel Mode. Since C2S VPNs can only connect to one network at a time you would need to set up an SSL-VPN on one SonicWALL and then on the other SonicWALL set up a GVC. You will have to test this configuration because it is not a typical request and therefore could be problematic. Alternatively, you could create a S2S with another device that supports IPSec.

Let me know if you have any questions!
0
John (Business Consultant, Owner) commented:
I use Cisco and Juniper boxes for this and can connect to all 3 tunnels simultaneously. That may be an option for you.
0
Blue Street Tech (Last Knight) commented:
"Will this be do-able if any of the sites have dynamic IP addresses?"
Please address my questions above so we can provide a solution...otherwise we are just spinning our wheels. If you are talking about S2S VPN yes you can configure it if one side has a dynamic IP address. The VPN Proposal Exchange mode would be Aggressive Mode, which has security vulnerabilities and will not pass any kind of decent security audit. To get around that you can either:
A) purchase a Public Static IP address from your ISP or
B) purchase/configure DDNS for the side that has a Public Dynamic IP address. In either case you would then be able to configure a S2S in Main Mode or an IKEv2 Mode.
0
John (Business Consultant, Owner) commented:
Site to Site in my configuration uses MAIN Mode.  Aggressive is for Client Software. I was addressing Site to Site.
0
Blue Street Tech (Last Knight) commented:
@John, the OP has not answered my questions yet. As I have annotated, both scenarios are quite different and I need clarification on which the OP wants. SonicWALL can have a user connect to a VPN via C2S and access both firewalls if they are connected to a VPN via S2S. However, in the other scenario, where the firewalls do not have a VPN connecting them and the user needs to connect to two networks simultaneously, it is problematic to do so...not impossible! See what I mean...the two scenarios are quite different.
0
Tom F (I.T. and Support Staff Manager, Author) commented:
Ideally, I'd like the user to be able to connect to Site A and Site B at the same time.  I'd also prefer to have the sites connected via hardware, not client software for daily simplicity.
0
John (Business Consultant, Owner) commented:
I do what you want with Cisco routers. I am not sure if SonicWall supports multiple tunnels.
0
Blue Street Tech (Last Knight) commented:
@John -
"Site to Site in my configuration uses MAIN Mode. Aggressive is for Client Software. I was addressing Site to Site."
I'm sorry but you are incorrect on this one. We argued this in a previous question. Main Mode is a type of Proposal Exchange that requires both sides of the VPN to have Static Public IPs. Aggressive Mode again is another type of Proposal Exchange that is less secure (the Hash is not encrypted) and is only used when a Dynamic Public IP address exists on any end of the VPN tunnel. Therefore you cannot configure a Main Mode proposal with a dynamic IP address on either side!

This is also why in a C2S VPN, in most cases, you cannot configure the Proposal because, from the VPN server's perspective, the Initiator of the VPN will always be dynamic as multiple users are logging in from multiple IPs, hence Aggressive Mode. In this regard the VPN Server sees that the IPs must change to accommodate remote users, so it doesn't matter if a user logs in from a static or dynamic IP...the fact is that as soon as another user logs in the Initiator's IP changes, hence the other end of the VPN will be perpetually dynamic. So you were partially correct when you said, "Aggressive is for Client Software", but to leave it that definitively will only misinform EE users who do not understand VPNs. "Aggressive Mode is for dynamic IPs" would be the correct statement. So regardless of whether the VPN is a S2S or a C2S, if any end of the VPN is dynamic you must use Aggressive Mode or an alternative method such as IKEv2 or Main Mode w/DDNS.

I hope this helps you understand the differences a bit more.
1
John (Business Consultant, Owner) commented:
"Therefore you cannot configure a Main Mode proposal with a dynamic IP address on either side!"

My own site is dynamic, but as I pointed out above, I configure it as Static and change whenever I need to. I use MAIN mode on all my tunnels.

They all work and they all work simultaneously.
0
Blue Street Tech (Last Knight) commented:
@Tom -
"Ideally, I'd like the user to be able to connect to Site A and Site B at the same time. I'd also prefer to have the sites connected via hardware, not client software for daily simplicity."
Yes, you can easily achieve this with two SonicWALLs at each site location. It would be Scenario 1 as I outlined in my previous comment: https:#a42438143

SonicWALLs can handle literally hundreds of C2S VPNs and up to 50 S2S VPNs concurrently. The distinguishing factor that I needed to know is that if the sites were not going to be joined together via a S2S, then having a user connect to multiple C2S tunnels simultaneously was where things got a bit odd.
0
Blue Street Tech (Last Knight) commented:
@John - where do I begin....

This is not the design of Main Mode. You are most likely implementing DDNS or some other facet like "I configure it as Static and change whenever I need to." to counter it. You shouldn't ever need to change anything...it is a S2S VPN...unless the peer changes its IP, again, hence dynamic, hence you should be implementing either Main Mode w/DDNS, IKEv2 or Aggressive Mode. I'm trying to educate you on the facts. What you are saying is plain wrong: Main Mode DOES NOT equal S2S and Aggressive Mode DOES NOT equal C2S - to say otherwise is technically inaccurate! :) Study up on VPN Proposal Exchanges and get back to me off this thread and I think you'll agree with me. I'm not pontificating here; it is very black and white.
0
John (Business Consultant, Owner) commented:
I use Main Mode and it works fine

You (Blue Street Tech) are trying to tell the world I don't know what I am doing. I DO know what I am doing and posting my experiences that's all.

Argue away if you must.

Bye All
0
Blue Street Tech (Last Knight) commented:
None of us are perfect and we are all learning. EE is a place just for that. I'm not trying to tell the world you don't know what you are doing but rather correcting one small aspect that can affect someone else's learning significantly. It is not personal at all. We are in the scientific community not the liberal arts and so our answers must reflect that accordingly: there are right and wrong ways of doing things in IT irrespective of subjectivity. I think you have a tremendous amount of knowledge and I respect that. I have said things on EE that were plain wrong in the past...all of us have...we are not gods! As we continue to learn as Experts hopefully it is an iron sharpens iron concept. :)
0
Tom F (I.T. and Support Staff Manager, Author) commented:
Ok, then to clarify a little... a SonicWall at each site... preferably those two have static IPs; connect them S2S. Connect the end user via NetExtender to either of the sites, by which they'd then have access to both networks.
1
Blue Street Tech (Last Knight) commented:
Precisely!
0
Blue Street Tech (Last Knight) commented:
Hi Tom,

Did my comment address your questions: https:#a42438143 (see Scenario 1 - set up a S2S VPN and use SSL-VPN so the user can gain access to both networks' resources)? If so, please select it as Best Solution to close this question. If you have more questions please keep them coming!

Let me know. Thanks!
0
Dan Craciun (IT Consultant) commented:
This is basically a road warrior case.
Set up one SSTP server on each location, then have the user connect to both VPNs. No need for expensive hardware.

HTH,
Dan
0
Blue Street Tech (Last Knight) commented:
@Dan, not sure if you read all the back and forth, but the OP preferably wants to set this up using SonicWALL equipment and is setting up a S2S VPN tunnel between the two offices with an SSL-VPN for the end-user. We had to get through whether the OP actually wanted to set up a S2S VPN or have the end-user connect two C2S VPNs simultaneously, which was unclear based on his question. :)
0
Dan Craciun (IT Consultant) commented:
I saw you and John arguing and I stopped reading :)

On a side note, for the past couple of years I've been using OpenVPN for S2S tunnels and SSTP for C2S tunnels whenever I can.
OpenVPN because it's open source and not broken yet and SSTP because it has a built in client in Windows (and it's not broken yet).
0
Blue Street Tech (Last Knight) commented:
"I saw you and John arguing and I stopped reading :)"
LOL :D It has forced me to write an article so that others can understand that the Main Mode exchange was innately not designed to use dynamic IPs...though it can be forcibly accomplished by poor workarounds...it wasn't designed to and is not smart to do so from a pragmatic & security standpoint! Here I go again... oh boy.

Yes, agreed. I'm a big fan of OpenVPN especially when VPN services (VPNaaS) are required. IPSec has not been cracked to my knowledge unless you are referring to Aggressive Mode, which was a poor design, IMO, from the start since the Hash was never encrypted thereby the IDii & IDir (the identities) were ripe for the picking.
0
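An added example, not code from the thread or from SonicWALL, that shows the distinction Blue Street Tech draws above (Main Mode vs. Aggressive Mode, and the IDii/IDir exposure) in a defender's audit script: it parses the fixed ISAKMP header of UDP/500 datagrams and flags IKEv1 Aggressive Mode peers. The datagrams and source addresses are constructed; exchange-type codes follow RFC 2408 (IKEv1) and RFC 7296 (IKEv2).

```python
"""Added example: flag IKEv1 Aggressive Mode by parsing ISAKMP headers (not SonicWALL code)."""
import struct
from dataclasses import dataclass

# iSPI, rSPI, next payload, version, exchange type, flags, message ID, length (RFC 2408)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Exchange-type codes from RFC 2408 (IKEv1) and RFC 7296 (IKEv2).
EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode (Identity Protection)",
    4: "IKEv1 Aggressive Mode",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
}

@dataclass
class IkeHeader:
    version: str
    exchange: str
    first_message: bool  # responder SPI still zero
    weak_phase1: bool    # identities and hash sent before encryption is up

def parse_ike_header(payload: bytes) -> IkeHeader:
    """Parse the fixed 28-byte ISAKMP header of a UDP/500 datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, rspi, _next, ver, xchg, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4  # high nibble of the version byte: 1 = IKEv1, 2 = IKEv2
    exchange = EXCHANGE_NAMES.get(xchg, f"unknown({xchg})")
    # Aggressive Mode (IKEv1 exchange type 4) sends IDii/IDir and the hash in clear text.
    return IkeHeader(f"IKEv{major}", exchange, rspi == bytes(8), major == 1 and xchg == 4)

def audit(datagrams):
    """Return one finding per (source, datagram) pair that uses Aggressive Mode."""
    findings = []
    for src, data in datagrams:
        hdr = parse_ike_header(data)
        if hdr.weak_phase1:
            findings.append(f"{src}: {hdr.exchange}; use Main Mode w/DDNS or IKEv2 instead")
    return findings

def _pkt(xchg, ver=0x10):  # constructed header with a zero responder SPI
    return ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 1, ver, xchg, 0, 0, ISAKMP_HDR.size)

SAMPLE_DATAGRAMS = [  # constructed, not captured traffic (RFC 5737 addresses)
    ("203.0.113.10", _pkt(2)),          # Main Mode peer
    ("198.51.100.7", _pkt(4)),          # Aggressive Mode peer
    ("192.0.2.5", _pkt(34, ver=0x20)),  # IKEv2 peer
]
```

Feeding real UDP/500 payloads (for example from a packet capture on the firewall's WAN side) to `audit` lists every peer still negotiating in Aggressive Mode, which is the finding an auditor would raise.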
Blue Street Tech (Last Knight) commented:
Glad I could help...thanks for the points!
0
Michael Karamoutchev commented:
Seems like the client will finally make a decision on firewall technology at site A and site B, because there is no IPsec capability, or it is not utilized for the need.
0