Complex (2 Me) VPN via ADSL

Status
Not open for further replies.

GriffMG

Programmer
Mar 4, 2002
Hi,

New to VPNs. Have a client with a head office in central London, and a number of building sites spread around the south east (mostly London).

Currently using BT EquIP to provide access to in-house servers (for an accounts system, intranet and exchange server). Running large bills on ISDN lines!

Want to use ADSL to allow sites to VPN to servers in office.

Planning to use Draytek 2600 boxes, have ADSL on site and another run into the main office for a pilot scheme with just one site. All others will remain on ISDN/BT EquIP.

Are there going to be problems with servers talking through correct gateways/routers - or will they just route back the way data came in?

Sorry if this is confused... just looking out for gotchas!

TIA
Regards

Griff
Keep [Smile]ing
 
You'll need a VPN client (software) or a VPN router to sit behind your Draytek DSL box to get a VPN session into your network.

Also a VPN device in the central office.
 
Joel,

Thanks for that, I have bought Draytek 2600 boxes, which have built in VPN to VPN (router to router) capability - so I shouldn't need any client software - except for the odd remote worker on a dial-up link.

My concern is at the central office, the servers will probably have a default gateway defined already, so to communicate to machines beyond their local sub-net they will want to route traffic via that.

I want to introduce the new ADSL router for communicating with one or two sites initially and am not sure if I'm going to need to fit second NICs in the servers (or if by some miracle it will just work).


TIA Regards

Griff
Keep [Smile]ing
 
Thanks to anyone who read my query, and even thought of answering what to you probably seems so basic that it was embarrassing...

I think I've worked it out...

On each of the machines located in the central office, that I want to provide services to the remote site, I add a gateway route - i.e. tell that machine to go to the new VPN router for calls in the subnet x.x.x.0

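I have found the Linux command for doing this:

# -net marks the target as a network rather than a host; the netmask assumes a /24
route add -net x.x.x.0 netmask 255.255.255.0 gw y.y.y.1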

and I guess it is similar in most brands of unix, which just leaves the NT box doing intranet work!

Have I got this about right?

TIA
Regards

Griff
Keep [Smile]ing
 
Well except that for all the remote sites you will need different subnets, since you will be sending everything for the above mentioned, although remarkably vague, subnet out the VPN tunnel to site 1.

You will need to make sure not to NAT all the addresses from remote sites on their gateway across the tunnel too.

And then you will have to also make sure that the main site's Draytek can handle the amount of tunnels you are looking to build. This is a concern since the overhead of the encryption for a tunnel gets to be pretty substantial after only a few tunnels, especially on a lower bandwidth line.

Eddie Venus
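
Added example (not part of the thread and not written by any poster): a small check of the routing plan discussed above, confirming that each remote site has its own non-overlapping subnet and that a central-office server's static routes send replies back through the VPN router instead of its default gateway. All addresses, site names and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing (assumptions, not from the thread).
DEFAULT_GW = "192.168.1.1"     # existing router, the servers' default gateway
VPN_GW = "192.168.1.254"       # new ADSL/VPN router on the office LAN
SITES = {                      # remote site -> (LAN subnet, office router with its tunnel)
    "site1": ("192.168.10.0/24", VPN_GW),
    "site2": ("192.168.20.0/24", VPN_GW),
}
SERVER_ROUTES = [("192.168.10.0/24", VPN_GW)]   # static routes on one server


def next_hop(routes, default_gw, dest):
    """Longest-prefix match over static routes, else the default gateway."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, gw in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


def check_plan(sites, routes, default_gw):
    """Return a list of problems: overlapping site subnets, and sites whose
    reply traffic would leave the server via the wrong router."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in sites.items()}
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"overlap: {a} and {b}")
    for name in names:
        want = sites[name][1]
        # Probe with the first address in the site's subnet.
        got = next_hop(routes, default_gw, str(nets[name].network_address + 1))
        if got != want:
            problems.append(f"route: {name} replies go via {got}, want {want}")
    return problems


if __name__ == "__main__":
    for line in check_plan(SITES, SERVER_ROUTES, DEFAULT_GW) or ["plan ok"]:
        print(line)
```

With the sample data the server has a route for site1 only, so the check reports that replies to site2 would still leave via the default gateway.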
 
Eddie,

Thank you for that, the remote site is on a different subnet, it has to be to establish the existing route via BT EquIP system.

The DrayTek boxes have firmware which supports, apparently, up to 16 VPN tunnels - although the paperwork says just 8.

If the pilot with one site is successful, hoping to set it up next week, the plan is to bring a couple of others on to the same approach. The intent being to use perhaps as many as 3 incoming lines at the central office all with relatively modest bandwidth - to provide a reasonable level of risk management.

I think I understand the NAT bit, and assume you mean only on the VPN section as pretty clearly I would want NAT on the site's internet access. I am not 100% sure how / whether the Draytek boxes handle NAT via VPN.

Thank you again.

Regards

Griff
Keep [Smile]ing
 