jimbopalmer
Programmer
No problems. Just a report on what I have done so far.
I am (slowly) building a hub and spoke VPN for a Mental Health Agency. HIPAA makes it important to find secure ways to share Patient data.
Hub1: Router: Linksys RV042 with 5 IPSec end points (out of an available 50) ISP: CableOne LAN Subnet: 192.168.1.0/24
Spoke 2: Router Netopia 3347NWG with 1 IPSec end point (1 of 1 with Bellsouth firmware) ISP: AT&T exBellsouth LAN Subnet: 192.168.2.0/24
Spoke 3: Router: Linksys RV042 with 1 IPSec end point (out of an available 50) ISP: Comcast LAN Subnet: 192.168.3.0/24
Spoke 4: Router Netopia 3347NWG with 1 IPSec end point (1 of 1 with Bellsouth firmware) ISP: AT&T exBellsouth LAN Subnet: 192.168.4.0/24
Spoke 5: Router: Linksys RV042 with 1 IPSec end point (out of an available 50) ISP: NetWireless Solutions LAN Subnet: 192.168.5.0/24 (Local WISP, backhaul is via T1)
Spoke 6: Router: Linksys WRV210 with 1 IPSec end point (out of an available 5) ISP: RoadRunner LAN Subnet: 192.168.123.0/24
Looking at that list, some will question why I have so many ISPs. Bellsouth is not available at locations 1, 3, and 5. CableOne is only available at locations 1 and 4. Comcast is the only ISP available at location 3. NetWireless Solutions is the only available ISP at location 5. (I am not considering satellite for VPN)
Multiple ISPs severely slow the VPN, as routing is not ideal. As an example, Spoke 6 to Hub 1 is actually 55 miles, but a TRACERT goes through these cities in 110 ms:
Greenwood MS
Atlanta GA
Washington DC
Pennsylvania PA
Cleveland OH
Detroit MI (all routes to the Hub from any spoke go through Detroit)
Memphis TN
Clarksdale MS
Finding some common ISP would speed up traffic.
Bellsouth provides a Netopia 3347NWG ‘for free.’ I used Linksys RV042s when I had to buy a router; I am trying out the WRV210 in my home before using it at the client. Default compatibility between the RV042 and the 3347NWG is better than that between the RV042 and the WRV210. The WRV210 uses 3DES and DH group 2 as defaults; both the others default to DES and DH group 1, which is not offered in the WRV210. (3DES and DH 2 provide better security, they are just not the default of the other routers.) The Netopia cannot start a VPN link without a reboot; both Linksys routers have ‘connect’ buttons. I have ‘stay alive’ on the Hub to keep the Netopias from being a pain.
If you configure the locations with 192.168.x.0/24 subnets in the VPN, all the Spokes can see the Hub and the Hub can see all Spokes, but the Spokes can’t see each other. The trick is to configure the Hub as 192.168.0.0/16 (override errors in the RV042s) in the VPN settings; then the Spokes can see each other (very slowly). I can’t do a Mesh VPN as the Netopias have a single IPSec Endpoint. Netopia (now Motorola) makes an ENT upgrade that allows 16 endpoints, but that is not 'free.' Also, it lacks the web interface that the consumer version has, so Bellsouth won't provide support. My other client with a VPN uses all 3347s on Bellsouth; we were surprised when they would not support the telnet interface.
The Netopias only allow IP addresses and have no DDNS clients built in. The Linksys routers allow FQDN (Fully Qualified Domain Names) and have built in DDNS clients. So far I am using all IP addresses, but I would prefer FQDN and let the spokes be Dynamic IP Addresses. It appears that I would need 5 FQDN for the Hub, as the software thinks each endpoint FQDN has to be unique.
VNC, TN5250, TCP printing, and device synchronization work fine. My next application is an appointments tracker that works distributed locally, but so far has eluded me remotely; I am turning on NetBIOS broadcast on the RV042s.
I tried to remain child-like; all I achieved was childish.
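The selector behaviour the post describes (spokes only reach each other once the Hub advertises 192.168.0.0/16 instead of its own /24), as an added Python model that is not part of the original post. The device names, the host offset used for test packets, and the way phase-2 policy is matched are assumptions about how these routers behave, not their actual configuration.

```python
import ipaddress

# Constructed model of the topology in the post (not the routers' own config):
# each IPsec tunnel is a pair of phase-2 traffic selectors
# (local_subnet, remote_subnet) as seen from the device that owns it.
HUB_LAN = "192.168.1.0/24"
SPOKE_LANS = {
    "spoke2": "192.168.2.0/24", "spoke3": "192.168.3.0/24",
    "spoke4": "192.168.4.0/24", "spoke5": "192.168.5.0/24",
    "spoke6": "192.168.123.0/24",
}

def build_tunnels(hub_selector):
    """Selectors per device when the Hub advertises hub_selector as its local side."""
    hub_sel = ipaddress.ip_network(hub_selector)
    tunnels = {"hub": []}
    for name, lan in SPOKE_LANS.items():
        lan = ipaddress.ip_network(lan)
        tunnels["hub"].append((hub_sel, lan))   # hub side of this spoke's tunnel
        tunnels[name] = [(lan, hub_sel)]        # spoke side, mirror image
    return tunnels

def selector_for(tunnels, device, src, dst):
    """Outbound policy lookup: first (local, remote) pair on device matching src->dst."""
    for local, remote in tunnels[device]:
        if src in local and dst in remote:
            return (local, remote)
    return None   # no match: packet would leave in the clear via the default route

def spoke_to_spoke(tunnels, a, b):
    """Trace a packet from a host on spoke a to a host on spoke b: a -> hub -> b."""
    src = ipaddress.ip_network(SPOKE_LANS[a])[10]   # assumed test host .10
    dst = ipaddress.ip_network(SPOKE_LANS[b])[10]
    if selector_for(tunnels, a, src, dst) is None:
        return "dropped at " + a          # spoke never tunnels it toward the hub
    if selector_for(tunnels, "hub", src, dst) is None:
        return "dropped at hub"           # hub has no tunnel covering src->dst
    # b accepts the inbound packet only if the mirror (dst->src) matches its selector
    if selector_for(tunnels, b, dst, src) is None:
        return "rejected at " + b
    return "reachable"

def overlapping_selectors(tunnels, device):
    """Local/remote pairs that overlap: the condition the RV042 flags as an error."""
    return [(str(l), str(r)) for l, r in tunnels[device] if l.overlaps(r)]
```

With the Hub advertising 192.168.1.0/24 the trace stops at the sending spoke; with 192.168.0.0/16 every spoke pair is reachable, at the cost of five overlapping selector pairs on the Hub, which is the error the post overrides.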