Linksys VPN routers... 8

[gacollier]

Has anyone used a Linksys RV082 for site-to-site VPN? I'm looking for a fairly robust, yet inexpensive site-to-site-to-site VPN solution. I'm thinking of using the RV082 at the main office, and Wireless-G WRV54G for (3) branch offices locations. Can anyone give me feedback on if this is the right type of equipment?

Thanks in advance.

 

[deeno]

We have 2 remote offices linked to our main office. All the offices, including the main office, use the RV082. The Router to Router function seems to work well and is easy to get running. I am having an issue with this product and NAT-T, but I don't think that would apply to your setup (only if you're having traveling employees connect, as in client to VPN).

I have an WRV54G at home, and while it works, I'm not impressed. If you can, I'd recommend the RV082 in all the offices, and if you need wireless then just get a wireless bridge.

Good luck and keep us posted!

 

[gacollier]

Deeno,

Thanks for the input. I'm curious as to why you suggest the RV082 at all sites vs. the WRV54G? Outside of the wireless, and the dual I-Net connections, what's the difference? Also, has anyone used the BEFVP41 Cable/DSL VPN Router?

Again, thanks in advance.

 

[deeno]

There are a number of differences in the two devices. I recommend that you check out the two product manuals on the linksys site.

RV082 Manual:
ftp://ftp.linksys.com/pdf/rv082_ug.pdf

WRV54G Manual:
ftp://ftp.linksys.com/pdf/wrv54g_ug.pdf

Back in the Windows 3.11 and 95 days, I had sworn to never purchase another Linksys product again. I simply couldn’t get their stuff to work correctly. So, as you can imagine, I was skeptical when I purchased our first RV082. And I only purchased it because I was in a bind and I needed something quick.

After installing the RV082, I was so pleased with its performance that I purchased 3 more for some of our remote offices (one hasn’t been setup yet). Again, the product worked without a glitch. At that point I purchased the WRV54G for home use.

Don’t get me wrong, the WRV54G works fairly well as a router, I’m just not impressed with the options it has. I wouldn’t buy it with high expectations on the VPN side of things. And I personally wouldn’t put it into one of our offices.

I can’t offer any insight on the BEFVP41, but you may be interested in another company’s products as well, check out

http://www.zyxel.com.

They are supposed to have good products and excellent customer service/support. As you may or may not know, Linksys customer support isn’t known for being that great.

 

[gacollier]

Deeno,

I'm taking your advice. I'm going with the RV082 for all sites. After reviewing the documentation, I like the dual Internet for potential backup options, as well as SPI support. I'll let you know how it turns out.

Thanks again!

Greg

 

[sseaner]

Deeno, thanks for the great post. I am new to VPN and was sucked in and bought the WRV54G. You are right on the money as it is a terrible piece of equipment. My question is that I have a Win2k server running RAS. With the router to router VPN do I still need to run RAS? Once I have my two RV082 routers up and running, how do I configure the connection from one office to the other? One more question. Have you used the dual internet connections and if so did it increase performance or just redundancy?

Thanks in advance......

 

[deeno]

Sseaner

I’m glad the post helped you out. I have learned something since then, and that is that people have successfully connected 2 WRV54G devices together. Unfortunately, though, this kind of connection has only been established with a WRV54G on each end. This isn’t really helpful in meeting the needs of most people.

Anyway, you do not need to have RAS configured on your W2K server. The routers will take care of establishing and managing the connection. Once the RV082 VPN is established, it will be like your computers are physically in the same place. You should be able to ping computers across the tunnel, access shares, establish a terminal service window, and just about do whatever you need. There may be a problem with NetBIOS names being transferred across the tunnel, but if you have a DNS or WINS server running, and if they are referenced correctly on the client side, things should work for you. If you use IP addresses instead of computer names, there shouldn’t be a problem.

One thing to consider is that each location (home and office for example) will have to be on a separate subnet. I personally use the 10.1.1.0 network with a 255.255.255.0 subnet at work, and at home I use the 10.1.2.0 network again with the 255.255.255.0 subnet. I know this is a class C network that is in what is typically referred to as class A network space, but I have had no problems with it. I like it better than having to type in the default 192.168.1.0 addresses.

I have never used the dual WAN feature of this device, but through reading I believe that it can help to increase the speed of a connection. When the Wan1 connection is maxed out, it is supposed to start using the Wan2 side. I have never tested this though.

If you need help setting up the RV082, I’d be more than happy to help, though I think you’ll find the setup rather easy.

Hope this all isn’t too confusing. Be sure to let me know if you have any other questions or if you need me to clairify any of the above...

deeno

PS – So you know, there are cases where it would be beneficial to also use the rras features of the W2K server. For example, we have several offices that connect to our main office. Even though the remote offices can all see the main office, the remote offices cannot see each other. Generally the remote offices don’t need to see each other, but sometimes it would be useful. For instance, if I am at home and I need to connect to a remote office, it would be nice to be able to connect through the main office.

To make this possible, I am going to setup PPTP on our W2K server at the main office. Then, when I’m at home or at a remote office, once I have established an IPSec connection to our RV082, I’ll establish a PPTP connection to our W2K server at the office. Once I connect, I’ll be assigned an IP address that is physically part of the work network, and I should then be able to connect to all of the addresses (including those of remote offices) that I would typically be able to connect to as if I were at the main office.

That’s just a side note, and I don’t think it applies to your configuration. Hope that isn’t too confusing...

 

[sseaner]

Once again thanks for the info. Are you using the DHCP function of the routers or is your server handing out the addresses? I am also on the fence as to buy one more WRV54g and try it or just go with the two RV082?

Thanks

 

[deeno]

At the office we use a W2K server that functions as the DHCP server. Obviously that isn't the main function of that system, but I guess that is beside the point. Using that system as the DHCP server allows for much more flexibility than using our RV082 as the DHCP server. For instance, with the W2K server, it is possible to have a reservation inside the scope, which allows you to assign a specific (static) IP address to a device (based on MAC address) on the network. This is just one of a number of advantages.

As far as what to do, it's really your call. If you simply plan on connecting two offices together, the two WRV54G devices MAY work. I have never seen a connection established between two of them, nor have I tried it (I only have one of them), but I hear that it works. This solution wouldn't work for us at our office because we require non-WRV54G devices to connect as well. For instance, a traveling employee needs the ability to connect directly from a laptop. So, to sum it up, I guess your decision should be based on current needs, needs required to accomplish possible future tasks, and obviously budget.

If you end up going with the WRV54G idea, just be sure to secure the wireless side of things on both sides of the tunnel. I'd sure hate you to leave it unsecured and have someone find the signal and have access to the network devices on both sides of your VPN.

Good luck and please be sure to ask if you have any questions on any of this.

deeno

 

[sseaner]

OK...last question. Is your win2k server also giving out DHCP to the remote ofices or do they each have their own server. The reason I am asking this is because of the different ip address scheme you mentioned for each office. Just trying to plan my system and avoid the headaches. Thanks a million.

 

[deeno]

Each office needs its own DHCP server (if you plan on using DHCP). I don't really know anything about your network or its requirements, but I'm guessing that the built-in DHCP function of the Linksys products will probably meet your needs. I guess you can look at your network, and if there is already a W2K server (or whatever kind of server) at a location, use it as the DHCP server. If there is no server, use the Linksys.

Hope that helps. Be sure to ask if you have any questions...

deeno

 

[gacollier]

Deeno,

One quick question... Have you used the 2nd WAN port as a DMZ port? Though there isn't much mentioned on the product lit. for this, it seems that the device will allow for using the second WAN port as a DMZ port. I guess I'm curious to know if anyone has tried this with the RV082. (Another reason to not use the WRV54G?)

Thanks,

Greg

 

[deeno]

Greg,

To be honest, I have never used the DMZ option on this. The 2nd WAN port on my device is just empty.

I have read about this DMZ option in the product literature, though I have never had the need (or capability) for using this option. My cable Internet provider only gives out one Public IP address per cable modem, so, I don’t think there is any way I could use it in the way it is designed to be used. If you have a DSL line or something coming in with more than one (static) public IP address, you can probably take advantage of this. Again, I have never tried it and can’t verify that it works.

Another option that you have for this port is using it for your VPN connections. In your VPN setup, you would tell it to use the WAN 2 port for the VPN connections. That way you could separate the VPN traffic from the traffic generated by the WAN 1 side. As far as I can tell, the WAN 1 side would still take advantage of the WAN 2 side for speed/redundancy reasons.

Hope that helps...

deeno

 

[gacollier]

Deeno,

I'll be running one of the RV082's on the end of a dedicated T-1 with (7) public IP addresses. I plan on moving two (currently multi-homed) servers into the DMZ, an E-mail server, and a proxy server. I've never liked having these systems inside my network. At any rate, I'll let you know how things turn out.

Thanks again.

 

[sseaner]

If I connect the two offices VIA the RV082, and I am using DHCP VIA a win 2 k server in each office, do I need a different address scheme for each office? Both use the 192.168.1.1 scheme. Currently both old routers are .1, the servers are both .2 and the DHCP address pool starts at .20

Thanks

 

[sseaner]

Please disregard my last question as you already answered it. One concern I have is that I host a web site on my server so I use the port forwarding feature. It only allows forwarding to 192.168.1.* addresses. Can I leave my sever at 192.168.1.2 and use 10.1.1.0 for DHCP for the workstations?

Thanks again

 

[deeno]

If you change the subnet of the device from the default subnet of 192.168.1.X, then it will allow you to forward to whatever subnet you change too. For instance, say you change your router to be on address 10.1.1.254 in a 255.255.255.0 subnet (this is a class C network address in a class A network space but that's ok). You will no longer be able to forward to 192.168.1.X, instead you'll be able to forward to 10.1.1.X. Hope that answers your question...

 

[sseaner]

I have my two RV082. Both my offices have 192.186.1.1 schemes with the WIN2k servers in both offices set at 192.168.1.2. What is the easiest way to set up the VPN or can I leave them as is?

 

[deeno]

I would personally recommend changing the network address of the smallest office from 192.168.1.X to 192.168.2.X.

Once make this change, install your RV082 at each location. Once they are up and running, upgrade the firmware to the latest version (currently it is at version 1.0.11). This can be downloaded from the link below:

ftp://ftp.linksys.com/pub/network/RV082fw1011.zip

Then, after the latest firmware is going at each site, configure your VPN connection. This is actually very easy...

Login to the RV082
Click on the VPN tab
Click on the Add New Tunnel button
Under the Gateway to Gateway section, click Add Now

This will bring you to a screen where you actually make the settings for the VPN. I’m going to make the assumption that both locations are going to have a static IP address, and that you want both locations to allow the entire subnet to have access to the VPN connection. With those assumptions, below are how to configure the settings.

Tunnel No.
This is automatic and shows the tunnel number that you are configuring.

Tunnel Name
Enter the name of the tunnel for identification purposes. This does not actually matter in terms of making this connection work; it’s just there to help you identify it (if you have multiple tunnels configured).

Interface
If you only have a single WAN connection, select that connection. If they are both being used, select the WAN connection with the IP address that you plan on giving to the remote office for the connection.

Enable
Check the box to allow the connection to work.

Local Security Gateway Type
Choose IP only.

IP address
This is the IP address of the WAN interface that you selected above and is entered automatically.

Local Security Group Type
Choose Subnet (to allow the connection to be used by all the computers on the local subnet).

IP address
This is the local network address for the location of the RV082 that you are configuring. For one location, you will enter 192.168.1.0 and for the other you will enter 192.168.2.0.

Subnet Mask
Enter 255.255.255.0

Remote Security Gateway Type
Choose IP Only.

IP Address
Enter the IP Address from which the remote location will establish the VPN connection.

Remote Security Group Type
Choose Subnet (to allow the connection at the remote office to be accessed by all the computers on its subnet)

IP address
This is the network address for the remote RV082 that will connect. For one location, you will enter 192.168.1.0 and for the other you will enter 192.168.2.0 (and these values will be different than the ones you selected above in the corresponding Local Group Setup area).

Subnet Mask
Enter 255.255.255.0

Keying Mode
Choose IKE with Preshared Key

Phase1 DH Group
Choose Group1

Phase1 Encryption
Choose DES

Phase1 Authentication
Choose MD5

Phase1 SA Lift Time
Enter 28800

Perfect Forward Security
Check this in both locations

Phase2 DH Group
Group1

Phase2 Encryption
DES

Phase2 Authentication
MD5

Phase2 SA Life Time
Enter 3600

Preshared Key
Enter random characters and make sure they match in both locations (case sensitive)

Under Advanced Check:
Aggressive Mode
Keep-Alive

Click Save

This should get you going. I need to run, but post back with questions and I’ll be happy to answer!!

deeno

 

[gacollier]

Deeno,

Are you using Client to LAN VPN support on the RV082? If so, what VPN client are you using? Let me know as I need to set this up soon. Also, 3 offices setup for LAN to LAN to LAN and working well!

Greg