
Site to Site VPN - where to start?


Fox1977 (IS-IT--Management, GB), Dec 6, 2001
hi all,

Just wanted to get some ideas and expertise from everyone as I'm new to VPNs and got a big project to work on.

Our company has just acquired an office at the other end of the country and I have the job of connecting the two office networks together.

I have spent the last few weeks getting a remote access VPN up and running for teleworkers using Microsoft RAS. Now I need to look into getting a site-to-site VPN set up and just wanted to share my ideas.

The plan I was looking at was having each network (complete with DNS, DHCP and Windows domain controller) on a different network address, and using a DrayTek router in one office to connect to a SonicWall router in the other office (running on a different network address). I'm just starting out on a CCNA course, so this is a good grounding!

I'm just a bit unsure about how I go about setting them up in practice. I am not too worried about getting the two different domains sorted yet; I'd be happy just to get them connected first. Where would people recommend starting?

Anyone any tips or ideas based on their own experiences?
 
My first suggestion would be, if you can, use the same brand of equipment in both offices - maybe stick with SonicWall. You won't ever have to worry about VPN settings if you do that, apart from making sure each side is using the same settings. You will also be able to use SonicWall's IPSec client for all your remote users, regardless of which office they want to connect to.

Site-to-site VPNs are not that tough. Define your internal subnets, pick your encryption/authentication method, adjust other settings (PFS, key lifetimes) to suit your taste and you should be fine. If you are just using pre-shared keys as the shared secret then you don't even have to mess around with certificates, unless you want extra security, but you can always implement that later once you are more comfortable with VPNs. As far as choosing encryption, the better it is the worse the performance. 3DES-MD5 is probably the bare minimum. It really depends on how much traffic you expect and how important security is. 3DES has known weaknesses but AES 256-bit and SHA2 are hardware-intensive and may not even be supported by what you have.

Trial and error is how I learned - and I still have a LOT to learn about VPNs, but while it was intimidating before with the whole alphabet soup like IKE, ESP, DH1, AH, etc. etc., it's not so bad. Don't get caught up in all the minor details - get your settings to match up and get that first tunnel up and running so you can get that "Eureka!" moment and then experiment/test from there. Google is your friend.

Hope that helps.
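The advice above boils down to "define your subnets, pick matching proposals, and make sure both ends agree". The following Python script is an added example (it is not from the thread or from any router vendor) that models both routers' tunnel settings and reports every place they fail to mirror each other: phase 1/phase 2 proposals, the pre-shared key, the peer gateway addresses, and the LAN subnets (which must be swapped between the two sides and must not overlap). The field names, the two office configurations and the addresses are constructed for the example; the `legacy_warnings` helper just flags the algorithms the post describes as the bare minimum or weak.

```python
"""Added example: sanity-check two site-to-site IPsec tunnel definitions."""
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class TunnelSide:
    """One router's view of the tunnel. Field names are this example's own;
    map them onto whatever your router's VPN page calls them."""
    name: str
    local_subnet: str        # LAN behind this router, e.g. "192.168.10.0/24"
    remote_subnet: str       # LAN it expects behind the peer
    local_wan_ip: str        # this router's public address
    remote_wan_ip: str       # peer gateway it negotiates with
    encryption: str          # e.g. "3des", "aes256"
    auth: str                # e.g. "md5", "sha1", "sha256"
    dh_group: int            # IKE Diffie-Hellman group
    pfs: bool                # perfect forward secrecy on phase 2
    ike_lifetime_s: int      # phase 1 SA lifetime
    ipsec_lifetime_s: int    # phase 2 SA lifetime
    psk: str                 # pre-shared key


# Proposal settings that must be identical on both ends of the tunnel.
MIRRORED_SETTINGS = ("encryption", "auth", "dh_group", "pfs",
                     "ike_lifetime_s", "ipsec_lifetime_s")

# Algorithms the thread calls the bare minimum or already weak.
LEGACY_ALGORITHMS = {"des", "3des", "md5"}


def check_tunnel(a: TunnelSide, b: TunnelSide) -> list[str]:
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems: list[str] = []

    # 1. Phase 1/phase 2 proposals must match exactly.
    for key in MIRRORED_SETTINGS:
        va, vb = getattr(a, key), getattr(b, key)
        if va != vb:
            problems.append(f"{key}: {a.name}={va!r} vs {b.name}={vb!r}")

    # 2. Same shared secret on both sides; compare in constant time.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        problems.append("psk: the two sides use different pre-shared keys")

    # 3. Each side's remote gateway must be the other side's WAN address.
    for near, far in ((a, b), (b, a)):
        if near.remote_wan_ip != far.local_wan_ip:
            problems.append(f"{near.name} peers with {near.remote_wan_ip}, "
                            f"but {far.name}'s WAN address is {far.local_wan_ip}")

    # 4. Subnets must be crossed over (A's remote is B's local) and not overlap.
    a_local, a_remote = map(ipaddress.ip_network, (a.local_subnet, a.remote_subnet))
    b_local, b_remote = map(ipaddress.ip_network, (b.local_subnet, b.remote_subnet))
    if a_remote != b_local:
        problems.append(f"{a.name} expects {a_remote} behind the peer, but {b.name}'s LAN is {b_local}")
    if b_remote != a_local:
        problems.append(f"{b.name} expects {b_remote} behind the peer, but {a.name}'s LAN is {a_local}")
    if a_local.overlaps(b_local):
        problems.append(f"local subnets {a_local} and {b_local} overlap; "
                        "routing across the tunnel would be ambiguous")
    return problems


def legacy_warnings(side: TunnelSide) -> list[str]:
    """Algorithms on this side that the thread treats as a floor or as weak."""
    return [alg for alg in (side.encryption, side.auth) if alg.lower() in LEGACY_ALGORITHMS]


def with_setting(side: TunnelSide, **changes) -> TunnelSide:
    """Copy of a side with some fields changed, for what-if checks."""
    return replace(side, **changes)


# Constructed sample configs for the two offices (documentation address ranges).
HEAD_OFFICE = TunnelSide(
    name="head-office", local_subnet="192.168.10.0/24", remote_subnet="192.168.20.0/24",
    local_wan_ip="198.51.100.10", remote_wan_ip="203.0.113.20",
    encryption="aes256", auth="sha256", dh_group=14, pfs=True,
    ike_lifetime_s=28800, ipsec_lifetime_s=3600, psk="example-psk-replace-me")
BRANCH_OFFICE = TunnelSide(
    name="branch-office", local_subnet="192.168.20.0/24", remote_subnet="192.168.10.0/24",
    local_wan_ip="203.0.113.20", remote_wan_ip="198.51.100.10",
    encryption="aes256", auth="sha256", dh_group=14, pfs=True,
    ike_lifetime_s=28800, ipsec_lifetime_s=3600, psk="example-psk-replace-me")

if __name__ == "__main__":
    print("matching pair:", check_tunnel(HEAD_OFFICE, BRANCH_OFFICE) or "no mismatches")
    for p in check_tunnel(HEAD_OFFICE, with_setting(BRANCH_OFFICE, dh_group=5, auth="sha1")):
        print("mismatch:", p)
    print("legacy algorithms on a 3DES-MD5 setup:",
          legacy_warnings(with_setting(HEAD_OFFICE, encryption="3des", auth="md5")))
```

Run it once with the real values typed in for both sides before you touch the routers; a tunnel that will not come up is almost always one of the lines this script prints.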
 
Umm, although having two devices the same limits compatibility issues and provides one interface for you to learn.

I do like the DrayTeks for small remote offices/home users

because

they include ADSL - just one box

easy to talk a user through fixing a problem if you cannot connect to it, because they are so simple - no need for an IT person at each site

the 2800gi has an ISDN backup - so VPN redundancy

they include wireless and DHCP

But

they are really only good for a single VPN tunnel

and rules must be set on your other device

I would give it a go before buying a new firewall, which may be difficult to support remotely

----

How many users do you have at each site? It really depends on the answer.


 
here are the instructions:

LAN to LAN Vigor Router to SonicWall Firewall with IPSec tunnel



Also I have just started my CCNA, and I don't think it will cover VPNs in the detail you might like:

I went on a specific WatchGuard firewall course a year ago; perhaps a SonicWall course would be of more immediate help
 
I have had a look at the DrayTek guide.

What do I do for the IKE key when using IPSec? Do I just choose a phrase and use this at either end, or do I have to generate the key somehow?
 
Just use any string of letters/numbers/symbols. The longer and more random, the better. Use the same string on both sides.

Those all-in-one devices are good for small offices but they are really putting all your eggs in one basket. If it conks out and you are relying on it for VPN as well as WiFi, DHCP, etc. then you are in trouble.
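To put "the longer and more random, the better" into practice, here is an added Python example (not from the thread or from either vendor) that generates a pre-shared key from the operating system's CSPRNG and gives a rough entropy estimate for any string, so a short typed phrase is rejected before it gets pasted into both routers. The alphabet, the 16-character floor, the 128-bit threshold and the entropy estimate are this example's own choices; the estimate is a crude upper bound based on the character classes present, not a dictionary check.

```python
"""Added example: generate and sanity-check an IKE pre-shared key."""
import math
import secrets
import string

# Character set for generated keys. Quotes, backslash and whitespace are left
# out because some router web forms mangle them (an assumption for this example).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-./:=?@^_~"


def generate_psk(length: int = 32) -> str:
    """Random pre-shared key from the OS CSPRNG; paste the same value on both routers."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def estimated_entropy_bits(psk: str) -> float:
    """Rough upper bound on the key's entropy: length times log2 of the size of
    the character classes it draws from. Enough to reject a short typed phrase,
    not a measure of how guessable a dictionary word is."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 33   # printable ASCII punctuation
    return len(psk) * math.log2(pool) if pool else 0.0


def psk_is_strong(psk: str, min_bits: float = 128.0) -> bool:
    """True if the crude estimate clears the threshold (128 bits is this example's choice)."""
    return estimated_entropy_bits(psk) >= min_bits


if __name__ == "__main__":
    key = generate_psk()
    print(f"generated key: {key}  (~{estimated_entropy_bits(key):.0f} bits)")
    for candidate in ("password", "Tr0ub4dor&3", key):
        print(f"{candidate!r:40} strong={psk_is_strong(candidate)}")
```

Generate the key once, enter it on both routers, and keep it somewhere only the administrators can read; the thread's point that the same string must be used on both sides still applies, the script just makes sure that string is not a guessable phrase.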
 