Site to site VPN question(s)

Answered Question
Apr 12th, 2007

I've searched everywhere for these answers and while some answers have come close I want to be 100% for sure.

Our business recently re-acquired an independently owned franchise (which is actually two offices about 300 miles apart). In doing this we want to link the two offices we acquired together, however a point-to-point T1 line at these locations is cost-prohibitive.

I don't have any directed questions about configs at this point...just verifying the answers to some questions before I purchase more hardware.

Site 1 will host Active Directory, File and Print services, WINS, DHCP, DNS, Email and the business system (SAP Business One). At this location reside 15 client PCs.

Site 2 is a small office with 3 PCs that will need to authenticate to the Active Directory domain at Site 1 and use the services (email and such) that reside at site 1.

Question 1. If we have DSL at both locations could we create a site to site VPN tunnel linking the two with Cisco 800 series routers over the DSL connection (we have one 837 now), with site 2 clients receiving DHCP, WINS, DNS, Active Directory Authentication, file sharing and Email from Site 1 across the tunnel?

Question 2: Could traveling users on laptops connect in from the road (hotels, home, etc.) with a VPN client loaded on their laptops to site 1 without interrupting the tunnel?

Question 3: Does Site 2 network need to be on a different internal (private) network? For example, site 1 192.168.76.0/24, site 2 192.168.55.0/24? Or can the VPN function with all hosts on the same network?

Question 4: If we have one 837 now does the second site have to have an 837 to make this easier or will any 800 series router work?

Question 5: Will these 800 series routers provide enough firewall that it will be secure -- will a DSL connection and the 800 series be enough at each location?

Question 6: Will Site 2's internet usage be proxied across the tunnel or will it use the local DSL connection only?

I may have more questions on Monday as I'm traveling there for a site survey.

Thanks in advance and any answer to any of these questions is appreciated.

Tyler

Correct Answer by Richard Burts, Sun, 04/15/2007 - 17:59

Tyler

my answers to your questions are in line:

Question 1. If we have DSL at both locations could we create a site to site VPN tunnel linking the two with Cisco 800 series routers over the DSL connection (we have one 837 now), with site 2 clients receiving DHCP, WINS, DNS, Active Directory Authentication, file sharing and Email from Site 1 across the tunnel?

- if you have DSL at both locations you should be able to set up a site to site VPN tunnel which should allow clients at site 2 to receive these services from site 1. There might be a need for ip helper-address for services which are located via local broadcast and appropriate configuration of clients for remote servers (DNS, email, etc).

Question 2: Could traveling users on laptops connect in from the road (hotels, home, etc.) with a VPN client loaded on their laptops to site 1 without interrupting the tunnel?

- you should be able to support both a site to site tunnel and dynamic tunnels for client software at the same time and without interfering with each other.

Question 3: Does Site 2 network need to be on a different internal (private) network? For example, site 1 192.168.76.0/24, site 2 192.168.55.0/24? Or can the VPN function with all hosts on the same network?

- site 2 does need to be on a different subnet/network. Otherwise it gets ambiguous whether the destination is local or is via the tunnel.

Question 4: If we have one 837 now does the second site have to have an 837 to make this easier or will any 800 series router work?

- the other site should not need an 837. Any other 800 model should work.

Question 5: Will these 800 series routers provide enough firewall that it will be secure -- will a DSL connection and the 800 series be enough at each location?

- whether it is enough will depend on what your requirements are. If you need deep packet inspection then they will not, if you need really sophisticated firewall policies then they will not. But if your requirements are for filtering of unwanted protocols, allowing responses to outbound connections initiated from inside, and that kind of thing then they should be adequate.

Question 6: Will Site 2's internet usage be proxied across the tunnel or will it use the local DSL connection only?

- you have choices about this. It can work both ways, so you should be able to get it to do whatever you prefer. Given what I think that I understand of the environment I do not see much convincing reason to have site 2 proxied across the tunnel.

HTH

Rick

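The configuration below is an added example, not part of Rick's answer and not taken from any Cisco document, showing how the six points above translate to IOS on the 800 series: one crypto map at Site 1 carries both the static tunnel to Site 2 and the dynamic client tunnels (question 2), the crypto and NAT-exemption ACLs are built on the two distinct subnets from question 3, `ip helper-address` relays Site 2's DHCP broadcasts across the tunnel (question 1), CBAC plus an inbound ACL provides the stateful firewall Rick describes (question 5), and Site 2's general Internet traffic stays on its own DSL line (question 6). The public addresses, server IP, address pool, group and user names, keys and interface names are all assumptions chosen for illustration.

```cisco
! ===== Site 1: Cisco 837 hub (site-to-site peer plus remote-access server) =====
! Assumed for this example: IOS 12.3 with a k9 crypto image (use 3des if the
! image lacks AES), DSL public IPs 203.0.113.1 (Site 1) and 203.0.113.2
! (Site 2), the AD/DHCP/DNS/WINS server at 192.168.76.10, and placeholder
! keys/passwords. The ATM0/PPPoA/Dialer0 provisioning for DSL is omitted.

! Phase 1 (IKE) policy, shared by the static peer and the software clients
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! "no-xauth" keeps the router-to-router tunnel from being challenged for user
! credentials once client authentication is enabled on the same crypto map
crypto isakmp key S1t3T0S1t3-ChangeMe address 203.0.113.2 no-xauth
! Q2: remote-access group (Cisco VPN Client). aaa new-model also switches
! console/vty login to local accounts, so keep a username defined.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username vpnuser secret ChangeMe-StrongPassword
ip local pool VPN-POOL 192.168.99.1 192.168.99.30
crypto isakmp client configuration group ROADWARRIORS
 key R0adWarr10r-GroupKey-ChangeMe
 dns 192.168.76.10
 wins 192.168.76.10
 domain corp.example
 pool VPN-POOL
 acl SPLIT-TUNNEL
! Phase 2 transform; one crypto map carries the static tunnel (seq 10) and
! the dynamic client tunnels (seq 65000), so neither interrupts the other
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
crypto map VPN client authentication list VPN-USERS
crypto map VPN isakmp authorization list VPN-GROUPS
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address SITE1-TO-SITE2
crypto map VPN 65000 ipsec-isakmp dynamic DYN
! Q3: distinct subnets at each site; the crypto ACL is what selects
! Site 1 -> Site 2 traffic for encryption. Clients split-tunnel: only
! Site 1 LAN destinations go through the VPN.
ip access-list extended SITE1-TO-SITE2
 permit ip 192.168.76.0 0.0.0.255 192.168.55.0 0.0.0.255
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.76.0 0.0.0.255 any
! NAT runs before encryption, so tunnel traffic must be denied here first
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.76.0 0.0.0.255 192.168.55.0 0.0.0.255
 deny   ip 192.168.76.0 0.0.0.255 192.168.99.0 0.0.0.255
 permit ip 192.168.76.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Dialer0 overload
! Q5: CBAC stateful inspection admits replies to inside-initiated sessions;
! the inbound ACL otherwise allows only IKE, NAT-T and ESP. The two LAN
! permits are needed on IOS before 12.3(8)T, where decrypted packets are
! re-checked against the interface ACL; they are harmless on later releases.
ip inspect name FW tcp
ip inspect name FW udp
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 permit ip 192.168.55.0 0.0.0.255 192.168.76.0 0.0.0.255
 permit ip 192.168.99.0 0.0.0.255 192.168.76.0 0.0.0.255
 deny   ip any any log
interface Ethernet0
 ip address 192.168.76.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map VPN

! ===== Site 2: any 800-series with a crypto image (Vlan1 as on an 877) =====
! Same ISAKMP policy and transform set as above (not repeated). Q6: only
! Site 1-bound traffic is NAT-exempt, so Site 2's browsing uses its own DSL.
crypto isakmp key S1t3T0S1t3-ChangeMe address 203.0.113.1
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address SITE2-TO-SITE1
ip access-list extended SITE2-TO-SITE1
 permit ip 192.168.55.0 0.0.0.255 192.168.76.0 0.0.0.255
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.55.0 0.0.0.255 192.168.76.0 0.0.0.255
 permit ip 192.168.55.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface Dialer0 overload
interface Vlan1
 ip address 192.168.55.1 255.255.255.0
! Q1: relay DHCP broadcasts to the Site 1 server through the tunnel
 ip helper-address 192.168.76.10
 ip nat inside
```

Two practical checks before relying on this: the DHCP server at Site 1 needs a scope for 192.168.55.0/24, because relayed requests arrive with the relay address 192.168.55.1 as the gateway and the server's unicast replies to that address must be matched by the crypto ACLs (they are, in the lists above); and `show crypto isakmp sa` and `show crypto ipsec sa` on either router confirm that the phase 1 and phase 2 SAs exist and that packet counters increase when a Site 2 PC talks to the domain controller. The `acl SPLIT-TUNNEL` line keeps road-warrior laptops' own Internet traffic out of the tunnel; remove it if the policy is to force all client traffic through Site 1's firewall. A group pre-shared key for remote clients is the weakest link in this design, since IKE aggressive mode with a shared group key lets anyone who obtains the key impersonate the gateway, so treat it as a credential to be rotated and move to certificates if the laptop population grows.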
dbellaze Sat, 04/14/2007 - 21:15

Since your second site is so small I would try to leave things as simple as possible.

I would use the 837 in Site 1 and set it up to terminate VPN client connections and just have the Site 2 office PCs configured with the VPN client for access to company resources.

Here's a sample configuration doc for Site 1.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

Daniel


twebb@ditchwitch.com Sun, 04/15/2007 - 18:19

Rick,

Thanks a lot for the step by step response. I appreciate it a lot.

I think we're going to end up using the 837 as a spare and deploy 877's at each site.

Thanks again,

Tyler

hansee@efreeport.com Fri, 04/20/2007 - 08:18

Tyler,

You may want to consider a small domain controller server at your secondary site. Then, the DHCP, DNS and the AD authentication traffic will remain local to your secondary site network. In that way, your secondary site can remain somewhat functional in case the VPN over ADSL goes down...

Hans
