VPN Tunnel Questions

Discussion in 'Networks' started by LukeP, Jun 21, 2009.

  1. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    The company I work for has 4 different office locations. At the moment interconnectivity is by using static IPs and over the internet. Every office has its own domain and a server. I have found that the company who was looking after the IT infrastructure is so unprofessional that I might have to deal with everything myself. However, I've found 4 packaged VPN-capable NetGear firewalls which I would like to utilise at some point.

    Now, my question is:
    If everything works without VPN using the internet and static IPs, will it continue to work next to a VPN tunnel when I create one? Will I be able to set up a tunnel and then move some of the connectivity to use the tunnel partially, while keeping everything usable in the meantime?
     
    WIP: Uhmm... not sure
  2. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Maybe, I've had problems with this kinda setup before. Basically, because the endpoint of your VPN is going to be the published IP that is currently being used to push traffic over the internet, this can throw up some issues.

    Do you have one static IP per site? If you have a range you could create the VPN tunnels with a different IP.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  3. LukeP

    I have one IP per site. So basically if for now I get 2 extra IP addresses for 2 sites and create a tunnel, the rest should work as normal and allow me to partially move the whole traffic to the VPN channel? It is still a long way ahead as the company who deployed the network in all the branches decided it's a good idea to use the same subnet and same IP range for the networks.
     
  4. Sparky
    It depends on the ISP, they may give you a routable range of IP addresses and you keep the static IP you already have. Can you reconfigure what you already have in place to use a new published IP address if needed?

    You are going to have to change the LAN subnets before you think about putting VPNs in if you want a smooth migration.

    In most cases when creating a VPN tunnel you will need to specify an endpoint (published IP) and then the remote LAN subnet, and if that's the same as the LAN subnet in the main site then the traffic will not be able to route. You can get around this by putting a second IP address on the servers and giving the Netgear two IP addresses (if it supports it). You may still have problems though, so perhaps include changing the LAN subnets first as part of your migration strategy.

    I've been in your situation before. Basically the company who put the network in had the same "site build", which meant each site had its own domain, same subnet and same server names. I ended up reconfiguring the whole thing as one domain and connecting all the sites together. It was a big migration but worth the hassle in the long run.

    HTH mate. :biggrin
     
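The subnet clash described in the post above, as an added example that is not part of the original thread: it lists which sites' LANs overlap, shows why an address is ambiguous across tunnels, and builds a renumbering plan. The site names, the 192.168.0.0/24 template range and the 10.20.0.0/16 pool are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: four sites built from one template, so every
# LAN uses the same range. Names and addresses are assumptions.
SITES = {
    "hq": "192.168.0.0/24",
    "branch-a": "192.168.0.0/24",
    "branch-b": "192.168.0.0/24",
    "branch-c": "192.168.0.0/24",
}

def find_conflicts(sites):
    """Return sorted pairs of site names whose LAN subnets overlap."""
    nets = {n: ipaddress.ip_network(c) for n, c in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def sites_for(ip, sites):
    """Sites whose LAN contains `ip`; more than one means a tunnel
    endpoint cannot tell local traffic from remote traffic."""
    addr = ipaddress.ip_address(ip)
    return sorted(n for n, c in sites.items()
                  if addr in ipaddress.ip_network(c))

def renumber_plan(sites, supernet="10.20.0.0/16", prefix=24, keep=("hq",)):
    """Keep the subnets of the sites in `keep`; give every other site
    the next free block from `supernet` (a hypothetical private range)."""
    plan = {n: sites[n] for n in keep}
    kept = [ipaddress.ip_network(c) for c in plan.values()]
    pool = ipaddress.ip_network(supernet).subnets(new_prefix=prefix)
    for name in sorted(set(sites) - set(keep)):
        for cand in pool:  # generator: each block is handed out once
            if not any(cand.overlaps(k) for k in kept):
                plan[name] = str(cand)
                break
        else:
            raise ValueError(f"{supernet} has no free /{prefix} left")
    return plan

if __name__ == "__main__":
    print("conflicts before:", find_conflicts(SITES))
    print("192.168.0.10 could be at:", sites_for("192.168.0.10", SITES))
    plan = renumber_plan(SITES)
    print("plan:", plan)
    print("conflicts after:", find_conflicts(plan))
```
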
  5. LukeP

    Yeah I will make all the remote networks VPN ready before joining them to our main network. I have some servers that can be and should be moved to head office first. That should make the subnet change easier on remote networks. When they're ready I'd like to start moving them to VPN channel as trusted domains and when that's done start merging the domains. I would like to keep current remote access solution active until all branches are connected via VPN. I'm using BT as ISP.

    I want to implement VPN at firewall level as I have the hardware. Can an ADSL router act as a gateway for the VPN tunnel and Internet gateway for the local network at the same time?

    Thanks for your help Sparky
     
  6. Sparky
    It depends on the device to be honest. Do you know what hardware you are going to be using?
     
  7. LukeP

    At the moment I have 2 units of NetGear FVS318 linky. Routers are those provided by BT Netgear DG834G linky.
     
  8. Sparky
    Looks like you will need a new router mate.

    If you only have one IP address then you will need to bridge the connection from the router onto the WAN interface of the firewall. I don't think the router you have listed supports that.

    This does...

    http://www.billion.uk.com/product/adsl/5200s.htm

    Ignore 99.9% of the spec, it will bridge the connection nicely and you can then concentrate on the firewall setup after that.
     
  9. LukeP

    By the time I sort the network out I am sure I'll be able to get a decent router. However, looking at the specs I am wondering if it isn't what I am after:

     
  10. Sparky
    To be honest I would use those firewalls at your branch offices and get something better for HQ.
     
  11. LukeP

    Thanks for your help Sparky.
    Seems like I can't avoid working over the weekend then :dry
     
  12. Sparky
    That's network migrations for ya! :biggrin
     
  13. cpickering

    cpickering Bit Poster

    12
    0
    4
    You would be better having something better at your HQ.. I presume (didn't read all the thread - oops) your HQ is essentially the main connection point with your other offices being leafs on your VPN connection, if so, use the small routers at the leafs, and deploy a dedicated VPN server at the HQ..

    I've used:

    NetGear SSG 20's for leafs in the past and Astaro ASG servers 110s for leafs and 220's/320's for HQs..

    Both dead easy to setup..

    On a side note, I should really read threads more, but I'm job surfing at the moment :(
     
