1st July 2012, 05:43 PM #1
What's needed for site to site VPN?
Hello,
I want to create a site to site VPN using Windows 2008 DCs at both sites, mainly for Active Directory replication.
I have a Cisco SRP527W model which has some options for VPN. My question is: can the router act as the VPN server, or do I have to configure a Windows server to do all the VPN configuration?
The Cisco router has all the VPN passthrough options enabled, these being PPTP, IPSEC and L2TP. No site to site IPSEC policies are defined as yet, though.
So if creating a Windows 2008 DC at the other site, do I need to configure VPN on the server or just the Cisco router alone?
As far as I know, these are the steps.
1. Set up RRAS server
2. Set up VPN policies on both routers
3. Set up primary DC at HQ
4. Set up an additional DC at HQ
5. Move additional DC to branch site
6. Ping primary DC over VPN
7. Change IP address of secondary DC and wait for replication
Thanks
-
1st July 2012, 05:54 PM #2
Sounds about right. If you have Cisco routers on both ends, you may be able to set up the tunnel with those, which could end up being a more robust solution, as the tunnel will be active during server reboots etc., which could otherwise cause issues unless you had dedicated server boxes to keep the VPN open the whole time.
Configuration Professional: Site-to-Site IPsec VPN Between Two IOS Routers Configuration Example* [Cisco Configuration Professional] - Cisco Systems
Cisco IOS VPN Configuration Guide - Site-to-Site and Extranet VPN Business Scenarios* [Cisco 7200 Series Routers] - Cisco Systems
-
-
1st July 2012, 06:14 PM #3
Great.
I do not have a Cisco router at the other site; that router is a Netgear, but again it allows for VPN setup. Before I go around adding the DC, what's the best way to check the VPN is working correctly after implementing it on the Cisco router, before adding the DC site to site?
Thanks again.
-
-
1st July 2012, 06:55 PM #4 
Originally Posted by purge11
Great.
I do not have a Cisco router at the other site; that router is a Netgear, but again it allows for VPN setup. Before I go around adding the DC, what's the best way to check the VPN is working correctly after implementing it on the Cisco router, before adding the DC site to site?
Thanks again.
I would definitely set it up on the routing hardware as a s2s as mentioned. Then just test pings from one network to the other. Remember subnets must be different at each site or you have to start doing horrid things with NAT.
Rob
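A pre-flight check for the test suggested in the reply above, as an added example that is not part of the original thread: it confirms the two LAN ranges do not overlap, then goes one step beyond ping by probing the TCP ports a domain controller uses. The addresses, site names and function names are assumptions made for illustration, and the port list covers the well-known AD services only, not the dynamic RPC range.

```python
import ipaddress
import socket

# Well-known TCP ports a DC must reach on its replication partner.
# The dynamic RPC port range is deliberately not probed here.
AD_TCP_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper",
                389: "LDAP", 445: "SMB", 3268: "Global Catalog"}


def overlapping_sites(sites):
    """Return pairs of site names whose LAN subnets overlap.

    sites maps a site name to a CIDR string. Any pair returned cannot be
    routed over the tunnel without NAT, so fix the addressing plan first.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def probe_tcp(host, ports, timeout=3.0):
    """Attempt a TCP connect to each port and return {port: reachable}."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, or no route through the tunnel
            results[port] = False
    return results


if __name__ == "__main__":
    # Constructed addressing plan: replace with the real LAN ranges.
    plan = {"hq": "192.168.1.0/24", "branch": "192.168.2.0/24"}
    clashes = overlapping_sites(plan)
    if clashes:
        raise SystemExit(f"Overlapping subnets, renumber one site: {clashes}")
    remote_dc = "192.168.1.10"  # hypothetical address of the DC at the far site
    for port, ok in probe_tcp(remote_dc, AD_TCP_PORTS).items():
        state = "open" if ok else "BLOCKED"
        print(f"{remote_dc}:{port:<5} {AD_TCP_PORTS[port]:<20} {state}")
```

Run it from a machine on one LAN against a host on the other; a successful ping with blocked ports points at a firewall or VPN policy that only passes ICMP.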
-
-
1st July 2012, 07:25 PM #5
You should be able to set up a VPN between the two devices even if they are different. You just need to set up the policies!
-
-
1st July 2012, 07:29 PM #6 
Originally Posted by glennda
You should be able to set up a VPN between the two devices even if they are different. You just need to set up the policies!
Depends on how advanced the hardware is at each end. Cisco IOS should be able to act as a server, assuming it has the right features enabled; it will depend on the feature set of the other router as to whether it can act as a VPN client. Without advanced features, though, it would pipe all traffic through the Cisco unit, which could have nasty contention implications.
-
-
2nd July 2012, 11:11 AM #7
Well these are the two routers
Netgear N300 Wireless ADSL2 modem router Model: DGN2200.
At the branch site - CISCO SRP527W model
None of them have policies defined, but as far as I know, I do not need any other VPN equipment? Just define the policies? If so, how do I go about defining the policies and then testing them? I guess the Cisco would be the easiest to set up an IPSEC policy on.
Thanks
-
-
4th July 2012, 07:47 AM #8
I recommend you get a couple firewalls to handle your VPN connections. We use Fortigate and Sonicwall to VPN over 15 branches. Both have an easy to use web interface, HA, virus protection, etc.
-
-
4th July 2012, 02:25 PM #9
Ah, so those would replace the current routers? Or just separate devices mainly for VPN? A bit limited on budget, but might consider.
Thanks
-
-
4th July 2012, 02:37 PM #10 I don't think you are going to be able to do it with those routers. Normally when I setup VPN's I setup from the firewall rather then the router. I've had mixed experience with the fortinets but have been using Watchguard devices recently which will do what you want. Probably I would say the XTM 2 series or XTM 3 series will do what you are after.
-
-
4th July 2012, 02:42 PM #11
Hmm,
So many devices to choose from. Ok. So I need to purchase 2 XTMs to set up VPN and act as firewall and the routers just stick to connecting internet?
Thanks all
-
-
4th July 2012, 02:46 PM #12 
Originally Posted by purge11
Hmm,
So many devices to choose from. Ok. So I need to purchase 2 XTMs to set up VPN and act as firewall and the routers just stick to connecting internet?
Thanks all
I would set up the router to pass through to the firewall and let the firewall sort all the outbound traffic on the network rather than the router, i.e. network - firewall - router - internet.
-
-
5th July 2012, 08:57 AM #13
We use pfSense for s2s VPN. It has built-in VPN and firewall capabilities, does everything we want it to do, and it's free. We also have another site which has a DC, SAN, router, switch etc., all part of this network but tunnelled through the VPN. Our SANs even replicate with each other over the VPN, so no matter what site our clients/staff go to, everything they want is on hand. If a server goes down, everything can still be accessed also. I think it's L2TP we are using site to site.
-
-
5th July 2012, 12:52 PM #14
Sounds good,
I was about to mention that the XTM 33 is around £700 or so; it's just too expensive. Even my routers cost around £50, so I need a cheaper alternative VPN solution which is not too difficult to set up.