VPN - Router-to-router or router-to-server?

I want to link a site of a customer to their head office where they have Small Business Server 2003 installed. I have set the server to allow VPN connections, and a couple of laptops access this as a dial-up connection when the users are off-site.

If new hardware is required it's not a problem although it will be Drayteks at the most, no Cisco stuff. The head office has a Netgear DG834 giving Internet to the server - DHCP is disabled, it only does port forwarding. The remote office has a BT Business hub thing just provided by BT, does a lot of stuff but no VPNs from what I can see; all it has is public network bridging if this is any use? Would I need to change the BT device for a start?

The DG834 has VPN support. I'm considering changing it to a Draytek anyway, for stability. Is it better for the routers to talk to each other through their own VPN capabilities, or for one router to dial and have the head office router forwarding port 1723 to the server and let the server do the work?
 
Site to site VPN.

Preferably using two Sonicwalls, Checkpoints, Ciscos etc.
But Draytek lets you do it.
You can set a site to site policy to be dialled from either end using IKE.
Set each other as the default gateway for the VPN tunnel and make sure that the hashing algorithms, authentication etc. all match.
Won't be Monday til I'm back in the office where I can take a screen shot.
 
Ok. I've taken a look through the Draytek's VPN/Remote access interface and I could go with that alright.
What about the existing VPN functionality I have set in Small Business Server (through Routing & Remote Access) - will this have to be disabled altogether?
For existing laptop VPN users, will they still be able to dial into the VPN as normal with their Windows domain username & password?
 
If you have remote users that are not at a set location you have a number of options.

A: Use the PPTP VPN as supplied with SBS 2003. Works ok.

B: Use a third party vpn application. The only ones I know of are a Cisco one and ZyXel ZyWall.

I would recommend a site to site connection for the two offices and then maybe use the small business VPN facility for remote users. They should both work together although I've never tried it.

Jon
 
Thanks Jon, will give that a go.
I'm thinking of putting a Draytek into the head office and taking the DG834 that was there before, and putting it into the remote office. The DG834 does have VPN support, but has anybody had experience of its performance and stability?
 
5tephen said:
Thanks Jon, will give that a go.
I'm thinking of putting a Draytek into the head office and taking the DG834 that was there before, and putting it into the remote office. The DG834 does have VPN support, but has anybody had experience of its performance and stability?

Not used the Netgears, but have set up loads of site to site VPNs with Vigors, mainly Vigor to Vigor or Vigor to Netscreen and they work very well from my experience.
 
oddjob62 said:
Not used the Netgears, but have set up loads of site to site VPNs with Vigors, mainly Vigor to Vigor or Vigor to Netscreen and they work very well from my experience.

I think Vigor's, Netscreens and the like are much better routers than Netgear brands.
 
What about the existing VPN functionality I have set in Small Business Server (through Routing & Remote Access) - will this have to be disabled altogether?

No, this just needs port 1723 TCP passed through to the server.
IKE uses UDP ports 500 and 4500.

Remote workers can still dial in on PPTP ports in RRAS.
 
Two Drayteks will do the job admirably. Just set them up to do site to site IPsec VPN, there's info on the Draytek site, and it won't mess with the SBS VPN.

I tried this with a DG834G and a V2800VG and suffered terrible packet loss. I set the Draytek to dial to the Netgear as that was the only reliable way of the connection being re-established after the time out. You might have better luck than me though so try it.
 
Well I've bought 3 Drayteks (a 2900 and 2 x 2910s) today just to have because I know they'll be used. 4 of my customers have Drayteks installed and they're just devices you set up at the start and completely forget about them. Jimathy - I'll bear your advice in mind, I'm not expecting wonders but I'll give the Netgear a go for a short while anyway and see how it goes.

Pint said:
No, this just needs port 1723 TCP passed through to the server.
IKE uses UDP ports 500 and 4500.

Remote workers can still dial in on PPTP ports in RRAS.

Thanks.
One more thing. How do people find the speed of VPNs on standard 2mbit ADSL lines with e.g. logging onto domains, Exchange traffic and basic file browsing, if the domain controller is on a remote site?
 
5tephen said:
Thanks.
One more thing. How do people find the speed of VPNs on standard 2mbit ADSL lines with e.g. logging onto domains, Exchange traffic and basic file browsing, if the domain controller is on a remote site?

Main thing you have to remember is that the 2Meg means nothing. It's the UPLOAD speed that is the choke point. If this is going to be used by more than a couple of users at a time I would highly recommend upgrading the line (at least at the HQ site) to SDSL or better.
 
oddjob62 said:
Main thing you have to remember is that the 2Meg means nothing. It's the UPLOAD speed that is the choke point. If this is going to be used by more than a couple of users at a time I would highly recommend upgrading the line (at least at the HQ site) to SDSL or better.

I know, and SDSL isn't available at the head office site :( I registered interest with BT a month ago but I don't know what significance that will have to them. I was thinking of keeping them on separate connections and just using Outlook over HTTP and keep documents stored on local computers on remote sites if I found that the VPN wasn't coping. I'll give the VPN a go anyway and see how it works out; there's only one remote site for now but another will be set up in a couple of months time; there's 2 computers per remote office.
 
Slightly off topic but has anyone got a Netgear DG834xx VPN working with a non-Netgear VPN client and if so how?
 
Another note, now that I have a Draytek or two sitting around, what do you recommend for the actual DSL connection? The 2900 and 2910 models I have here do not have built-in DSL modems - do I have to have a similar-grade modem to withhold the same quality of connection, if all it is doing is literally dialing to the web?
 
Zyxel prestige will do the job quite well.
Can pick them up from reputable places for around the £40-50 mark.
£35 wholesale.
Mine's a 660H and is rock solid. It's what we generally supply to all of our clients for their offices.
 
Forgot to take screenshots of the 2900 lan to lan profile setup but it's generally a case of these settings:

Dial out and Dial in both enabled.

Make a long preshared secret.

Use IKE auth.

Remote gateway is the wan address of the other draytek.
Use main mode authentication.
If the IP is static for one site then you'll have to use Aggressive mode, and set the static site as the dial in and the dynamic site as dial out.
Phase 2 should use 3DES with auth, ESP should be set to high.
Phase 1 should be group1 with MD5 (I don't think they support SHA1) and 3DES (Phase 1 found in advanced settings underneath where you put in the IKE key, can't remember if they can do AES, don't think so.)

Right down the bottom on the left hand side you specify the remote gateway again, the remote LAN range and your own LAN range I think.

Disable RIP etc.
You also need to set the IKE pre shared key in the main pre shared key section under the VPN and remote management menu as well as the LAN to LAN profile.
This is all off the top of my head, I'll try get a screen tomorrow.
 
If you can't get SDSL and want a high upload, Max Premium (up to 832kbps upstream) and/or bonding (upstream of a single line * number of lines, theoretically limitless) might be worth some consideration.
 
I think they will get by on ADSL, it's just that I'm wondering how so many companies out there are able to work with such low-speed connections. How do they cater for it? I have been talking to a couple of people who work in companies that have leased lines sitting at 128k both ways and pay hundreds of pounds/euros a month for the privilege. And there's at least 20 - 30 computers on either end. What use is 128k between even 1 or 2 computers, never mind that amount?

Also, Pint - because I'm using a separate ADSL modem, is my service:
a) improved because there's 2 devices splitting the workload
b) reduced because there's a lower grade device actually dialing to the Net? Zyxels are good and I use them, but just how much work would it be doing with say 30 or 40 computers communicating over it?
And thanks so far for all your advice.
 