Do a Google search in this group for the many posts from Mike Drechsler. I have taken his advice used the Netopia 3386-ENT routers (around $105 each) in a setup very similar to yours, but with 3 sites and a handful of remote connections. The configurations are not for the faint of heart, as they are all text-menu driven. I had quite a few setup issues, but the were mostly due to my inexperience. Their web site has a lot of good technotes, and Mike has been a great help. After a couple of weeks of playing with them, the settings become fairly straightforward and instinctual. I'm about to go live with remote access to my custom app via Terminal Services, and the 3 sites appear to have stable meshed IKE/IPSEC-secure VPN tunnels over ADSL (384k/1.5Mb) as of today. No VPN clients required at the sites, only the built-in XP VPN configs(PPTP+MPPE) for the remote users.
I'm only passing the RDP protocol through the site-to-site VPN tunnels though, so your app's performance may vary depending upon the client-server communication requirements.
I have a diagram at a link that'll last for 7 days showing what I'm trying to do.
I want a low-end Split-tunneling site-to-site VPN router. At least I think I do. My goal is to avoid needing any VPN software on the PC's of either site. However, if folks use PC's or laptops from remote locations, they will need some type of VPN client -- hopefully something built into XP.
I currently have one network card in each computer. I can install another if it'll help. There's one internet (cable, static IP) connection at each location.
If I'm at a machine on the right side, I should be able to access the server over the intranet. All right-site WAN traffic should be unencrypted traffic going out over the internet. There should be no pressing need to directly access a PC at left-site.
If I'm at a machine on the left side, I should be able to access the server over a secured VPN connection via the internet. All other traffic (web browsing, e-mail retrieval, etc.) should go out unencrypted over the internet.
I'm aware of the potential security issues with split tunneling, but I need to do it. The server essentially is a closed unix/linux system I have no access to and know nothing about. The people who have installed it dropped off the face of the earth, but it runs. It is not a FTP/WEB/etc server. It just has a custom application running on it. Folks log in and run the app.
I'm aware there's a contingent out there that'll recommend getting a linux box of some sort combined with some sort of proxy. I haven't done that before and money/time are a consideration. I promise to look into that as a longer term solution if that's the recommendation, but I need to get this up and running.
My fallback option at the moment is to leave the system totally open and drop VPN, which is a pretty horrible option.
I know there are routers that will do what I want, but I've been searching the internet and nothing mentions it by name. I can't go about buying all the VPN routers on the market and testing them to see if they'll do what I need. I also thought if I got two cable internet connections at left-site, I could put two network cards in the PC's there and use one connection for VPN and a non-VPN wireless router for communication with the wild.
I just realized I never said thank you. Thank you. :) I ended up asking them to find someone else to do it as I didn't feel confident enough that my suggestion would work. They didn't have 3 weeks to get set up.
I am unsure of what you mean by "split tunneling". In your diagram you show two locations (left -L and right -R), this could be 10 locations, it wouldn't matter but I'll stick to L & R.
When you set up the BEFVP41's you need to do 3 things:
Be sure to upgrade the BEFVP41's software to 1.01.04. Even new one's straight out of the box may have old software rev's in them, so be sure that you update to the latest version and at least 1.01.04.
Set up a domain name for the routers. If one or both of the sites are using dynamic dns then you can easily set up a DDNS with DynDNS
Set the broadband modem to bridge mode and the BEFVP41 to automatically update DynDNS (30 sec works well).
Set up the BEFVP41 VPN tunnels to each location. Let's assume that Left PC's are 192.168.2.100-105 and the Right are
192.168.6.100-105 + 192.168.6.106 for the server.
For BEFVP41-L: You set the Local Secure Group (subnet, IP address, or IP range); IP Range 192.168.2.100 - 192.168.2.105. This will allow all PC's with those IP's access to the encrypted VPN tunnel.
Next you set up the Remote Secure Group (still in BEFVP41-L), where you want to go. You can set it up the same as Local Secure Group (subnet, address, range) and in this case if you only wish PC's L to access the server you'd enter IP Addr 192.168.6.106.
Next you set the Remote Secure Gateway. YOu can set by FQDN, IP Address, Any. In this case you've assigned a DDNS to the BEFVP41-R, so set FQDN and the DDNS of BEFVP41-R (example floss-r.dynalias.com).
Next you set the encryption type and key management.
For BEFVP41-R you reverse the process & enter the DDNS of BEFVP41-L (example floss-l.dynalias.com).
In BEFVP41-L, click the Connect button and the VPN tunnel will be built between the two locations. All PC-L's can now access the server via the encrypted VPN tunnel by it's IP address 192.168.6.106 (or domain name if you've given it one). The VPN tunnel will stay up 24x7 unless you lose power.
If you are running Win2K or WinXP-P in PC-L's it's wise to set up Terminal Services at PC-L for the server application, otherwise you will be transfering huge amounts of data back and forth across a relatively slow DSL line and the users *will* experience lengthy delays.
PC-L & PC-R can still access the internet as normal. Be aware that because PC-L and PC-R do have access to the internet that they can be hacked, get viruses, etc., just like any other PC, so be sure to set the firewall in the BEFVP41's to *on* and add any other protective measures.
The above may sound a little complicated, but it's not really. There are a few settings that I've left out, but those are the basics.
I've set up multiple store locations using the same/similar setup (all using dynamic DNS DSL), and once set up properly I seldom have any problems at all. I do run full virus & spyware scans once daily on all the systems, have added extra software firewalls on the PC's & other protective measures, etc. Early on the only problem that I had was a user in one store liked to surf the internet a little too freely and kept picking up spyware & other nasty stuff. A few clicks in the router & firewall settings fixed that though :-).
I forgot to add that you can set up multiple VPN tunnels within those same routers; VPN's to another location, VPN's for certain PC's to access certain applications/servers, or another set of PC's on the other side, etc. You are not restricted to only 1 VPN tunnel in the BEFVP41's. I forget what the actual number is, but it's rather large (check the Linksys site) and should be more than sufficient for your purposes.
The server is actually a Unix/Linux (not sure which) server and the application is text based. It is accessed via basically terminal emulation on the PC's. Thus, I don't expect the amount of data transmitted back and forth to be exorbitant.
This was the key requirement. Being able to access the Internet at large and also a VPN over the same physical Internet connection is called split tunneling. I had no idea LinkSys's low end routers could be configured to support this.