Setting up site to site VPNs

I have a corporate network that we'll add VPNs to:

The present configuration looks like this:

    Internet
       |
    DSL Modem
       |
    Linksys BEFSR41 NAT              Remote site
       |                                 |
    WinProxy Computer               Dedicated Line
    (Internet Gateway)                   |
       |                                 |
    Router / LAN Gateway-----------------+
       |
      LAN
       |
    Clients

A new configuration to implement a site-to-site VPN might look like this:

    Internet
       |
    DSL Modem
       |
    Linksys BEFSR41 or ??? NAT                   Remote site
       |                                             |
       +----------------+                            |
       |                |                            |
    WinProxy Computer   VPN Router              Dedicated Line
    (Internet Gateway)  |                            |
       |                |                            |
    Router / LAN Gateway+----------------------------+
       |
      LAN
       |
    Clients

Another configuration might look like this:

Please view in a fixed-width font such as Courier.

    Internet
       |
    DSL Modem
       |
    Linksys BEFSR41 or ??? NAT                           Remote site
       |                                                     |
       +----------------+-------------+                      |
       |                |             |                      |
    WinProxy Computer   VPN1 Router   VPN2 Router       Dedicated Line
    (Internet Gateway)  |             |                      |
       |                |             |                      |
    Router / LAN Gateway+-------------+----------------------+
       |
      LAN
       |
    Clients

The clients have software installed that interfaces with one of the VPNs.

The Router / LAN Gateway directs traffic from the clients to the Internet Gateway for most things, and to the VPN1 or VPN2 routers depending on the application.

It appears that the Linksys BEFSR41 isn't going to support even one VPN passthrough. (It's there for a reason.) So, I'm trying to find a similar device that will handle one or two separate VPN applications. I believe the correct term is "VPN passthrough".

I'm reading what I can find to understand what to buy to replace the BEFSR41. The Linksys website says: "The BEFVP41 allows up to 70 IPSec tunnels, but still only supports one IPSec connection at a time." Another option suggested is BEVP41.

I'm not sure if I'm up against a fundamental limitation of how things work or just unsure of which replacement device would be appropriate. I get the impression that I *don't* want the Linksys or front end NAT device to do anything with the VPNs - just let them work. Is that what's referred to as "passthrough"? I also get the impression that a "tunnel" in the Linksys would be another thing and not what I want.

So, it appears my issue is: Can I implement more than one VPN through the NAT device at the same time? If not, what other options might there be (with a bias to keeping a NAT device at that location in the network topology)?

Maybe some suggestions and pointers?



Reply to
Fred Marshall

In other words:

Can one run two VPNs through a Linksys router? Which one? Any other simple router model of any manufacturer?



Reply to
Fred Marshall


Yes. RV series. Too many to mention.

Have you even bothered to look at the Linksys website? If it says VPN endpoint then you can bet the device is limited to 1 or 2 simultaneous VPN connections. If it says VPN router then it's likely 50 simultaneous VPN connections. I would never suggest using any of these routers if you have anywhere close to 50 simultaneous connections running. But for connecting a handful of sites it should work. Perhaps if you had 50 home office users that only access the VPN connection occasionally it might work but I imagine even doing key renegotiations for 50 unused tunnels might stress out a Linksys router.

If you need to connect sites and you consider this link important then you should get a consultant who has experience in this area. Your diagrams seem to indicate that you don't quite "get it".

Reply to
Mike Drechsler - SPAM PROTECTE


Thanks for the reply. You're right, I don't quite get it. So, I'm learning. And, oh yes, I've looked at the Linksys website quite a bit. My problem is mostly with the lingo which I'm picking up. It's more difficult because there seem to be so many VPN schemes.

I'm focusing on Linksys because I work with them often enough at the low end, it's what's installed and it's what one of our local ISPs uses. We've discussed the RV series.

Maybe you could clear up a nagging question for me:

I see reference to "tunnel" and I see reference to "passthrough" and I see reference to "end point". I have a pretty good idea what an end point is. But, I don't understand the difference between tunnel and passthrough.

My problem with what I find on the Linksys website is that it seems to talk about the devices as VPN end points but not so much about passthrough. For example, I can find that there are some of their products that will support only one VPN passthrough at a time but no mention, except by implication, of products that will support more than one VPN passthrough at a time. Oh yes, they talk about more than one end point being implemented but not clearly more than one passthrough. So, it's not a dumb question.

One of my problems is that I don't maintain a "lab" where I can buy a bunch of stuff and try it out. I have to be conservative in selecting devices because I want them to work when I put them in the network. But, I may have to just buy one or two of the RV devices for learning.

The architecture I had in mind when I wrote the original post was to continue using a NAT device at the front end and to have VPN end points and the LAN Internet firewall inside of that device.

Yes, one can ask "why?". It's because there was a desire/need in the original architecture to have a cascaded NAT firewall arrangement. It's what was implemented and I'd hoped to keep the configuration unless it's more trouble than it's worth. And, presumably it would limit the number of static public IP addresses we'd need.

My hope was that the VPN operations would be transparent to the NAT device (or vice versa) - but I have some doubts. I guess an RV at the front end would handle this configuration in a routing table - which isn't transparent but would be just fine.


Reply to
Fred Marshall

Passthrough means that the router has absolutely no VPN capability built in. It simply will allow someone inside the network to use VPN software without blocking the connection. "The connection passes through the router." This also assumes that the VPN endpoint you are connecting to supports the address translation that is applied when it passes through the NAT router, so it's no guarantee that a link could be established. The reason that it usually only supports a single connection to pass through is that if you had 2 internal computers trying to connect to the same VPN server it wouldn't be able to tell which computer to send the inbound traffic to, since IPSec traffic (the VPN protocol most people use) is not transmitted using ports like TCP/IP, so it cannot look at the port numbers to determine which computer the packet is intended for.

Tunnel is basically another word for connection.

Endpoint is a device actually participating in creating the connection or tunnel. In this case the device supports the VPN protocol and is an active participant in the connection.

There is not going to be much difference between the Linksys router that only functions as an endpoint and the one that functions as a router except for capacity. The endpoint device simply doesn't have software to support more connections and it likely is also too slow to support more than the 1 connection it supports. The other devices may have special chips to speed up the encryption so that they can support more simultaneous tunnels. Encrypting the data can be very intensive on the processor.

Most VPN implementations will require a static IP on your VPN gateway. The IP address becomes part of the identity of the device when building the connection. You can think of the IP address as part of the username, if you will, when the devices connect with each other. If you create a static IP main mode VPN connection (a technical VPN term) then the two endpoints will reject inbound connection attempts from IPs they do not recognize. At the very least you will need to forward the ports the VPN needs anyhow, so you aren't actually more secure with NAT in front of the VPN endpoint since the traffic it's listening for just gets forwarded anyhow. Unless there is some hidden port the VPN router is listening on, this really will not improve the security of your VPN device. Because you would need to use an aggressive mode connection to support the NAT, you would actually be lowering the security of a site to site link (although the reduction is fairly trivial).

The RV device would go directly to the modem, you would dump the old device completely from the picture. The VPN gateway would be your NAT as well as a VPN box. You can connect a VPN in parallel to an existing firewall, but in your case the firewall it's replacing doesn't give any exceptional benefit so there's not much point in running in parallel like that.

If you need to gain experience you could probably find some cheap gear on eBay or set up a software router on an old PC with a few spare network cards and a Linux or BSD router distribution. For low end I have been recommending Netopia 3386-ENT routers. They can be bought cheap and they expose you to a pretty good set of features for the price. They may be cheap enough for you to acquire for the sole purpose of testing.

Reply to
Mike Drechsler - SPAM PROTECTE
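The "single passthrough" limit Mike describes above comes down to what a NAT device can key its translation table on. The following is an added illustration, not code from the thread or from any Linksys product: it models a minimal port-based NAT and shows that raw IPsec ESP (IP protocol 50, no ports) from two inner hosts to the same VPN server collides on the inbound lookup, while the same traffic carried inside UDP (NAT traversal on UDP/4500, which goes beyond what the thread discusses) is demultiplexed correctly because the NAT can rewrite source ports. All addresses are constructed documentation-range values, and the NAT logic is a deliberately simplified assumption, not any vendor's implementation.

```python
"""Why a port-based NAT passes one raw IPsec ESP tunnel but not two.

Added example, not from the thread. A simplified NAT: outbound packets
create translation entries, inbound packets are matched back to an inner
host. UDP flows (including ESP wrapped in UDP/4500 by NAT traversal) carry
source ports the NAT can rewrite, so replies reach the right host. Raw ESP
has no ports, only an SPI the NAT does not track, so the NAT can key only on
the peer address and a second inner host overwrites the first host's entry.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

ESP = 50                     # IP protocol number for IPsec ESP
UDP = 17
NAT_T_PORT = 4500            # UDP port used by IPsec NAT traversal
PUBLIC_IP = "203.0.113.10"   # constructed NAT public address (RFC 5737 range)
VPN_SERVER = "198.51.100.5"  # constructed remote VPN endpoint
INNER_HOSTS = ("10.0.0.2", "10.0.0.3")  # constructed LAN clients


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None


class PortNat:
    """Minimal NAT model (an assumption for illustration, not a real device)."""

    def __init__(self) -> None:
        self._next_port = 40000
        # (proto, public port, peer) -> (inner ip, inner port) for UDP
        self._udp_back: Dict[Tuple[int, int, str], Tuple[str, int]] = {}
        # peer -> inner ip for ESP: the only field the NAT has to key on
        self._esp_back: Dict[str, str] = {}

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inner->Internet packet and record how to reverse it."""
        if p.proto == ESP:
            self._esp_back[p.dst] = p.src  # silently overwrites any earlier host
            return replace(p, src=PUBLIC_IP)
        public_port = self._next_port
        self._next_port += 1
        self._udp_back[(p.proto, public_port, p.dst)] = (p.src, p.sport)
        return replace(p, src=PUBLIC_IP, sport=public_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map an Internet->public packet to its inner host, or None if unmatched."""
        if p.proto == ESP:
            inner = self._esp_back.get(p.src)
            return None if inner is None else replace(p, dst=inner)
        entry = self._udp_back.get((p.proto, p.dport, p.src))
        if entry is None:
            return None
        inner_ip, inner_port = entry
        return replace(p, dst=inner_ip, dport=inner_port)


def raw_esp_reachable_hosts() -> Set[str]:
    """Two inner hosts open raw ESP to one server; which ones can get replies?"""
    nat = PortNat()
    for host in INNER_HOSTS:
        nat.outbound(Packet(ESP, host, VPN_SERVER))
    # Every ESP reply from the server looks identical to the NAT, so it can
    # only ever be delivered to whichever host registered last.
    reply = nat.inbound(Packet(ESP, VPN_SERVER, PUBLIC_IP))
    return {reply.dst} if reply else set()


def nat_t_reachable_hosts() -> Set[str]:
    """Same two hosts, ESP carried in UDP/4500: each gets its own public port."""
    nat = PortNat()
    public = [nat.outbound(Packet(UDP, host, VPN_SERVER, NAT_T_PORT, NAT_T_PORT))
              for host in INNER_HOSTS]
    reached: Set[str] = set()
    for pkt in public:
        # The server replies to the public port it saw, which is unique per host.
        reply = nat.inbound(Packet(UDP, VPN_SERVER, PUBLIC_IP, NAT_T_PORT, pkt.sport))
        if reply is not None:
            reached.add(reply.dst)
    return reached


if __name__ == "__main__":
    print("raw ESP, hosts still reachable:", sorted(raw_esp_reachable_hosts()))
    print("UDP-encapsulated, hosts reachable:", sorted(nat_t_reachable_hosts()))
```

Running the script shows only one of the two hosts receiving raw ESP replies, against both for the UDP-encapsulated case; this is the behaviour behind the "one passthrough at a time" limitation, and why a NAT device in front of several VPN clients needs either peers that support UDP encapsulation or, as the thread suggests, a single VPN-capable router acting as the endpoint for the whole site.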