
Dual VPN Link

Original Message
Name: Henri Debono
Date: September 5, 2007 at 01:55:44 Pacific
Subject: Dual VPN Link
OS: SBS/CentOS
CPU/Ram: 2GB
Model/Manufacturer: Dell
Comment:
Set-up is currently as follows. Main Office has an SBS server and an Asterisk server.
Head Office users make use of a domain controller.

There are 4 branch offices, each having between 2-7 PCs and 1-5 IP phones.
Presently, branch PCs log on locally on their PC. They have full internet access, and cannot access the SBS server at head office. IP phone traffic passes over the internet (SIP).

Current set-up: http://www.pavilion.com.mt/j1.jpg


I would like to set up a VPN between the branches, as leased lines are too expensive! Originally I had set each PC at the branches to establish its own VPN connection; however, this is not a reliable solution, and the IP phones were not on the VPN.

I would like to set up something similar to http://www.pavilion.com.mt/j2.jpg,
where each branch would have 2 VPN connections: one to SBS (for PCs) and the other to Asterisk (VoIP).

The branches will also make use of the ADSL connection at head office (to set internet rules).

Cost is important, as our budget is very tight. Any ideas on what equipment to use, or maybe an alternate approach?
Thanks



Response Number 1
Name: Razor2.3
Date: September 5, 2007 at 04:33:07 Pacific
Subject: Dual VPN Link
Reply:
In the most basic of terms, you need two things for VPN: a server and a client (of course). Windows Servers have a VPN server built in, but I'm not sure if that includes SBS. Try looking for it. If you don't find the server, look into something like OpenVPN. Setup'll be a pain, and I've never had the need nor desire to configure one myself, so you're on your own.

The clients are a bit trickier. What you want is a router with VPN capability. Ideally one that'll force said VPN connection. I've seen a few corporate level firewalls/routers/kitchen sinks that'll do that, but they're out of your price range. Quick Google searches aren't turning anything up for me, but I know the major consumer router manufacturers have some sort of VPN model. I'm not sure if they'll allow you to have more than 3 to 5 connections through the VPN, but it's something to look for.


Response Number 2
Name: Curt R
Date: September 5, 2007 at 06:16:51 Pacific
Subject: Dual VPN Link
Reply:
You may want to look into VPN devices. There are many different types of devices available on the market from different manufacturers. I would look around, find one with the features I like in a price range that fits the budget and purchase one for each site. If you have the budget, and get the right equipment, you could set up VPN tunnels between all the sites (i.e. remote site to main and other remote sites as well) and not just one-to-one connections (i.e. remote site to main).

Once established, a VPN tunnel (encrypted) between sites would allow for the transfer of both types of network traffic (i.e. VoIP and data). Therefore you wouldn't need dual VPNs, a single VPN would do the trick.

I would definitely consider using QoS on the VoIP traffic (it should have the highest priority). Hopefully your switches are capable of QoS. If they're a Layer 3 enterprise level managed switch, you could use a single switch for both types of traffic using VLAN tagging. Then your VLANs could span all sites making network management/maintenance a lot simpler.



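The single-tunnel design from Response 2, sketched as an added example that is not part of the original thread or any poster's configuration: an OpenVPN hub at head office terminating one routed tunnel per branch, with PC and IP-phone subnets both carried inside it. Every subnet, file name and the names `branch1`/`branch2` are assumptions made for illustration.

```conf
# server.conf on the head-office VPN hub (constructed example, OpenVPN 2.4+)
# Assumed addressing, not from the thread:
#   head office  data 192.168.1.0/24    voice (Asterisk) 192.168.2.0/24
#   branch1      data 192.168.11.0/24   voice 192.168.12.0/24
#   branch2      data 192.168.21.0/24   voice 192.168.22.0/24
port 1194
proto udp                  # UDP: no TCP-over-TCP retransmit stalls for RTP
dev tun
topology subnet
server 10.8.0.0 255.255.255.0

# One certificate per branch router, so a lost device is revoked on its own.
ca ca.crt
cert hq.crt
key hq.key
dh dh.pem
crl-verify crl.pem
tls-auth ta.key 0          # unauthenticated packets are dropped before TLS
tls-version-min 1.2

# Head-office networks pushed to every branch: data and voice share the tunnel.
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"

# Branch networks. 'route' hands them from the kernel to OpenVPN; the 'iroute'
# lines in ccd/<certificate CN> bind each subnet to one branch certificate.
client-config-dir ccd
ccd-exclusive              # refuse any certificate without a ccd file
route 192.168.11.0 255.255.255.0
route 192.168.12.0 255.255.255.0
route 192.168.21.0 255.255.255.0
route 192.168.22.0 255.255.255.0

passtos                    # copy the inner TOS/DSCP mark to the outer packet
keepalive 10 60
persist-key
persist-tun
verb 3

# Contents of ccd/branch1 (separate file, named after the certificate CN):
#   iroute 192.168.11.0 255.255.255.0
#   iroute 192.168.12.0 255.255.255.0
# ccd/branch2 repeats this with 192.168.21.0 and 192.168.22.0; branches 3-4 alike.
```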

Response Number 3
Name: Henri Debono
Date: September 5, 2007 at 07:31:07 Pacific
Subject: Dual VPN Link
Reply:
SBS does have VPN which I do occasionally use.

What do you think of the Vigor2800 and Linksys RVL200?

Also, how can I make use of 1 VPN, if I have 2 ADSL connections at Head office?


Response Number 4
Name: Curt R
Date: September 5, 2007 at 08:19:32 Pacific
Subject: Dual VPN Link
Reply:
To be honest, I don't think much of SOHO level routers for creating an encrypted VPN tunnel. I was talking about a VPN device like a Cisco PIX. This is a VPN device that does nothing else but VPN tunnelling.

There are SOHO routers available that can use two separate connections. I don't know any brand names/models offhand so you'll have to do the research on that yourself.


Response Number 5
Name: wanderer
Date: September 5, 2007 at 08:55:23 Pacific
Subject: Dual VPN Link
Reply:
Henri you need to understand that you won't have one vpn at the home office. You will have 4, one for each incoming office, but it will only use one dsl connection. You would need a vpn device for the phone system dsl link. It also would have 4 vpns, one for each site. Then you need a vpn device at each remote site.

These devices would not need to be VoIP compatible or have QoS features. This is because you will be setting up each remote site with two vpns. One for the phones and one for the data. You would want to create vlans for just the voice system and just the phone system.

Just to be clear this means you need 6 vpn firewall/routers. Two of which have to support 4 or more vpns. Four have to support at least 2 vpns.

For business grade you would be looking at about $1200 per [cisco pix with maintenance] which would be $7200 or soho grade for around $2-300 a device for a total of $1800.

This device supports up to 5 device to device vpn gateways. It also supports vlans and it's gigabit lan.

http://www.linksys.com/servlet/Sate...


Imagine the power if you knew how to internet search


Response Number 6
Name: Curt R
Date: September 6, 2007 at 08:31:03 Pacific
Subject: Dual VPN Link
Reply:
Hey Wanderer,

I'm just wondering why you would want to go with a separate VPN for the VoIP?

Unless I'm mistaken, the VPN devices just establish an encrypted tunnel and pass all data through. At least, the ones I've worked with worked that way.

"These devices would not need to be VoIP compatible or have QoS features."

Right you are, your QoS is done before going into the outbound VPN device (in our case, a Packeteer PacketShaper) and again after leaving the inbound VPN device at the other end. As I said above, unless I'm mistaken, the VPN devices just create the tunnel and pass along whatever data is sent to them.

As far as the actual traffic itself goes, packets are packets and whether data or VoIP, there's no real difference from the perspective of the VPN device.

Our VoIP runs on all the same switches as our data. Well, with one little difference I guess, we use Nortel Baystack 5520's for the VoIP because they provide PoE. Whereas the 5510's aren't PoE capable. But, most of our VoIP switches also have PC's and printers plugged into them...although those are on a different VLAN of course.


Response Number 7
Name: wanderer
Date: September 6, 2007 at 11:42:39 Pacific
Subject: Dual VPN Link
Reply:
I am just following Henri's setup. He has two connections at the main office. I would be concerned that moving both data and voice to one connection would impact the performance of both.
Additionally it creates a single point of failure. There would also be additional expense of a router with dual wan ports if he wanted to go that way.

Imagine the power if you knew how to internet search


Response Number 8
Name: Curt R
Date: September 6, 2007 at 12:33:47 Pacific
Subject: Dual VPN Link
Reply:
Thanks for taking the time to reply wanderer.

I was thinking along the lines of the dual wan port router. Having never bought one (or even priced one out), I have no idea what they're worth.

If you have QoS capable switches, or a QoS device, you can easily arrange it so that the VoIP traffic isn't impacted by your traffic. However, I'm betting it will be impacted by the internet. We have a satellite office with two PC's and two VoIP phones running on an ADSL connection and have endless problems with the VoIP there. It's a provider issue.......likely they've oversubscribed the segment as so very many of them do in order to turn a few extra bucks......

No question about the single point of failure. But if you don't set it up so each side could failover to the other, should you lose one connection, you lose that data. Depending on what you have for equipment, you could set up an automatic failover so if say the VoIP connection dies, your VoIP automatically goes over to the other side. Something tells me this would take more than they have or can afford to buy though.

Anyhow, it would have been nice to know what they have for switches and whether or not they have a QoS device in their network before answering.


Response Number 9
Name: Henri Debono
Date: September 10, 2007 at 07:48:01 Pacific
Subject: Dual VPN Link
Reply:
Hi all, thanks for your replies.

We have 2 internet connections at head office, because the one connected to SBS hosts our mail and web server, and it couldn't handle VoIP too, as we tried it. With regards to the dual WAN router, do we really need it, as both SBS and Asterisk are not connected in any way (except through the internet)?

With regards to switches, we have standard rackmount D-Link switches, which have no QoS. Also, our modems are Thomson SpeedTouch. I don't know the exact model numbers, but they were provided by our ISP, and I believe are classified as Home/SOHO modems.

Seems like the Cisco PIX is the best option, but way beyond what we can afford.

I've done some research and found some open source software like monowall, ipcop, and smoothwall. Do any of you have any experience with whether such software is capable of doing the job?

BTW, forgot to mention that our internet connections are 4096/512k

Cheers!


The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.

All content ©1996-2007 Computing.Net, LLC