
Router to Router VPN


Sparda


This seems like the most apt forum to ask, so I will.

I have a router that supports VPN forwarding (it forwards all encrypted traffic to a specific IP address). Google searching for "Router VPN" will display routers that do what mine does. What I'm looking for is a hardware-managed VPN connection, so, although the connection is encrypted, it's completely transparent to the computers on my network. Anyone got any suggestions?


This seems like the most apt forum to ask, so I will.

I have a router that supports VPN forwarding (it forwards all encrypted traffic to a specific IP address). Google searching for "Router VPN" will display routers that do what mine does. What I'm looking for is a hardware-managed VPN connection, so, although the connection is encrypted, it's completely transparent to the computers on my network. Anyone got any suggestions?

What is it that you're trying to set up the VPN to? For example, at work I am using Cisco PIX 501s to have a permanent VPN between the two offices.


It's partly for my personal interest, but it's also for a network design for one of my assignments. We have to theoretically connect 60 schools to a head office. In the suggested design there is no security or practicality (to be honest, this assignment is more about buying things on the internet than anything else). Anyway, I asked if I could use a leased line for a direct connection between the school and head office, but it's too expensive. So the Internet is the only practical medium, so there needs to be a permanent VPN between each school and the head office, so a hardware-based solution would be best.

I would also like to point out that in this design it's suggested that you have two separate PC specifications for both the Admin computers (Admin = staff (no idea why)) and the students. This of course is stupid, so I dropped this idea (everyone else seemed to stick to it though).

For this bit of the network you have to show this despite it being quite absurd. The admin and student computers have different IP addresses (student computers would have 192.168.1.x and admin would have 192.168.2.x); now that seems like a useful thing for IP filtering. However, the practicality of implementing this is ridiculous. How is the DHCP server going to know which computer is an Admin computer or a student computer?! The local admin goes around writing down MAC addresses and enters them in the DHCP server?! I think not! As I said, despite this being quite absurd, you have to do it, you have no choice.


If they will not allow you to have a leased line then you don't really have a lot of choice. Find yourself a VPN device and throw it in there. Like I said before, I am currently using a Cisco PIX 501; I just put in an order for a pair of SonicWalls, I think it is the TZ170, can't recall off the top of my head.

What you are describing sounds a lot like the final project I had to do to get my degree. What we did was set up a VLAN to separate the student side and the admin side. You are going to want to separate the two, take my word for it. There are just too many people like us that could exploit the hell out of the fact that those two aren't separated! :twisted:


You can always block connections through the tunnel for IP requests to the DHCP servers.

But I don't think it will cause too much of a problem. If memory serves, because you have a router creating the tunnel, the computer doesn't know the other network really exists until it is on the network, because it doesn't know the location of the router/gateway.

For this type of setup you have to have different IP ranges to prevent muddling up which computers are where. So the router knows that if it gets a packet for 192.168.1.x then it has to send it to the VPN gateway, because it is on the 192.168.0.x range.
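The routing point above (each site on its own prefix so the router can tell from the destination alone whether a packet stays local, enters the tunnel, or goes to the Internet), as an added worked example that is not from this thread; the address plan, site names and next-hop labels are constructed:

```python
import ipaddress

# Constructed address plan for a hub-and-spoke site-to-site VPN: head office
# plus the first two schools, each on its own non-overlapping private prefix.
ADDRESS_PLAN = {
    "head-office":       "192.168.0.0/24",
    "school-1-students": "192.168.1.0/24",
    "school-1-admin":    "192.168.2.0/24",
    "school-2-students": "192.168.3.0/24",
}

def check_no_overlap(plan):
    """Return (name_a, name_b) pairs whose prefixes overlap. Overlapping
    ranges are exactly the 'muddling' the post warns about: the router
    could not decide which tunnel (or the LAN) a packet belongs to."""
    items = [(name, ipaddress.ip_network(p)) for name, p in plan.items()]
    clashes = []
    for i, (name_a, net_a) in enumerate(items):
        for name_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes

def build_routes(plan, local_site):
    """Routing table for one site's router: the local LAN is directly
    connected, every other site in the plan is reached via the VPN tunnel,
    and anything else goes to the ISP default gateway."""
    routes = []
    for name, prefix in plan.items():
        hop = "lan" if name == local_site else "vpn-tunnel"
        routes.append((ipaddress.ip_network(prefix), hop))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "internet"))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the most specific matching route wins, so a
    /24 site route beats the 0.0.0.0/0 default to the Internet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

if __name__ == "__main__":
    print("overlaps:", check_no_overlap(ADDRESS_PLAN))
    routes = build_routes(ADDRESS_PLAN, "head-office")
    for dst in ("192.168.0.5", "192.168.2.10", "8.8.8.8"):
        print(dst, "->", next_hop(routes, dst))
```

Run the overlap check once over the whole plan before rolling out 60 schools; a clash found there is far cheaper to fix than one found after the tunnels are up.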


I would also like to point out that in this design it's suggested that you have two separate PC specifications for both the Admin computers (Admin = staff (no idea why)) and the students. This of course is stupid, so I dropped this idea (everyone else seemed to stick to it though).

Actually, this is not as stupid as you think. It really depends on the specifications and needs for the students/staff, i.e. student PCs might need a CD-RW/DVD-RW drive for backing up Photoshop images because they do an arts subject, whereas Admin staff might only need a CD-RW/DVD drive because everything is backed up to the network attached storage.

For this bit of the network you have to show this despite it being quite absurd. The admin and student computers have different IP addresses (student computers would have 192.168.1.x and admin would have 192.168.2.x); now that seems like a useful thing for IP filtering. However, the practicality of implementing this is ridiculous. How is the DHCP server going to know which computer is an Admin computer or a student computer?! The local admin goes around writing down MAC addresses and enters them in the DHCP server?! I think not! As I said, despite this being quite absurd, you have to do it, you have no choice.

Again, not as absurd as you think. Using VLANs you can designate that all student PCs plugged into specific ports are automatically assigned a "student IP address range". Likewise for staff. This is usually a good idea because you wouldn't want a student impersonating a staff machine and getting information such as payroll or student records.

In a small LAN, it's quite easy to record the MAC address of each PC and enter it into a DHCP server. In fact, it's best practice to record the MAC address and serial number, and slap an asset barcode onto the machine to know that it's the company's.

As for your hardware solution, I believe a Cisco VPN concentrator would do; else you could budget on a smaller scale for, say, a D-Link router that actually does VPN between routers, and do it site-to-site instead of site-to-endpoint.


The Admin computers are to perform no more tasks than the student computers; as such, having a separate specification is just not necessary.

There are 120 computers... recording all their MAC addresses would be rather impractical. As I said, the IP address ranges of the Admin and student computers being separate would be useful; however, I still do not see how the DHCP server will know which computers are admin computers and which are student (short of writing down all the MACs and entering them into the DHCP server).


The Admin computers are to perform no more tasks than the student computers; as such, having a separate specification is just not necessary.

As I said, it depends on the TASK of the computers. If both are doing word processing then you are completely correct; they can be the same spec machine.

There are 120 computers... recording all their MAC addresses would be rather impractical. As I said, the IP address ranges of the Admin and student computers being separate would be useful; however, I still do not see how the DHCP server will know which computers are admin computers and which are student (short of writing down all the MACs and entering them into the DHCP server).

Again, I work at a school that runs close to 200 staff laptops, 100 student access computers (desktops), and 1000 student laptops. Every MAC address is recorded. The laptops MUST be entered into RADIUS; they get their IP address that way. The desktops are all entered into DHCP, and the switches are configured with a Cisco setting called "Port Security" so that no one can just plug in.

Believe me when I say recording ALL MAC addresses is a task that IS done. And the university that I used to attend has all the MAC addresses imported into the LDAP directory for re-imaging and IP addressing via Novell's eDirectory.

Edit: I neglected to mention that the University has close to over 1000 student access computers across just one campus. There are 5 campuses. Do the sums.


There is a router-to-router VPN from my office to my house, so my home network is permanently connected to my work network. We are using SonicWall firewalls to do this. Contact me off list if you want more info.
