
Site-to-Site VPN Setup

Tags:
  • VPN
  • Cisco
  • Business Computing
  • Servers
February 27, 2014 9:49:27 AM

We are looking to set up a site-to-site VPN between our buildings. We have one admin building (where the server would be hosted), and roughly 20 sites to connect to it. We were looking to use a Cisco RV220W at the main site, and Cisco RV110W at all of the others. They are all small offices with 2-5 users and they only need to fetch some word documents off of the server and be managed through our active directory. Will this be efficient?


February 27, 2014 11:30:10 AM

I'm not very familiar with the Cisco line of these firewall routers, so I don't know if there is a limitation on the number of concurrent site-to-site VPN tunnels based on licensing on the system itself. However, I think that twenty concurrent site-to-site VPNs may be quite a bit for one entry-level firewall like the RV220W to work with well. You won't need much on your remote sites to connect with (as they will only have one site-to-site tunnel back to your main office) but that main office is going to have a lot of traffic coming through it if you are doing file transfers and active directory at your main office. I'd suggest looking for something a little more capable, but that's just me. Someone else with a little more experience or knowledge of these Cisco lines may be able to pitch in some more information.

But it looks like your plan at least is the better way to go about this, setting up site-to-site VPN tunnels with matching firewall units. I've seen some places go to set up VPN using software on the server which each computer at each office must then connect back through, or use a local server at each remote office to connect through software VPN to the main office, and it ends up being more complex and more costly than just using a decent firewall VPN gateway device.
February 27, 2014 2:53:13 PM

Choucove,

The concurrent limitation on the RV220W is 25 IPSec tunnels, which gives me a little bit more faith in them. The only time I may do a software connection is at a couple of our buildings that only have 1 PC that is hooked directly to the modem. The main building is anticipated to get 30Mbps down, 3 Mbps up, would that be too low for the number of connections?
February 27, 2014 3:31:52 PM

The 3 Mbps upload is the thing that would concern me about your bandwidth limitation for that number of concurrent site-to-site VPN tunnels, but that largely is determined by the amount of network traffic you are expecting from your remote sites simultaneously. If your remote sites are pushing data regularly then you have some decent headroom, but when they are all starting to pull files from your office, such as opening and working with saved documents at your datacenter, then things may start to crawl along.
February 27, 2014 5:31:23 PM

I would say that no more than 5 of the sites would be intensively using it at the same time. Have you had any experience with extending the domain through the VPN so I can use the domain controller for everyone?
February 27, 2014 7:41:32 PM

I haven't personally done this myself for testing, but from what I understand having talked with others, the problem comes in with DNS servers. If your remote sites are using your datacenter's domain controller for DNS, then all of your DNS requests have to go back to your datacenter through that VPN connection before they can go out again to the internet. For this reason, when you have limited site-to-site throughput, I had heard others recommend setting up individual domain controllers and DNS servers (basic VMs) on those sites that needed it locally, and setting them up as child controllers of your root domain controller at your main office.

Again, I haven't personally tested this yet, so I can't give you very solid information to go off of there unfortunately, but that is just what I have gathered from discussing it with others.
February 28, 2014 4:32:08 AM

Is it somehow possible to route internet requests to the ISP's DNS server, and route local requests to our network's DNS server? It seems like an idea, but I'm not sure how it would be done.

Best solution

March 3, 2014 6:13:49 AM

gdederick said:
Is it somehow possible to route internet requests to the ISP's DNS server, and route local requests to our network's DNS server? It seems like an idea, but I'm not sure how it would be done.


Yes and no.

Not possible to do on NT clients (assuming some version of MS client here).

You need a DNS forwarder at each site, which is fairly low cost and easy to deploy. NT Server 20xx: configure the individual clients at each site to point to the local DNS forwarder. The forwarder acts as both a cache for internet-related requests and can be configured to forward specific domain requests to your enterprise DNS servers. Though honestly, making them Read Only DCs would probably be best; it would significantly cut down on traffic to and from your main site. Also, how many clients are we talking per site? 4~10 isn't enough to justify a RODC, but 11~20 or more will kill your main office's pipe with AD traffic.
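The split the answer above describes (a local caching forwarder at each branch that sends only the enterprise domain over the VPN and everything else straight to the ISP) maps onto the Windows Server DNS role as a conditional forwarder plus a default forwarder. The script below is an added example and not the poster's own configuration; every address and name in it is a placeholder (internal domain corp.example.com, head-office DCs 10.0.0.10/10.0.0.11, ISP resolvers 203.0.113.53/203.0.113.54, branch server 10.20.0.5) and the branch server is assumed to be a member server, not a DC, so no AD-integrated replication scope is involved.

```powershell
# Added example: per-site caching DNS forwarder on Windows Server (DNS Server role
# on a member server) so that only internal-domain lookups cross the site-to-site VPN.
# All values below are assumed placeholders, not from the thread.
$InternalDomain = 'corp.example.com'                 # AD DNS domain name
$HeadOfficeDns  = @('10.0.0.10', '10.0.0.11')        # DCs/DNS at the main office
$IspDns         = @('203.0.113.53', '203.0.113.54')  # ISP resolvers at the branch
$BranchServerIp = '10.20.0.5'                        # this forwarder's LAN address

# 1. Install the DNS Server role on the branch server (run once, elevated).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Default path: anything the server cannot answer from cache goes to the
#    ISP resolvers directly, never over the VPN. Root hints are disabled so a
#    forwarder outage is visible as a failure rather than silently slow lookups.
Set-DnsServerForwarder -IPAddress $IspDns -UseRootHint $false

# 3. Exception path: only queries under the AD domain are sent to the head
#    office. This also covers _msdcs.<domain> and the SRV records AD clients
#    need for domain join, logon and Group Policy.
Add-DnsServerConditionalForwarderZone -Name $InternalDomain `
    -MasterServers $HeadOfficeDns -ForwarderTimeout 5

# Reverse zone for the head-office subnet, so PTR lookups of servers there
# are also answered over the VPN instead of leaking to the ISP.
Add-DnsServerConditionalForwarderZone -Name '0.0.10.in-addr.arpa' `
    -MasterServers $HeadOfficeDns -ForwarderTimeout 5

# 4. On each branch workstation, point the client at the local forwarder
#    (static here; DHCP option 6 is the usual way to hand this out).
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $BranchServerIp

# 5. Verification from a branch machine: the SRV lookup should be answered via
#    the head-office DCs, the public name via the ISP, and the zone list should
#    show exactly the two Forwarder-type zones created above.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$InternalDomain" -Type SRV -Server $BranchServerIp
Resolve-DnsName -Name 'www.example.com' -Server $BranchServerIp
Get-DnsServerZone -ComputerName $BranchServerIp | Where-Object ZoneType -eq 'Forwarder'
```

The point of step 2 plus step 3 is that the decision is made on the forwarder, not on the client, which is why the answer says it cannot be done on the NT clients themselves. A quick way to confirm the split is working is to watch the VPN interface for UDP/TCP 53: after this configuration, only queries for the internal domain and the reverse zone should appear there.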
March 6, 2014 12:55:43 PM

The scariest part is the 3 Mb up. You really need more upload bandwidth at your main pipe. Invariably external connections need more, whether it's because you want to set up IP phones for each location, do some video-conferencing, CDP, remote desktop, etc. There's also the case of upper management wanting to do more with remote offices.

In your case, you already said 5 "intensive" connections could occur, so I would want to get a better handle on the current bandwidth needs and then get more at the beginning with hopefully an option to go even higher.