Is it time to convert from frame relay to a vpn?

Archived from groups: comp.dcom.vpn,comp.dcom.xdsl,comp.dcom.frame-relay (More info?)

I'm sending this on behalf of someone who would prefer not to identify
himself or his company.

He is responsible for a corporate network connecting a main site to
about 20 branch sites. Right now the branch sites are connected with
frame relay, with CIR speeds varying from 128kbps to 512 kbps. The HQ
has a T1 frame relay connection which is sometimes congested, and a
separate T1 to the Internet. The frame contract is apparently up
soon.

He is wondering about the experiences others are having with
converting over to an ipsec VPN running over the Internet. Most of
the branch offices have access to DSL, and the few that don't can get
a T1 split up for voice and data. He could eliminate the frame port
at hq, and replace it with a 3Mbps internet connection. The overall
cost seems quite a bit lower, but service availability is important.
It is ok for a branch office to be down for part of a day, but hq must
be able to reach most offices at pretty much all the time. His frame
service has been reliable for the past few years. If he converts to a
VPN, he thinks he can get all sites connected from a single ISP.

Anyone go through this, or thinking about going through this?
Comments are welcome.

Bill

Archived from groups: comp.dcom.vpn,comp.dcom.xdsl,comp.dcom.frame-relay (More info?)

Bill Paxman wrote:

> I'm sending this on behalf of someone who would prefer not to identify
> himself or his company.
>
> He is responsible for a corporate network connecting a main site to
> about 20 branch sites. Right now the branch sites are connected with
> frame relay, with CIR speeds varying from 128kbps to 512 kbps. The HQ
> has a T1 frame relay connection which is sometimes congested, and a
> separate T1 to the Internet. The frame contract is apparently up
> soon.
>
> He is wondering about the experiences others are having with
> converting over to an ipsec VPN running over the Internet. Most of
> the branch offices have access to DSL, and the few that don't can get
> a T1 split up for voice and data. He could eliminate the frame port
> at hq, and replace it with a 3Mbps internet connection. The overall
> cost seems quite a bit lower, but service availability is important.
> It is ok for a branch office to be down for part of a day, but hq must
> be able to reach most offices at pretty much all the time. His frame
> service has been reliable for the past few years. If he converts to a
> VPN, he thinks he can get all sites connected from a single ISP.
>
> Anyone go through this, or thinking about going through this?
> Comments are welcome.
>
> Bill

I'm just about to finish such a setup at my workplace. Right now there are
about 20 branch offices connected to the main office. The branch offices
contract their own internet access, varying from 128k ISDN bundles to DSL
and Cable connections where available. One office only has a wireless
connection. The offices are mostly in the US, some in Canada and
Switzerland.

For the half year the VPN has been operational there were no major problems.
We have one office where the VPN breaks about once an hour, but it
re-establishes immediately and is as such hardly noticeable.

Right now the VPN is based on PPTP for historical reasons, but I do hope on
converting it over to IPSec. The concentrator at the office is a Linux box
which also acts as IDS and central control for any access from and to the
internet.

We also have a few roaming users who either telecommute on a regular basis
or simply need access to company data for one reason or another.

The only grief I have with this solution is that there is no single contact
for all the office internet connections. If something goes wrong I have to
look up which ISP runs which Office connection and call whatever hotline
they have.

From my past experience with frame relays I'd say a VPN is just as stable -
but a lot cheaper, and doubles as a nifty access point for teleworkers.

Hope this helps
Jen

Archived from groups: comp.dcom.vpn,comp.dcom.xdsl,comp.dcom.frame-relay (More info?)

[ followup-to set, to comp.dcom.vpn ]

In comp.dcom.vpn Bill Paxman <william.paxman@siliconboston.com> wrote:

> He is wondering about the experiences others are having with
> converting over to an ipsec VPN running over the Internet. Most of
> the branch offices have access to DSL, and the few that don't can get
> a T1 split up for voice and data.

This should work pretty nicely, with a couple of caveats:

- If possible, get all the branch office and the main office internet
connections from the same provider. Staying on one backbone will greatly
decrease transient connectivity problems (primarily latency and
packet loss) due to peering issues between ISPs.

- However, unless you're really not staffed or savvy enough to run the
vpn routers yourself, don't let the ISPs sell you on their "managed VPN"
services. Almost any TCO argument they advance along "save on administration
time" lines can be countered by "mean time to restoral" ... your milage may
vary, of course.

- Get static IPs for every connection. Don't cheap on out the
"29.99/mo" PPPoE DSL setups, or no end of headaches will result. Static
IPs make it possible to
- do interoperability between different vendor products so you can
pick the best product for each type of office
- easily make a 'mesh' of vpn tunnels between offices that talk to
each other a lot, rather than needing a 'hub-and-spoke' topology
where everything goes back to the central office and then back out
to its destination
- *most importantly* allows you to initiate the tunnel from either
end in case of a reboot, or in case you (at the central office)
have to initiate a connection after the SAs have expired.

Good luck.

--
Eric Sorenson - Systems / Network Administrator, MIS - Transmeta Corporation