
Help Setting up a VPN

Anonymous
September 21, 2004 1:50:58 AM

Archived from groups: comp.dcom.vpn

I need some guidance in setting up a network for a small doctor's office.

They're getting Verizon DSL in the office for their 12 or so computers. They
also have two satellite offices.

They have a ten-year-old server that runs their scheduling. The server is
using an old terminal-based interface, and the PCs in the office and the
satellites just need to get to an IP address. So no Windows Server or
anything fancy on the network. Also, the main office will get a static IP
address.

My first thought was to install something like a Linksys 10/100 16-Port
VPN Router RV016 at the office. It will handle the firewall that privacy
laws require and has enough ports to handle all the computers in the office
and the multiple VPN connections. I would also install a Linksys EtherFast
Cable/DSL VPN Router with 4-Port 10/100 Switch BEFVP41 in each of the
offices and then figure out how to hook it all up.

In doing some research I only hear bad things about the RV016, and it may not
be the best solution.

I did find some info on how to hook up two BEFVP41s together. Can I hook
up two BEFVP41s to one other BEFVP41?

Or should I be looking to do this some other way.

thanks


Anonymous
September 21, 2004 10:40:19 AM


Cliff Hartle wrote:
> I need some guidance in setting up a network for a small doctor's office.
>
> They're getting Verizon DSL in the office for their 12 or so computers. They
> also have two satellite offices.
>
> They have a ten-year-old server that runs their scheduling. The server is
> using an old terminal-based interface, and the PCs in the office and the
> satellites just need to get to an IP address. So no Windows Server or
> anything fancy on the network. Also, the main office will get a static IP
> address.
>
> My first thought was to install something like a Linksys 10/100 16-Port
> VPN Router RV016 at the office. It will handle the firewall that privacy
> laws require and has enough ports to handle all the computers in the office
> and the multiple VPN connections. I would also install a Linksys EtherFast
> Cable/DSL VPN Router with 4-Port 10/100 Switch BEFVP41 in each of the
> offices and then figure out how to hook it all up.
>
> In doing some research I only hear bad things about the RV016, and it may not
> be the best solution.
>
> I did find some info on how to hook up two BEFVP41s together. Can I hook
> up two BEFVP41s to one other BEFVP41?
>
> Or should I be looking to do this some other way.
>
> thanks

If you are dealing with medical data then maybe the best advice is to
get someone experienced in setting up VPNs and doing network security
to help you out.

That being said, I have never used the Linksys equipment but I have
heard it's not too bad but you basically have to figure things out
yourself as the level of tech support doesn't cover VPN setup very well.

I personally use Netopia 3386-ENT devices for this kind of setup (small
scale, only requires moderate performance over less than 5Mbps internet
links). They are cheap, and support a wide range of VPN protocols
including PPTP and IPSEC 3DES.

In generic terms any IPSEC equipment you purchase will likely do the job
as long as the hardware or software is not full of bugs.

Set up each office with a different but similar set of private IP
addresses.

Head office 10.10.10.0/24
Branch 1 10.10.20.0/24
Branch 2 10.10.30.0/24

Create IPSEC VPN links between each site. If you have static IPs at
each site then you should use main mode; if you have static at the head
office but dynamic IPs at the branch offices then you will use
aggressive mode. (Main mode requires the static IPs and is considered
slightly more secure.)
If your branch offices use dynamic IPs then you will likely want to
set up some kind of dynamic DNS registration. Make an account at
www.dyndns.org and register a dynamic hostname. Install a client like
DirectUpdate (www.directupdate.net) to automatically update the
registration when your IP address changes.

Set up your tunnels on each side with exactly the same settings. The
only difference should be in the local and remote subnet settings and
the remote tunnel endpoint address.

Main office (2 tunnels)
  Tunnel for office 1:
    Local subnet: 10.10.0.0/16
    Remote subnet: 10.10.20.0/24
    Remote tunnel endpoint: remote1.dyndns.org
  Tunnel for office 2:
    Local subnet: 10.10.0.0/16
    Remote subnet: 10.10.30.0/24
    Remote tunnel endpoint: remote2.dyndns.org

Office 1
  Tunnel to main office:
    Local subnet: 10.10.20.0/24
    Remote subnet: 10.10.0.0/16
    Remote tunnel endpoint: xxx.xxx.xxx.xxx (head office static IP)

Office 2
  Tunnel to main office:
    Local subnet: 10.10.30.0/24
    Remote subnet: 10.10.0.0/16
    Remote tunnel endpoint: xxx.xxx.xxx.xxx (head office static IP)

All the other configuration options for the tunnels will be the same on
either end. Different implementations of IPSec will have slightly
different options you may configure. If you want to configure behaviour
on the routers to maintain the tunnel connection even when there is no
traffic going through then you will need to read your manual. I know on
the Netopia routers I use frequently I need to go and set the idle
timeout to 0 seconds to force it to maintain the IPSec tunnels all the
time. If your router's implementation of IPsec does not like the little
trick of setting the main office tunnel subnet to 10.10.0.0/16 then you
will need to create a separate tunnel between the two branch offices if
you wish for computers in one branch office to see computers in the
other branch office. In this example traffic between the two offices
would pass through the head office. It would be faster to have a
separate tunnel but as the number of branch offices increased, the
number of tunnels required to interconnect all sites together becomes
unmanageable.


There are some implementations of IPsec that have some vendor specific
extensions that might be nice. A good example is compression of the
data stream before it is encrypted and sent. This can sometimes double
the speed of some applications data or at other times it will slow
things down if the data was already highly compressed. When it works
it's great though. An example of a vendor who has compression is the
Nortel Contivity line. (The Netopia boxes I mentioned do not have
compression; I don't think they have the horsepower for it.)



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
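The subnet plan and the hub-and-spoke selector "trick" in the post above lend themselves to a quick sanity check before anyone types addresses into a router. The model below is an added example, not part of Mike's post and not the configuration syntax of any Linksys, Netopia or Nortel device: it takes the three /24s from the post, builds the per-site (local subnet, remote subnet, peer) selector tuples for both the /16-summary variant and a naive variant where the head office only announces its own /24, checks that the plan has no overlapping prefixes and that every tunnel mirrors its peer, and then traces a packet site by site to show that branch-to-branch traffic reaches its destination through the head office only with the summary selector. Site names (head, branch1, branch2), the use of the first host address in each prefix as the test packet, and all function names are this example's own assumptions.

```python
"""Model of the hub-and-spoke IPsec traffic selectors described in the post.
Added example (not device configuration). Checks: the subnet plan is free of
overlaps, each tunnel mirrors its peer, and inter-branch traffic has a path
through the head office when the hub uses the 10.10.0.0/16 summary selector.
"""
import ipaddress
from itertools import permutations

IPv4Network = ipaddress.IPv4Network

# Subnet plan from the post: one /24 per site, all inside 10.10.0.0/16.
# Site names are an assumption of this example.
SITES = {
    "head":    IPv4Network("10.10.10.0/24"),
    "branch1": IPv4Network("10.10.20.0/24"),
    "branch2": IPv4Network("10.10.30.0/24"),
}
HUB = "head"
HUB_SUMMARY = IPv4Network("10.10.0.0/16")   # the "little trick" selector


def check_plan(sites, summary):
    """Raise ValueError if two site prefixes overlap or if any site falls
    outside the summary prefix the hub will present as its local subnet."""
    for (a, na), (b, nb) in permutations(sites.items(), 2):
        if na.overlaps(nb):
            raise ValueError(f"{a} {na} overlaps {b} {nb}")
    for name, net in sites.items():
        if not net.subnet_of(summary):
            raise ValueError(f"{name} {net} is outside {summary}")
    return True


def build_tunnels(sites, hub, hub_local):
    """Return {site: [(local_selector, remote_selector, peer), ...]}.
    hub_local is what the hub announces as its local subnet: the /16 summary
    (the post's trick) or just its own /24 (the naive variant). Each branch
    configures the mirror image, as the post says it must."""
    tunnels = {name: [] for name in sites}
    for name, net in sites.items():
        if name == hub:
            continue
        tunnels[hub].append((hub_local, net, name))
        tunnels[name].append((net, hub_local, hub))
    return tunnels


def mirrored(tunnels):
    """Every (local, remote) on one side must appear as (remote, local) on
    the peer; a mismatch here is the classic reason a tunnel never comes up."""
    for site, entries in tunnels.items():
        for local, remote, peer in entries:
            if (remote, local, site) not in tunnels[peer]:
                return False
    return True


def next_hop(tunnels, site, src, dst):
    """Peer that 'site' sends a src->dst packet to, or None if no selector
    covers it (the packet is not tunnelled and never reaches the other site)."""
    for local, remote, peer in tunnels[site]:
        if src in local and dst in remote:
            return peer
    return None


def path(tunnels, sites, src_site, dst_site, max_hops=4):
    """Follow selector matches from site to site. Returns the list of sites
    traversed, or None if the packet is dropped before reaching dst_site."""
    src = sites[src_site][1]   # first host address in each site (assumption)
    dst = sites[dst_site][1]
    here, hops = src_site, [src_site]
    while here != dst_site and len(hops) <= max_hops:
        nxt = next_hop(tunnels, here, src, dst)
        if nxt is None:
            return None
        hops.append(nxt)
        here = nxt
    return hops if here == dst_site else None


if __name__ == "__main__":
    check_plan(SITES, HUB_SUMMARY)
    summary = build_tunnels(SITES, HUB, HUB_SUMMARY)
    naive = build_tunnels(SITES, HUB, SITES[HUB])
    assert mirrored(summary) and mirrored(naive)
    print("branch1->branch2, hub announces /16:", path(summary, SITES, "branch1", "branch2"))
    print("branch1->branch2, hub announces /24:", path(naive, SITES, "branch1", "branch2"))
```

With the /16 summary the trace for branch1 to branch2 is branch1, head, branch2, which is exactly the "traffic between the two offices would pass through the head office" behaviour the post describes; with the hub announcing only 10.10.10.0/24, the branch router finds no selector covering the other branch and the trace returns None, so a third branch-to-branch tunnel would be needed. If a router rejects the /16 selector, running the naive variant here shows precisely which site pairs lose connectivity.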
Anonymous
November 12, 2004 10:16:43 PM


Thanks Mike, helpful reading your posts on setting up a small VPN.