Advice on configuring a VPN for 5 offices using Netopia ro..

Archived from groups: comp.dcom.vpn (More info?)

My boss wants me to create a VPN between 5 offices so his programmer
can configure sql to replicate a database between all the offices. We
have netopia model R4652-T routers at each location with vpn
capability.

I found this document on netopia's web site which helps, but I'd
appreciate some tips and links to better documentation.
http://www.netopia.com/en-us/support/technotes/hardware/NQG_056.html

Thanks
NH

    Ned Hart wrote:
    > My boss wants me to create a VPN between 5 offices so his programmer
    > can configure sql to replicate a database between all the offices. We
    > have netopia model R4652-T routers at each location with vpn
    > capability.
    >
    > I found this document on netopia's web site which helps, but I'd
    > appreciate some tips and links to better documentation.
    > http://www.netopia.com/en-us/support/technotes/hardware/NQG_056.html
    >
    > Thanks
    > NH

    First, your technote is for Netopia to Linksys. The correct technote
    for connection of two Netopia routers is:
    http://www.netopia.com/en-us/support/technotes/hardware/NQG_053.html


    It is not too hard to set up. The examples are pretty good. There are a
    few things though.
    1. Each site needs to have a unique LAN subnet. If two of the sites
    have the same LAN subnet numbering then the VPN links get confusing
    because you would need to set up NAT mappings which may not be compatible
    with some protocols.
    2. If you want to create a hub and spoke topology then it will help
    immensely if you use similar subnet addressing for all sites, i.e. all
    sites start with 10.150.xxx.xxx.
    I suggest using the following:
    10.150.0.xxx for the main site.
    10.150.1.xxx site 2
    10.150.2.xxx site 3
    10.150.3.xxx site 4
    10.150.4.xxx site 5
    With 5 sites you could also go with a fully meshed configuration with a
    separate tunnel definition between each router. (4 tunnels per router)
    But as you add sites the complexity multiplies and the Netopia routers
    aren't very high performance.

    Some tips on the Netopia products off the top of my head:
    - You do not need to restart the router for configuration changes on
    IPSec definitions. As soon as you hit commit, the setting change
    becomes active.
    - The WAN Event History logs are useful for troubleshooting though they
    are not very detailed. Basically they will only tell you if you have
    trouble with Phase 1 settings or Phase 2 settings. If you get an error
    in Phase 1 then you have something wrong in the IKE Phase 1
    configuration screens. If it has a problem with Phase 2 then the
    problem is in the Connection Profile screens.
    - Netopia does not support compression of IPSEC packets, hopefully your
    application sends an efficient datastream.
    - 4600 series has a built-in accelerator chip for VPN encryption
    acceleration. It should be able to saturate your connection but it does
    max out at 15 PPTP or IPSEC sessions. If you end up with a hub and
    spoke configuration then I suggest a Nortel Contivity for your main site
    if the performance or limits of the Netopia become a problem. I have
    had good experiences getting the Contivity units to act as a central
    router for a network using netopia routers at the branch offices.
    - IPSEC routes do not show up in the routing table. You cannot use
    static routes to move packets between IPSEC tunnels.
    - If you absolutely require the ability to set static routes between
    branches then you will need to use PPTP. The PPTP can be vulnerable to
    a man in the middle style attack though this is still not likely as the
    hacker would require access to change your routing at your ISP or some
    point in the path between the traffic to your two sites.
    - Netopia has a command line interface available by hitting CTRL+N at
    the main menu. You can switch back to menu mode by hitting CTRL+N.
    Some commands are more convenient in command line mode.
    i.e.: "ping xxx.xxx.xxx.xxx", "show ip route", "reset", "exit", "show config"
    - Netopia has pretty good tech support in my experience. Much better
    than I would expect for such inexpensive equipment.
    - I have never failed to get the Netopia units to talk to other vendors'
    equipment. It doesn't always go smoothly but the Netopia units do a
    good job of letting you change just about every standard parameter
    available for basic IPSEC implementation.
    - Static IPs are very nice to have but not essential for VPN
    implementation with this equipment. You can do an aggressive mode
    connection if the endpoint addresses are changing and use a dyndns.org
    client to update a hostname. Interoperability is harder without static
    IPs to other vendors' equipment.

    Finally the sales pitch:
    If you want someone to do this setup for you I can do the specific
    configurations for you. Contact me to discuss fees for this service.
    (Depends on how you would like things configured)

    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
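The addressing and topology points in the reply above (unique LAN subnets per site, a common 10.150.x.x scheme, hub-and-spoke versus full mesh, and the per-router session limit) can be checked before touching any router. The following planner is an added example and is not code from the original post, from Netopia, or from Mike; the five site subnets are constructed from the scheme suggested in the reply, the `MAX_SESSIONS` value is the figure quoted there for the 4600 series, and the summary-network helper reflects the usual hub-and-spoke practice of giving each spoke one tunnel whose remote selector covers all sites (an assumption here, not something the reply states).

```python
import ipaddress
from itertools import combinations

# Constructed site plan following the reply's suggested 10.150.N.xxx scheme.
SITES = {
    "main":  "10.150.0.0/24",
    "site2": "10.150.1.0/24",
    "site3": "10.150.2.0/24",
    "site4": "10.150.3.0/24",
    "site5": "10.150.4.0/24",
}

# Per-router IPsec/PPTP session limit quoted in the reply for the 4600 series.
MAX_SESSIONS = 15


def _nets(sites):
    return {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}


def overlapping_sites(sites):
    """Pairs of sites whose LAN subnets overlap (reply point 1).

    Any pair returned here would force NAT mappings inside the tunnels;
    an empty list means every site has a unique LAN subnet.
    """
    nets = _nets(sites)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def full_mesh_tunnels(sites):
    """One tunnel per unordered site pair: n*(n-1)/2 tunnel definitions."""
    return [(a, b) for a, b in combinations(sorted(sites), 2)]


def hub_and_spoke_tunnels(sites, hub):
    """One tunnel from the hub to each spoke: n-1 tunnel definitions."""
    return [(hub, s) for s in sorted(sites) if s != hub]


def tunnels_per_router(tunnels, sites):
    """How many tunnel definitions each router carries for a given topology."""
    counts = {s: 0 for s in sites}
    for a, b in tunnels:
        counts[a] += 1
        counts[b] += 1
    return counts


def routers_over_limit(tunnels, sites, limit=MAX_SESSIONS):
    """Routers whose tunnel count exceeds the session limit."""
    return sorted(r for r, n in tunnels_per_router(tunnels, sites).items() if n > limit)


def summary_network(sites):
    """Smallest single prefix covering every site subnet.

    Assumption (not from the reply): with a hub-and-spoke design each spoke
    can use this prefix as its remote network so spoke-to-spoke traffic is
    sent to the hub, which is why a common 10.150.x.x scheme helps.
    """
    nets = list(_nets(sites).values())
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    assert not overlapping_sites(SITES), "LAN subnets must be unique"
    mesh = full_mesh_tunnels(SITES)
    hub = hub_and_spoke_tunnels(SITES, "main")
    print("full mesh:", len(mesh), "tunnels", tunnels_per_router(mesh, SITES))
    print("hub/spoke:", len(hub), "tunnels", tunnels_per_router(hub, SITES))
    print("spoke remote selector:", summary_network(SITES))
```

Running it for the five sites shows why the reply calls full mesh manageable at this size (4 tunnels per router, well under the 15-session limit) while hub-and-spoke concentrates all 4 tunnels on the main site router, which is exactly where the reply suggests a more capable unit if the Netopia runs out of headroom.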