Ned Hart wrote:
> My boss wants me to create a VPN between 5 offices so his programmer
> can configure sql to replicate a database between all the offices. We
> have netopia model R4652-T routers at each location with vpn
> I found this document on netopia's web site which helps, but I'd
> appreciate some tips and links to better documentation.
It is not too hard to set up. The examples are pretty good. There are a
few things though.
1. Each site needs to have a unique LAN subnet. If two of the sites
have the same LAN subnet numbering then the VPN links get confusing
because you would need to set up NAT mappings which may not be compatible
with some protocols.
2. If you want to create a hub and spoke topology then it will help
immensely if you use similar subnet addressing for all sites, i.e. all
sites start with 10.150.xxx.xxx.
I suggest using the following:
10.150.0.xxx for the main site.
10.150.1.xxx site 2
10.150.2.xxx site 3
10.150.3.xxx site 4
10.150.4.xxx site 5
With 5 sites you could also go with a fully meshed configuration with a
separate tunnel definition between each router. (4 tunnels per router)
But as you add sites the complexity multiplies and the Netopia routers
aren't very high performance.
Some tips on the Netopia products off the top of my head:
- You do not need to restart the router for configuration changes on
IPSec definitions. As soon as you hit commit, the setting changes.
- The WAN Event History logs are useful for troubleshooting though they
are not very detailed. Basically they will only tell you if you have
trouble with Phase 1 settings or Phase 2 settings. If you get an error
in Phase 1 then you have something wrong in the IKE Phase 1
configuration screens. If it has a problem with Phase 2 then the
problem is in the Connection Profile screens.
- Netopia does not support compression of IPSEC packets; hopefully your
application sends an efficient datastream.
- The 4600 series has a built-in accelerator chip for VPN encryption
acceleration. It should be able to saturate your connection but it does
max out at 15 PPTP or IPSEC sessions. If you end up with a hub and
spoke configuration then I suggest a Nortel Contivity for your main site
if the performance or limits of the Netopia become a problem. I have
had good experiences getting the Contivity units to act as a central
router for a network using netopia routers at the branch offices.
- IPSEC routes do not show up in the routing table. You cannot use
static routes to move packets between IPSEC tunnels.
- If you absolutely require the ability to set static routes between
branches then you will need to use PPTP. The PPTP can be vulnerable to
a man in the middle style attack though this is still not likely as the
hacker would require access to change your routing at your ISP or some
point in the path between the traffic to your two sites.
- Netopia has a command line interface available by hitting CTRL+N at
the main menu. You can switch back to menu mode by hitting CTRL+N.
Some commands are more convenient in command line mode.
ie: "ping xxx.xxx.xxx.xxx", "show ip route", "reset", "exit", "show config"
- Netopia has pretty good tech support in my experience. Much better
than I would expect for such inexpensive equipment.
- I have never failed to get the Netopia units to talk to other vendors'
equipment. It doesn't always go smoothly but the Netopia units do a
good job of letting you change just about every standard parameter
available for basic IPSEC implementation.
- Static IPs are very nice to have but not essential for VPN
implementation with this equipment. You can do an aggressive mode
connection if the endpoint addresses are changing and use a dyndns.org
client to update a hostname. Interoperability is harder without static
IPs to other vendors' equipment.
Finally the sales pitch:
If you want someone to do this setup for you I can do the specific
configurations for you. Contact me to discuss fees for this service.
(Depends on how you would like things configured)
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
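A small planning check for the two points made in the reply above (unique, non-overlapping LAN subnets per site, and the tunnel count for hub-and-spoke versus full mesh). This is an added example, not code from the original thread; the site names and the 10.150.N.0/24 subnets are constructed to follow the addressing scheme suggested there.

```python
# Added example (not from the original post): validates a site-to-site VPN
# addressing plan and compares tunnel definitions needed per topology.
# Site names and subnets below are constructed sample data.
import ipaddress
from itertools import combinations

# Constructed plan following the 10.150.N.0/24 scheme from the reply.
SITES = {
    "main":  "10.150.0.0/24",
    "site2": "10.150.1.0/24",
    "site3": "10.150.2.0/24",
    "site4": "10.150.3.0/24",
    "site5": "10.150.4.0/24",
}


def overlapping_pairs(sites):
    """Return (a, b) site-name pairs whose LAN subnets overlap.
    Any overlap means two tunnels would carry the same addresses, which is
    the case that forces NAT mappings on the VPN."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def common_supernet(sites):
    """Smallest single prefix that covers every site subnet.
    If all sites share a supernet, a spoke can use one selector for
    'everything else via the hub' instead of one per remote site."""
    nets = [ipaddress.ip_network(c, strict=True) for c in sites.values()]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()
    return covering


def tunnel_counts(n_sites):
    """Tunnel definitions needed for n sites.
    Hub-and-spoke: one tunnel per spoke, all terminating on the hub router.
    Full mesh: n-1 tunnels on every router, n(n-1)/2 distinct tunnels."""
    return {
        "hub_tunnels_on_hub": n_sites - 1,
        "mesh_tunnels_per_router": n_sites - 1,
        "mesh_tunnels_total": n_sites * (n_sites - 1) // 2,
    }


if __name__ == "__main__":
    print("overlapping subnets:", overlapping_pairs(SITES))
    print("covering prefix:", common_supernet(SITES))
    print("tunnels:", tunnel_counts(len(SITES)))
```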