
VPN Tunneling Question

MulLa

Golden Member
A friend of mine wants to set up a head office / branch office situation for 1 head office and potentially 20 branches. Well, branches are really just some mobile workers. He's set on providing them with an ADSL connection and a router preconfigured with a VPN tunnel to the HQ.

I'm proposing that he use a Linksys RV042 in the head office and one Linksys BEFSX41 at each branch.

My question is about subnetting. Having refreshed my memory on it and doing a bit of digging I propose the following setup:

Using a class A network and 255.252.0.0 as the mask, I'll have the following subnets:

10.0.0.0
10.4.0.0
10.8.0.0
10.12.0.0
etc... etc...

Will this work??


Thanks heaps in advance!
 
Since these are technically not "branches", I personally would not use a hardware solution on their end and set up tunnels. Rather, I set up client-to-VPN connections for them. Each remote user has the client installed on their computer; then, when they need to do work, they connect via VPN to the office. If these are home users there is no need to have them connected to you 24/7.

JMO.

Depending on the head office size you can try the following solutions.

Cisco Pix 501 (comes in 10, 50 and unlimited user bundles)

or

Cisco Pix 515E (what I would go with)
 
Thanks for the response. I've originally suggested to him that it's best to just use VPN clients instead of a site to site setup. Unfortunately, some of these locations are for his travelling users to work from. Shared office space for this sales force.

Sometimes there are up to 5 people in each of these locations, sometimes there are none. Thus there's probably a need for a hardware based solution.

I know Cisco might be the sure-fire way to go, but money is a real issue for this project.
 
The Cisco PIX is an easy device to configure, but its performance leaves much to be desired in today's VPN world. You'll need their crypto accelerator to get any real performance, but be prepared to shell out some serious coin.

Have you looked at OpenVPN?

Using OpenBSD and an inexpensive crypto accelerator (Soekris, http://www.soekris.com, or a Via Mini-ITX board such as the MII-12000 or SP-13000, or other fully charged Vias with on-die crypto acceleration functions), you can build an inexpensive, performance-oriented solution that can handle some serious volume. If you want to use inexpensive endpoints, you could even use the Linksys WRT54GS routers as network endpoints. My testing showed they could route around 250 pps using an AES-128-CBC cipher, up to ~3 Mbit/s of ordinary web traffic. You will need to familiarize yourself with OpenWRT, but it is an inexpensive solution. I have had about 8 of these deployed for the last six months with absolutely no issues, for a different scenario (cost-oriented similarities).

Could the PIX fill the same job? You bet. At the same price? Not a chance.

Here is the catch: there's a steep learning curve if you've not delved much into R&S or Unix-like operating systems. The good part is that once you're acclimated with it, your options are vastly superior to those of canned solutions.



 
That will work, but those seem like some really large subnets for your branches ("mobile workers")!

It should work fine using the Linksys boxes you proposed. Just be aware of the max tunnels (30) of the RV042. Site-to-site VPN is convenient because the users will not have to establish a tunnel per person, and the entire branch office can share a site-to-site VPN tunnel. Site-to-site VPN tunnels using Linksys boxes aren't hard to set up. Just send me a PM if you have any problems once you get started, but it should be pretty self-explanatory. Try to get static IPs for your ADSL clients to make things easier. Otherwise you might have to go with DDNS to keep track of new DHCP leases.
 
I don't really understand why you chose such large subnets either 😕 but I guess it doesn't really matter. I suppose it will come in handy if he ever expands from 5 to 200,000. Except, will the Linksys handle such subnets? I've never used their "business-class" stuff so I really don't know. My only _fear_ would be with the fact that it's shared office space. The always-on VPN router solution is convenient and efficient for the mobile users, but it's also convenient for anybody else who shares that space to get to your network.
 
Thanks guys for all your inputs, much appreciated.

Can someone suggest a better subnetting scheme then? I've never ever had to create more than 2 subnets per network in my life 🙂 (Experience is limited to VLANning off a wireless LAN 😀 )

My friend is going to be the one managing the stuff, so I don't want it to get too complex because he doesn't really know computer / network stuff that well; a Cisco / Linux based solution might not be so well suited to him.

Good call in regards to someone else walking in and just using the VPN connection. Maybe removing the router and locking it in a drawer when the last person leaves?!
 
Well, like I said, I don't know if the "business-class" Linksys products would support that subnet or not. If it does, then it doesn't really matter. It's going to work the same; he would just have more or fewer IP addresses available for machines to use.

Most people, though, go with the classic 192.168.1.0/255.255.255.0 subnet. That will allow up to 254 machines (192.168.1.1 - 192.168.1.254). If he really wanted to restrict it down, he could go with something like 192.168.1.1/255.255.255.248, which would only allow 7 IP addresses for use (192.168.1.1 - 192.168.1.7).

I'll assume 1,778 IP addresses will be enough for the home site; then your subnets could look like this:

Home: 192.168.1.0/255.255.248.0
remote1: 192.168.8.0/255.255.255.248
remote2: 192.168.8.8/255.255.255.248
remote3: 192.168.8.16/255.255.255.248
remote4: 192.168.8.24/255.255.255.248
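Before handing either addressing plan to someone who will manage it without much network background, it is worth checking it mechanically. The script below is an added example (not posted by anyone in this thread): it normalizes each site's prefix, counts usable hosts, flags any prefix written with host bits set (the router will actually use a different network than the one written down), and flags sites whose ranges overlap, which leaves the VPN routers with ambiguous routes. The two plans are constructed from the addresses quoted in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread: the original 10.x plan with a 255.252.0.0
# mask, and the 192.168.x plan proposed later in the thread.
ORIGINAL_PLAN = {
    "hq": "10.0.0.0/255.252.0.0",
    "branch1": "10.4.0.0/255.252.0.0",
    "branch2": "10.8.0.0/255.252.0.0",
    "branch3": "10.12.0.0/255.252.0.0",
}
PROPOSED_PLAN = {
    "home": "192.168.1.0/255.255.248.0",
    "remote1": "192.168.8.0/255.255.255.248",
    "remote2": "192.168.8.8/255.255.255.248",
    "remote3": "192.168.8.16/255.255.255.248",
    "remote4": "192.168.8.24/255.255.255.248",
}

def usable_hosts(net):
    """Hosts you can actually assign: drop network and broadcast below /31."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses

def summarize(plan):
    """Map each site to (network in CIDR form, usable host count)."""
    out = {}
    for site, spec in plan.items():
        net = ipaddress.ip_network(spec, strict=False)  # snap to the boundary
        out[site] = (str(net), usable_hosts(net))
    return out

def check_plan(plan):
    """Return problems: prefixes with host bits set, and overlapping sites."""
    problems, nets = [], {}
    for site, spec in plan.items():
        try:
            ipaddress.ip_network(spec, strict=True)
        except ValueError:
            real = ipaddress.ip_network(spec, strict=False)
            problems.append(f"{site}: {spec} has host bits set; router uses {real}")
        nets[site] = ipaddress.ip_network(spec, strict=False)
    # Any two tunnels whose LAN ranges overlap give the routers ambiguous routes.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("proposed", PROPOSED_PLAN)):
        print(name, summarize(plan), check_plan(plan) or "no problems", sep="\n  ")
```

Running it shows the original plan is clean but gives each site over 260,000 hosts, while the proposed plan's home prefix is reported as 192.168.0.0/21 rather than the 192.168.1.0 it was written with.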
 
Thanks Brazen! I'll just do that 🙂 Well, I've just picked up whatever is defaulted on my subnet calculator 😛

Thank you all for the comments / advice.
 