SOHO site-to-site VPN suggestions

dynamik Banned Posts: 12,312
I need to connect two small offices. I don't have all the details yet, but there's only a handful of users at each location. They just need to do some basic file sharing and things like that. Their connection is probably business cable or DSL. Does anyone have any suggestions for equipment to use for this? I don't have to stay within a specific budget, but it should be reasonable and appropriate for their needs.

Comments

  • shednik Member Posts: 2,005
    dynamik wrote:
    I need to connect two small offices. I don't have all the details yet, but there's only a handful of users at each location. They just need to do some basic file sharing and things like that. Their connection is probably business cable or DSL. Does anyone have any suggestions for equipment to use for this? I don't have to stay within a specific budget, but it should be reasonable and appropriate for their needs.

    What are you using at your main office for connectivity? i.e. circuit and hardware
  • 120nm4n Member Posts: 116
    Is a software only VPN an option? Otherwise, I use SonicWalls and have had pretty good luck with them. They make an appliance called "SonicWALL SSL-VPN 200–SSL VPN Appliance" that might do what you're looking for.
    WIP: MCITP: EA
    70-620 - Done
    70-647 - In Progress
    70-649 - Soon.
  • dynamik Banned Posts: 12,312
    shednik wrote:
    What are you using at your main office for connectivity? i.e. circuit and hardware

    There is no main office. This is a side job for me for a small business with two locations. I guess one office is technically the main office, but it's not distinguishable from my point of view.

    I assume they just have a basic linksys router or something like that in place currently. I'll probably just replace whatever they currently have.
    120nm4n wrote:
    Is a software only VPN an option? Otherwise, I use SonicWalls and have had pretty good luck with them. They make an appliance called "SonicWALL SSL-VPN 200–SSL VPN Appliance" that might do what you're looking for.

    Software's not really an option. They only have a few workstations at each place; they're not even a domain environment. I think it'd be easier and more reliable to go with a hardware solution. I was thinking about SonicWall, but I've never used them before. I'll check out that model, thanks.
  • jibbajabba Member Posts: 4,317
    Get RRAS on a Server and a Draytek router as client - job done :P
    My own knowledge base made public: http://open902.com :p
  • ilcram19-2 Banned Posts: 436
    Either a Cisco 871x series router with the advipservices IOS, or an 1800 with the same IOS version.
    The 871 is a pretty good router that runs about $300-600, and there is the flexibility to do wireless networks and other routing and QoS services.
  • Ahriakin Member Posts: 1,799
    Aye, a cheap decent router if all they will do is the VPN, but if you also want internet access for each site, consider a Cisco ASA 5505 ([disclaimer] I know there are other good options out there from Juniper etc. I'm not being a fanboy; it's just what I'm most familiar with and know will work [/disclaimer]). Even with the most basic license it'll do what you need perfectly (and you get the bonus of experience with them :) ).
    The ASA QoS is not on par with that of a router (just one priority queue), but it has much stronger firewall features that would likely benefit a SOHO environment more. For a Cisco router to be an effective and easy-to-manage firewall you need a security license with CBAC enabled, which adds to the cost. CBAC effectively makes it a stateful firewall with some protocol inspection, but the ASA has this natively (and it's more fully featured).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • dynamik Banned Posts: 12,312
    Yea, they'd want internet as well. Why would an ASA be so much better than an 871 like ilcram suggested? Just a more robust firewall? To my knowledge, I'm not going to have to do anything besides throw all the machines behind NAT anyway. Is this the one you're talking about: http://www.newegg.com/Product/Product.aspx?Item=N82E16833120135 It looks like there are a few others that get slightly more expensive, but it seems those just allow more users.

    I think the big question is, can I fumble my way through this with SDM and a little CLI knowledge? I'm currently slightly under CCNA level.

    Thanks to everyone who's responded :D
  • tiersten Member Posts: 4,505
    What is the speed of the connection? If you start enabling things like IPS and VPN then some of the smaller routers won't be able to cope with high speeds.
  • dynamik Banned Posts: 12,312
    I really don't even know. I'm still trying to get all the details. A few megs maybe. They're not going to use anything like IPS, QoS, etc. They might even have their current connection directly connected to a machine with no firewall or anything. Seriously, it's a ghetto setup, and they're just looking to copy some files to and from a new location they're setting up. I'm actually doing the work for another IT company, so I'm kind of out of the loop (and not really in a position to suggest extra things, unless I want to do them out of charity).

    The worst part is, the other location is out in Wisconsin, so I really want this to go smoothly. I seriously want to minimize the time I spend driving through cornfields.

    No offense, Robert...
  • Daniel333 Member Posts: 2,077
    They are pretty much giving away PIX on ebay now if budget is that tight.
    -Daniel
  • Slowhand Mod Posts: 5,161
    I'm going to toss up another vote for SonicWall, simply for the sake of simplicity of the setup and the fact that they're pretty solid and secure devices. I'll also give a push for a lower-end ASA or even a PIX. An ASA because it's definitely comparable to Sonicwall and you'll probably get a whole lot better support and documentation for it. The PIX might save you some money, but they're all pretty much at the end of the line for support from Cisco, so you might feel some pain if you run into issues or need tech support. As far as price is concerned, you'll see similar ranges between Sonicwall, Cisco, and anyone else out there for the SOHO style firewalls/routers.

    And, of course, you know you want to be able to brag about having set up Cisco firewalls... you know you do.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • Ahriakin Member Posts: 1,799
    NAT only adds relative obscurity, and a golden rule of the business is 'Obscurity is not Security'. Besides the various attack mitigation features (like TCP interception etc.), the ASA can statefully/securely handle more complex protocols that open dynamic ports. The classic example is FTP, whereby the eventual data transfer port is dynamically agreed between the server and client, so simply recording state for the initial port 21 connection isn't enough; it gets a lot more complex when you move into multimedia protocols. Again, a lot of this is added via CBAC on IOS routers, but it's not as extensive or flexible.
    Keep the same principles in mind if you look at other products.
  • dynamik Banned Posts: 12,312
    Ahriakin wrote:
    NAT only adds relative obscurity, and a golden rule of the business is 'Obscurity is not Security'.

    Yea, I know. However, I don't think they're planning on having ANY unsolicited incoming connections. They have no clue what FTP is. Multimedia protocols!? No offense, but you seem to be a bit too big-time to gauge the needs of these tiny hick-town offices.

    Seriously though, I appreciate what you're saying. The only point I was making is that there's no point in having advanced features like IPS when I'm not going to be involved after the installation and no one there is going to have any clue what they're doing. Thanks for your input (you too, Slowhand) :D
  • kingpinofdisks Member Posts: 25
    I am a consultant for SMB.

    Try out 2 desktop machines running Monowall. The Dell Outlet will have machines for $200 each, if you can't find any leftovers to use.

    http://m0n0.ch/wall/

    I set up 4 offices (50 users total) with 4 desktops running Monowall about 3 years ago. Intel Celeron CPU, 512 MB RAM, 40 GB HD, 2 NICs each. Cheap. They have all 4 running still, never reboot, complain, or **** about it at all. Their 2 servers are in the 'main' office, so I just went hub-and-spoke for the IPSec topology. Friggin easy.

    Monowall even runs a PPTP daemon, so users can just run the Windows VPN wizard to set up a VPN connection to the office. Again, no cost and easy setup. The PPTP talks to Windows IAS (i.e. RADIUS) without any problems.

    Monowall has a stateful packet filter, DHCP, and IPSec capabilities built-in with a nice GUI. It can even store the config on a USB stick so you can boot a desktop from the CD & have it read the config from the USB key. If the desktop crashes, it is easy to wrangle another one into place.

    A 1ghz Celeron can EASILY handle a 2MB connection with multiple IPSec tunnels and loads of internet connections. I mean <1% CPU doing all of that.

    It is based on FreeBSD, one of the 2 most stable operating systems I have ever used - OpenBSD is the other super-stable one.
  • dynamik Banned Posts: 12,312
    That's pretty cool. The only thing that gives me pause is if they needed support and I'm not available (i.e. who would they call). However, I might look at setting up something like that at home, and I'm sure that'll come in handy in the future. I appreciate the suggestion, thanks.
  • ilcram19-2 Banned Posts: 436
    With the 871, for example, you'll get all the features of the internet router, plus IPS, firewall, WebVPN for SSL connections, QoS for voice, dynamic VPNs, VLANs, WLANs, and much more. I have 10 of these deployed with a stateful firewall configured and dynamic VPNs, doing QoS for the IP phones that connect to my phone system using the VPN tunnel.
  • jbaello Member Posts: 1,191
    I would suggest implementing a Riverbed if you are using a slow WAN link. We are using it and it's really awesome; it caches files that are continuously being transferred, so you get a 75% decrease when transferring or replicating data over your slow WAN link.
  • rfult001 Member Posts: 407
    http://www.newegg.com/Product/Product.aspx?Item=N82E16833124160

    SMB? You can try some of the Linksys routers as well. VPN is being built into everything these days.
  • tiersten Member Posts: 4,505
    jbaello wrote:
    I would suggest implementing a Riverbed if you are using a slow WAN link. We are using it and it's really awesome; it caches files that are continuously being transferred, so you get a 75% decrease when transferring or replicating data over your slow WAN link.
    Riverbed is really nice but probably a little expensive and overboard for this setup :)

    It took a lot of work convincing my boss to even take them up on a demo but once it was in, everybody really liked it. We've had the Riverbed boxes installed for quite a while now and had no problems at all.
  • ilcram19-2 Banned Posts: 436
    I would actually look in more detail at what the company expects: you know, if the offices are growing, or if the company is expanding and adding more offices, so that you won't end up buying more equipment. Planning for the future is always good and will save you some money.
    Prepare for what is being asked, plan for the future and design for growth. lol, just made that up
  • networker050184 Mod Posts: 11,962
    ilcram19-2 wrote:
    I would actually look in more detail at what the company expects: you know, if the offices are growing, or if the company is expanding and adding more offices, so that you won't end up buying more equipment. Planning for the future is always good and will save you some money.
    Prepare for what is being asked, plan for the future and design for growth. lol, just made that up

    If the business grows and you have to upgrade them, then that is more money for you.

    I will second ilcram19-2: a small 800 series router with CBAC should be all you need to set up a site-to-site VPN.
    An expert is a man who has made all the mistakes which can be made.
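For readers who want to see what "an 800 series router with CBAC" for a two-site IPsec tunnel actually looks like in configuration, here is one end of such a setup, written as an added illustration for this thread rather than anything posted by its participants. It also shows the `ip inspect ... ftp` rule behind Ahriakin's FTP point above: the router watches the control channel and opens the negotiated data port itself. All addresses, the hostname, the interface names (Vlan1/FastEthernet4 as on an 871) and the pre-shared key are constructed placeholders; Site B gets the mirror image with the addresses swapped.

```cisco
! Site A 871 (constructed example; Site B mirrors this with the addresses swapped)
! Placeholders: 203.0.113.2 = Site A WAN, 198.51.100.2 = Site B WAN,
!               192.168.10.0/24 = Site A LAN, 192.168.20.0/24 = Site B LAN
hostname SiteA
!
! --- IKE phase 1: how the two routers authenticate and key the tunnel ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.2
!
! --- IPsec phase 2: how LAN-to-LAN traffic is protected ---
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only traffic between the two LANs goes through the tunnel
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
! --- CBAC (the "ip inspect" feature the thread refers to) ---
! Sessions leaving the LAN are tracked so only their replies are let back in;
! the ftp rule inspects the control channel and opens the negotiated data port.
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
! Inbound filter on the WAN side: nothing unsolicited except IKE/ESP from the peer
ip access-list extended WAN-IN
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.2 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
 remark decrypted Site B LAN traffic is re-checked against this list after decryption
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip any any log
!
! Internet access via NAT overload, with the VPN traffic exempted from translation
ip access-list extended NAT-TRAFFIC
 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface FastEthernet4 overload
!
interface Vlan1
 description LAN (switch ports Fa0-Fa3)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet4
 description WAN (business cable/DSL)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
 ip inspect CBAC-OUT out
 crypto map VPN-MAP
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check once both routers are up: `show crypto isakmp sa` should list the peer in QM_IDLE and `show crypto ipsec sa` should show the encrypt/decrypt counters climbing in both directions; `show ip inspect sessions` lists the sessions CBAC is currently tracking, which is the quickest way to confirm the return-traffic holes are being opened and closed as expected. The NAT exemption entry matters more than it looks: if LAN-to-LAN traffic gets translated before the crypto map sees it, it no longer matches VPN-TRAFFIC and silently goes out unencrypted to the internet instead of through the tunnel. This design assumes both WAN addresses are static; a dynamic address on either side needs a different peer setup than the fixed `set peer` shown here.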
  • ajs1976 Member Posts: 1,945
    I tried to set up a site-to-site VPN with Linksys, but didn't like the results. I've had good luck with Multitech RouteFinder 820s.

    One of the software vendors I work with requires Firebox 10e's. So far I like them, but haven't done much work on it.
    Andy

    2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
  • dynamik Banned Posts: 12,312
    Thanks again everyone.

    One thing I should probably add is that I'm doing this for a client of a small computer company that doesn't do this type of stuff. It's not like I don't care about addressing their future needs, advanced security, etc.; I'm just not getting hired (or paid) to deal with any of that. They just want me to pick out two pieces of equipment and make them talk to each other.
  • Slowhand Mod Posts: 5,161
    dynamik wrote:
    I need to connect two small offices.
    On second thought, I'm taking back all my advice. Why is it always about your needs? Ever thought about what the rest of us want?

    Note: Yes, I'm in a goofy mood today. Don't ask, don't tell.
  • tiersten Member Posts: 4,505
    Slowhand wrote:
    dynamik wrote:
    I need to connect two small offices.
    On second thought, I'm taking back all my advice. Why is it always about your needs? Ever thought about what the rest of us want?

    Note: Yes, I'm in a goofy mood today. Don't ask, don't tell.
    Is it a school project though? :D
  • nel Member Posts: 2,859
    Get a few Cisco 871s. If you want a dedicated box for security, it seems a lot of smaller places go for SonicWall, or you could get a small NetScreen.

    If I were you I would keep it simple, because you don't want the hassle of the support afterwards if you're not getting paid or don't even have a contract with them.
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking
  • msteinhilber Member Posts: 1,480
    rfult001 wrote:
    http://www.newegg.com/Product/Product.aspx?Item=N82E16833124160

    SMB? You can try some of the Linksys routers as well. VPN is being built into everything these days.

    A lot of people I talk to in the industry around me shun Linksys or any other "consumer" grade hardware altogether, but I can second the Linksys RV series routers. We have 3-4 dozen RV042's and RV082's that have been in operation for a number of years and they work very well. VPN connectivity is reliable, with no real issues to speak of, except for a couple of failed units from an early generation with poor capacitors, which has since been corrected. So if you see any reviews mentioning only a year or two of lifespan, that is likely from the very early models, since I haven't had one fail on us in a couple of years now. As for any reviews of locking up/overheating, most of ours are wedged into tight places, often with a fairly basic server, and the environment in many of these offices isn't very computer friendly with heat and dust; again, no issues. Everything is monitored remotely via SNMP and I don't see any slowdowns at all due to overheating.