VPN Optimization question

Dustin.cisco Member Posts: 29
Hi,

I have 3 Questions

#1

My question is would using CHAP Authentication over an AES encrypted VPN site-to-site connection be unnecessary overhead? Would it be more practical to use PAP?

#2

I know VPN connection speeds are mainly dependent on the "cloud" and ISP the connection is going through, but are there any tips or tricks for optimization?

#3 (Edited)

How does one configure VPN User Authentication through Active Directory on a Windows Server while having the VPN setup on a SonicWall Firewall?

Comments

  • instant000 Member Posts: 1,745
    Hi,

    I have 3 Questions

    Is this homework?
    #1

    My question is would using CHAP Authentication over an AES encrypted VPN site-to-site connection be unnecessary overhead? Would it be more practical to use PAP?

    I would use CHAP, regardless. If protecting your passwords is unnecessary overhead, you need to throw away that AOL CD and get off dial-up.

    RFC 1334 - PPP Authentication Protocols


    #2

    I know VPN connection speeds are mainly dependent on the "cloud" and ISP the connection is going through, but are there any tips or tricks for optimization?

    Yeah, only configure VPNs where needed. That is, configure it so that only traffic needing to go across the VPN goes there. Let the rest go out to the internet. That should save you a little stress on your connection. If there are some services (like file) that are really needed at the remote site, there are branch caching technologies available.

    Some caching technology can be deployed, which can save you on your WAN spend $$$.
    #3 (Edited)

    How does one configure VPN User Authentication through Active Directory on a Windows Server while having the VPN setup on a SonicWall Firewall?

    If you're using Windows Server 2008 R2/Windows 7, use DirectAccess
    DirectAccess

    I'm not that familiar with SonicWall products. At a past job, we configured user authentication via Active Directory, through a Cisco Agent. Wouldn't be shocked if SonicWall had a similar agent you could deploy to authenticate against AD.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
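What PAP and CHAP each put on the wire, as an added example that is not part of any poster's reply: it builds a PAP Authenticate-Request and a CHAP challenge/response pair using the packet layouts from RFC 1334 (CHAP with MD5). The peer names and the shared secret are constructed sample values.

```python
import hashlib, hmac, os, struct

def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (code 1): peer-id and password travel as-is."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(data)) + data

def chap_challenge(ident: int, name: bytes, value: bytes = None) -> bytes:
    """CHAP Challenge (code 1): the authenticator sends a fresh random value."""
    value = value or os.urandom(16)
    hdr = struct.pack("!BBHB", 1, ident, 5 + len(value) + len(name), len(value))
    return hdr + value + name

def chap_response(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """CHAP Response (code 2): MD5(identifier || secret || challenge value)."""
    _, ident, _, vlen = struct.unpack("!BBHB", challenge_pkt[:5])
    value = challenge_pkt[5:5 + vlen]
    digest = hashlib.md5(bytes([ident]) + secret + value).digest()
    hdr = struct.pack("!BBHB", 2, ident, 5 + len(digest) + len(name), len(digest))
    return hdr + digest + name

def chap_verify(challenge_pkt: bytes, response_pkt: bytes, secret: bytes) -> bool:
    """Authenticator recomputes the hash for the challenge it issued."""
    _, c_id, _, vlen = struct.unpack("!BBHB", challenge_pkt[:5])
    _, r_id, _, rlen = struct.unpack("!BBHB", response_pkt[:5])
    expected = hashlib.md5(bytes([c_id]) + secret + challenge_pkt[5:5 + vlen]).digest()
    return c_id == r_id and hmac.compare_digest(expected, response_pkt[5:5 + rlen])

def demo() -> dict:
    user, secret = b"branch-gw", b"S3cret-constructed"   # constructed sample values
    pap = pap_request(1, user, secret)
    ch1 = chap_challenge(1, b"hq-gw")
    resp = chap_response(ch1, user, secret)
    ch2 = chap_challenge(1, b"hq-gw")                    # a later, different challenge
    return {
        "pap_leaks_secret": secret in pap,               # password readable in the packet
        "chap_leaks_secret": secret in resp,             # only a hash is sent
        "chap_ok": chap_verify(ch1, resp, secret),
        "replay_ok": chap_verify(ch2, resp, secret),     # old response vs. new challenge
        # request-side bytes only; PAP Ack and CHAP Success replies are not counted
        "extra_bytes": len(ch1) + len(resp) - len(pap),
    }

if __name__ == "__main__":
    print(demo())
```
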
  • ChooseLife Member Posts: 941
    #1
    My question is would using CHAP Authentication over an AES encrypted VPN site-to-site connection be unnecessary overhead? Would it be more practical to use PAP?
    Unless there is a VERY large stream of authentication sessions, the difference in overhead would be negligibly small, so I wouldn't worry.
    #2
    I know VPN connection speeds are mainly dependent on the "cloud" and ISP the connection is going through, but are there any tips or tricks for optimization?
    Is this optimization for a VPN that seems significantly underperforming (something broken), or tweaking a normally working VPN to get slightly better performance?
    #3 (Edited)
    How does one configure VPN User Authentication through Active Directory on a Windows Server while having the VPN setup on a SonicWall Firewall?
    Generally, you can set up RADIUS on one (or more) of the servers in AD, and then make the SonicWall authenticate against the RADIUS servers. Haven't used SonicWall myself, but Google has plenty of documentation for "SonicWall + VPN + RADIUS"
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896
  • ChooseLife Member Posts: 941
    instant000 wrote: »
    That is, configure it so that only traffic needing to go across the VPN goes there. Let the rest go out to the internet.
    Yes, enabling split tunneling can save a lot of VPN bandwidth. Just remember to make a conscious decision whether Internet traffic of the remote VPN clients/sites should be going directly out at the price of having no control over it (antivirus, etc).

    Also, monitoring the VPN port will help to discover chatty remote hosts (misconfigured synchronization, p2p/Skype/Youtube/other-bandwidth-eater-app users on VPN with no split tunnel).
  • ajmatson Member Posts: 289
    How does one configure VPN User Authentication through Active Directory on a Windows Server while having the VPN setup on a SonicWall Firewall?

    Are you setting up a site-to-site VPN, or a client-based VPN on the SonicWALL (i.e. Global VPN or SSL VPN)?
    Working on currently:
    Masters Degree Information Security and Assurance (WGU) / Estimated 06/01/2016
    Next Up: CCNP Routing Exam | Certified Ethical Hacker Exam
    Cisco Lab: ASA 5506-X, GNS3, 1x 2801 Router, 1x 2650XM, 1x 3750-48TS-E switch, 2x 3550 EMI Switches and 1x 2950T switch.
    Juniper Lab: 1x SRX100H2, 1x J2320 (1GB Flash/1GB RAM, JunOS 11.4R7.5), and 4 JunOS Firefly vSRX Routers in VMWare ESXi 5.1