VPN between sites

Discussion in 'Networking (Hardware & Software)' started by jeffuk123, 2006/12/12.

  1. 2006/12/12
    jeffuk123

    jeffuk123 Inactive Thread Starter

    Joined:
    2006/04/03
    Messages:
    71
    Likes Received:
    0
    Hello to all,

    What would be the best way to VPN between 2 sites with a server in each?

    Would it be with a hardware VPN or does Windows Server 2003 allow this without the use of a hardware VPN?

    I would be really grateful if someone could provide me with urgent help with this and a typical ip configuration for each site.

    A big thank you to those who take their time out to answer this,

    Kind regards,
    Jeff
     
  2. 2006/12/12
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    Personally, I'd go the hardware VPN route. Most dedicated hardware firewalls provide a VPN facility. For example, firewalls from manufacturers such as Watchguard, SonicWall and Cisco.

    Things to be aware of:

    • Make sure that you buy a device that terminates a VPN connection. Some routers offer a VPN solution, but actually all this is, is a facility to pass VPN through the router to an internal device that terminates the VPN (e.g. a server).
    • The two networks you are connecting need to have different IP address spaces or you will not be able to route between the two. This results in you being able to set up a VPN connection, but not being able to access anything the other side of the VPN. Personally, I'd use 10.0.0.0/255.255.0.0 for one site and 10.1.0.0/255.255.0.0 for the other. However, if you prefer, you can use 192.168.0.0/255.255.255.0 for one site and 192.168.1.0/255.255.255.0 for the other. Any private address will do - as long as they are different from one another.

    If you are on a really tight budget a router with a full VPN facility is an option. For example Draytek ADSL routers. However, a dedicated firewall is a better option I believe.
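
Added example, not part of ReggieB's post: a Python check of a two-site addressing plan against the rule above, covering both identical subnets and a mask wide enough to swallow the other site. The function name `check_sites` and the site labels are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges ("any private address will do" in the post above).
PRIVATE = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_sites(sites):
    """Return a list of problems with a site-to-site addressing plan.

    sites maps a site name to 'network/mask' in dotted-mask or CIDR form.
    An empty list means every pair of sites can be routed across the VPN.
    """
    problems, nets = [], {}
    for name, spec in sites.items():
        try:
            # strict=True rejects a network address with host bits set.
            net = ipaddress.IPv4Network(spec, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad subnet {spec!r}: {exc}")
            continue
        if not any(net.subnet_of(p) for p in PRIVATE):
            problems.append(f"{name}: {net} is not private address space")
        nets[name] = net
    # Every pair of sites must be disjoint, or the gateways cannot route.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems

if __name__ == "__main__":
    # Constructed plans: the first uses the subnets suggested in the thread.
    plans = {
        "thread suggestion": {"A": "10.0.0.0/255.255.0.0",
                              "B": "10.1.0.0/255.255.0.0"},
        "same default LAN":  {"A": "192.168.1.0/24", "B": "192.168.1.0/24"},
        "mask too wide":     {"A": "10.0.0.0/255.0.0.0",
                              "B": "10.1.0.0/255.255.0.0"},
    }
    for label, plan in plans.items():
        print(f"{label}: {check_sites(plan) or 'OK'}")
```
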
     
  4. 2006/12/15
    jeffuk123

    jeffuk123 Inactive Thread Starter

    Joined:
    2006/04/03
    Messages:
    71
    Likes Received:
    0
    Thanks for the replies.

    I have found out that at one site the server needs to be a backup domain controller. This is to be linked via VPN to the primary domain controller at another site. I feel that this may be very slow. What do you think? Any ideas on the best way forward?

    Many thanks,
    Jeff
     
  5. 2006/12/15
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    The thing to remember with VPN is that the limiting factor tends to be the upload speed of the slowest link. With ADSL this can commonly be less than half a meg.

    So replicating an AD over a VPN link is possible, but I'd recommend you trawl through the Active Directory literature for the tweaks you can make to reduce the replication traffic.
     
  6. 2006/12/15
    visionof

    visionof Inactive

    Joined:
    2006/11/12
    Messages:
    778
    Likes Received:
    5
    Check this out: http://www.hamachi.cc/
    Highly secure.
    Fast, uses UDP.
    The differences between the free and commercial versions, besides more users, are a control panel and more controls for the admin.
    Zero config works like a charm.
    Useful as well if you want to get through a router for remote access easily.
     
  7. 2006/12/15
    jeffuk123

    jeffuk123 Inactive Thread Starter

    Joined:
    2006/04/03
    Messages:
    71
    Likes Received:
    0
    Thank you

    With Hamachi, is this a case of just setting up an ADSL router at each site and installing Hamachi at both sites?

    Thanks,
    Jeff
     
  8. 2006/12/15
    visionof

    visionof Inactive

    Joined:
    2006/11/12
    Messages:
    778
    Likes Received:
    5
    Hamachi

    Sorry, not familiar at all with ADSL.
    Hamachi creates a VPN over the internet.
    Both sides need an internet connection.
    A server (at Hamachi, I believe) coordinates the initial connection, but after that the data flows between the users and does not go through the server in any way.
    UDP protocol. Very fast. Secure from the top down (or so the expert claimed). Zero configuration.

    Here is a link to a setup of a private Network with Hamachi

    http://www.lifehacker.com/software/...rtual-private-network-with-hamachi-201786.php
     
  9. 2006/12/16
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    A couple of points:

    The Hamachi product looks interesting. It appears to be just the sort of thing to use if you have roaming users who need to be able to connect from anywhere.

    However, it is not a site to site solution. It is a PC to PC solution.

    With a site to site solution, you set up one VPN connection, and that allows all computers on one site's network, to connect to all computers on the other site's network. You can then usually set up rules to restrict this access if necessary. The VPN connects between a gateway device (such as a hardware firewall) at each network. So just two devices to configure and one connection to maintain.

    With the Hamachi set up you will need to install the product on every computer that you want to use the network VPN. So that's multiple installations to maintain.

    I think the Hamachi solution will work, but if you want an easy life, I think a single site to site VPN set up will be a lot easier to maintain and manage. And easy maintenance and management also lends itself to being easier to secure.

    By the way - many VPN solutions use UDP rather than TCP. It is not something unique to Hamachi.
     
  10. 2006/12/21
    booBot

    booBot Inactive

    Joined:
    2006/10/27
    Messages:
    42
    Likes Received:
    0
    OpenVPN

    I strongly recommend using OpenVPN in bridged mode.
    Very easy to set up, industrial security grade.

    I have used it for over ~a year now and am very satisfied with its performance.
     
  11. 2006/12/22
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    VPN between Servers

    Hello everyone

    Been a while since I have been on.


    OK

    I am with Reggie on the hardware. Hardware is almost always better than a software solution. I would take his advice here.

    As pointed out by Reggie Hamachi is Workstation to Workstation.

    But if hardware is not suitable at this time then here is how to do it.


    You are dealing with Servers here. I doubt that you can even install or get Hamachi to run on Server.

    Besides the 2 servers have all you need.

    Hopefully you have a Static WAN (internet) IP on at least one or both of the Servers.

    If you only have one Static WAN (internet) IP then it should be the receiver/answerer "Accept incoming connections".

    In network control panel create an incoming VPN connection "Accept Incoming connections" on this Server.

    In your Router (at the Accept incoming connections computer), Port map (forward) port 1723 (the VPN port) to the local LAN IP of the Server to accept incoming connections.

    In the setup of the outgoing Server set it to connect to the Static WAN (internet) IP of the computer to Accept incoming connections.

    I assume you know how to set up the Users and permissions on the connections. Also there may be other adjustments to the Router depending on how it is set up now.

    The speed of this connection will be the speed of the slowest ADSL/DSL/Cable T1 or whatever you have. Say Server 1 is on ADSL at 6Mbps and Computer 2 is on T1 at 15Mbps etc, then 6 will be the speed governor.

    Mike
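
Added example, not part of Mike's post: a Python check, run from the outgoing site, that the port 1723 forward really reaches the accepting server. TCP 1723 is the PPTP control channel, so the script sends the PPTP Start-Control-Connection-Request defined in RFC 2637 and parses the reply; the function names and the probe host name are assumptions. It does not test GRE (IP protocol 47), which PPTP tunnel data also needs the router to pass.

```python
import socket
import struct
import sys

MAGIC = 0x1A2B3C4D  # PPTP magic cookie (RFC 2637)
# Both control messages are fixed at 156 bytes, network byte order.
REQ = struct.Struct(">HHIHHHHIIHH64s64s")   # Start-Control-Connection-Request
REP = struct.Struct(">HHIHHHBBIIHH64s64s")  # Start-Control-Connection-Reply

def build_sccrq(host=b"vpn-check"):
    """Request: control message type 1, protocol version 1.0."""
    return REQ.pack(REQ.size, 1, MAGIC, 1, 0, 0x0100, 0, 1, 1, 0, 0, host, b"")

def parse_sccrp(data):
    """Decode a reply; raise ValueError if it is not a PPTP server's answer."""
    if len(data) < REP.size:
        raise ValueError(f"short reply: {len(data)} bytes")
    (_len, mtype, magic, ctrl, _r0, ver, result, error,
     _frame, _bearer, _chans, _fw, host, vendor) = REP.unpack(data[:REP.size])
    if magic != MAGIC or mtype != 1 or ctrl != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {
        "ok": result == 1,  # result code 1 = control channel established
        "result": result,
        "error": error,
        "version": f"{ver >> 8}.{ver & 0xFF}",
        "host": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }

def probe(wan_ip, port=1723, timeout=5.0):
    """Connect to the forwarded port and complete the first PPTP exchange."""
    with socket.create_connection((wan_ip, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < REP.size:
            chunk = s.recv(REP.size - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)

if __name__ == "__main__" and len(sys.argv) == 2:
    # Pass the static WAN IP of the accepting site as the only argument.
    print(probe(sys.argv[1]))
```

A connection timeout or refusal points at the router's port mapping; a `ValueError` means something other than a PPTP server answered on that port.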
     
  12. 2006/12/23
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Mike - what a great surprise :) Welcome back.

    Happy Holidays to you and yours.

    Charles
     
  13. 2006/12/23
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Thanks Charles

    The same back at you, 100 fold, all the best.

    Mike
     