Networking Forums

Leased Line to be replaced by VPN

 
 
Steve W
02-18-2005, 04:28 PM
Hi,

I have plans to replace a leased line on our network with a broadband VPN,
to save money.
Currently this goes between a site with about 4 PCs and the main site. It's
an unmanaged switch and all PCs are part of the same (NT4) domain.
What would be the best way to replace this?
Should I go for using dial-up networking for logon over the VPN? Or should I
set up a permanent VPN connection between 2 routers? Would I need a server
at the remote site to provide a permanent VPN?

Any advice you can give I'd be grateful for, or any website references. We
don't have the resources to just get in a 3rd party to do it for us, and
anyway, we'll learn more doing it ourselves!

Thanks
SW


 
 
 
 
 
Doug Sherman [MVP]
02-18-2005, 07:18 PM
1. Most people find the logon-using-dialup-connection client/server type
connection too clunky for constant everyday use. A router to router VPN is
more desirable for logging onto the domain, but you would need a RRAS
server in both offices to do this with Windows software.

2. Probably you will be buying broadband routers anyway, so the
recommendation is to get routers with built-in hardware VPN capability and
use this capability to set up a router to router VPN. There are many low
cost products available - e.g.:

http://www.linksys.com/products/prod...id=29&prid=607

3. Get 2 identical routers. There is significant overhead in transmitting
encrypted data through a VPN tunnel, and the hardware solution frequently
gives noticeably better performance than a software solution.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 
Steve W
02-19-2005, 07:39 AM
Doug

Thanks for your prompt and helpful reply.
I have some questions about your suggestions. We have an existing broadband
line at the main site that is used for internet access, email, and
occasionally, remote access via VPN. This is set as the default gateway.

I'm sure that I would need an extra broadband line at the main site to
create this permanent VPN, and of course I'd need a broadband line at the
remote site. I shouldn't use the existing one at the main site as there
would be too much traffic on it. Could you confirm that and also tell me how
the machines at the remote site would "find" the servers at the main site,
and vice versa? (I'm guessing that the new routers would need an internal IP
address at each end and that would be sufficient, the routers would do the
rest?)

Also, VPN at the moment is controlled by the RRAS server at the main site.
People need dial-in permissions before they can connect remotely. The router
to router method would mean that effectively, people at the remote site are
not using remote access at all to connect, they're logging on and being
authenticated by the DC at the main site just as they are at the moment over
the leased line?

Best Regards
Steve W

 
Bill Grant
02-19-2005, 08:12 AM
No, you don't need an additional broadband connection, unless the VPN
traffic overloads your current one. The routing is easier if both VPN and
Internet access use the same router and the same default gateway. If you
have two broadband links you will need extra routing to get the VPN traffic
to the "right" router.

The setup should work just like your current leased line setup if you go
to a router to router VPN link. The two sites use their normal private IPs,
and the VPN link is "invisible" to the client machines. It just looks like a
slow IP router.

 
Steve W
02-19-2005, 09:40 AM
Bill,

Thanks for your response.
You have raised more questions!

I'm not clear then about whether the existing broadband router will do the
job or whether I need to replace it. It's a Cisco 837. It's used currently as
I said for default gateway, and also for remote VPN access, web serving and
Outlook Web Access. If I use it to create a permanent VPN, won't this
exclude the occasional remote users and also prohibit use of our small web
server?
The router has an "Easy VPN" option that I've never used, and there's a note
on the router setup page that says if I use that, the PAT table entries
will be cleared. ("Enter the Easy VPN parameters provided by your VPN
service provider. The PAT and NAT parameters are removed when Easy VPN is
configured.")
The router documentation backs that up and says that the router should be
configured either as I've got it (that is, using manual PAT settings) or as
an "easy VPN" router.
So, is it possible to direct the permanent VPN through this router (using
Windows 2000 server?), or would Doug's recommended router be a better
option, and do all that I need it to, with a permanent VPN tunnel, and PAT
as well?
I've posted a question on a Cisco ng regarding this.

Thanks again,

Steve W


 
Bill Grant
02-19-2005, 10:37 PM
No, I wouldn't attempt that. You would almost certainly lose your
Internet connection, and it would be very messy. And you would need a RRAS
server at the second site.

Look at replacing the Cisco router with a router that supports
router-to-router VPN, and get a similar one for the other site. The router
will automatically tunnel traffic for the "other" site, but send normal
Internet traffic directly.

If you decide to use a second router and ADSL connection for the VPN, it
is not a major problem. You just need extra routing on the Cisco to redirect
the "private" traffic to the correct router (i.e. normal Internet traffic uses
the Cisco, traffic for the private site uses the new router). The second
site just sends everything over the VPN link by default. The VPN looks like
a direct link (or like a leased line).

With a setup like this, the clients aren't aware of the VPN at all. The
WAN seems like two segments connected by a (slow) router. VPN is not fast
over ADSL. Tunnelled traffic will travel at the lower (upload) speed, not
download.

There isn't a lot of documentation on a setup like this. The Microsoft
documents are aimed at using RRAS routers (naturally) and are not really
suitable for your needs.

If you want to follow this up you can reach me using grantaw at
aliencamel dot com.

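The two layouts described in the post above, written out as routing tables with a longest-prefix lookup that shows which hops a packet takes and whether it crosses the tunnel. This is an added example, not part of the original thread; the subnets, router names and the VPN router's default route toward the Cisco are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing plan and router names (assumptions, not from the thread).
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def two_router_design(extra_route=True):
    """Cisco stays the default gateway; a second router carries the VPN."""
    # Each route is (destination network, next hop, link type).
    cisco = [(MAIN_LAN, "main-lan", "lan"), (DEFAULT, "internet", "wan")]
    if extra_route:
        # The "extra routing on the Cisco": hand remote-site traffic to the VPN router.
        cisco.append((REMOTE_LAN, "main-vpn", "lan"))
    return {
        "cisco": cisco,
        # Assumption: Internet-bound traffic arriving from the tunnel is handed to the Cisco.
        "main-vpn": [(MAIN_LAN, "main-lan", "lan"),
                     (REMOTE_LAN, "remote-vpn", "tunnel"),
                     (DEFAULT, "cisco", "lan")],
        # The second site sends everything over the VPN link by default.
        "remote-vpn": [(REMOTE_LAN, "remote-lan", "lan"),
                       (DEFAULT, "main-vpn", "tunnel")],
    }


def single_router_design():
    """One VPN-capable router per site: tunnel the other site, send the rest direct."""
    return {
        "main-rtr": [(MAIN_LAN, "main-lan", "lan"),
                     (REMOTE_LAN, "remote-rtr", "tunnel"),
                     (DEFAULT, "internet", "wan")],
        "remote-rtr": [(REMOTE_LAN, "remote-lan", "lan"),
                       (MAIN_LAN, "main-rtr", "tunnel"),
                       (DEFAULT, "internet", "wan")],
    }


def lookup(table, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    matches = [route for route in table if dst in route[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda route: route[0].prefixlen)


def trace(tables, first_router, dst, max_hops=8):
    """Follow next hops from a client's default gateway until the packet exits.

    Returns (hops, tunnelled): the hops in order, and whether any leg used the VPN.
    """
    dst = ipaddress.ip_address(dst)
    hops, tunnelled, router = [first_router], False, first_router
    for _ in range(max_hops):
        _, next_hop, link = lookup(tables[router], dst)
        hops.append(next_hop)
        tunnelled = tunnelled or link == "tunnel"
        if next_hop not in tables:  # delivered to a LAN or sent to the Internet
            return hops, tunnelled
        router = next_hop
    raise RuntimeError("routing loop")


if __name__ == "__main__":
    # Same destination at the remote site, with and without the extra Cisco route.
    print(trace(two_router_design(), "cisco", "192.168.2.10"))
    print(trace(two_router_design(extra_route=False), "cisco", "192.168.2.10"))
```

Without the extra route, traffic for the remote subnet follows the Cisco's default route toward the Internet and never enters the tunnel, which is the misrouting the added static route prevents.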
 
 
 