chava20
7 posts

Hi,

Can someone recommend Cisco routers that support site-to-site VPN? I already have an ASA but am looking to purchase some Cisco routers to support multiple sites.

Thanks in advance

laith43d
109 posts

The 815-VPN is the cheapest Cisco router that supports IPsec site-to-site; the ASA5505 is cheaper than the 815-VPN.

Vyatta, either as a hardware appliance or as software, is cheap; you can install it on an old i386 or even a micro-computer.

In regards to the server side, you can use an ASA5510, or a crypto module with a 3845 or 7200. I don't know if there are cheaper options; that's what we used to use.

Cheers,

chava20
7 posts

I meant for the remote hardware end. I've used a 2851 to an ASA; I just wanted to know if anyone knew of other, perhaps more cost-effective, hardware models.

dantel
36 posts

I think something to consider is how much traffic you'll be putting across this. I have a 2801 router that also has the crypto co-processor hardware in it and when we push toward 15Mbps of VPN traffic through the router, it is very processor bound. If you are not going to move that much traffic then a budget router will be fine.

Why, though, do you need the router? As laith43d mentioned, the 5510 is an option, and I think ASAs are optimized to handle more VPN traffic than a budget router, but that's just my opinion - an ASA 5505 also seems to handle some of my site-to-site traffic fairly well, and that was way less than $1,000.

chava20
7 posts

Excellent point. I already have a 5510 on the server side; I will look into the ASA5505.

My familiarity with configuring the routers is better than with the ASA, but there's always room to learn. Thanks guys.

laith43d
109 posts

You're welcome :)

Pervis
6 posts

In setting up site-to-site VPNs, you'll also want to consider what type of tunnel you'll be using, as it will have consequences for your hardware. For a basic IPSec VPN, the opinions above are correct that routers or ASAs will work fine. But if you are looking for features such as VTI or GRE over IPSec, these are only supported on the router platform. If this is for internal business VPNs, I would strongly lean towards using either VTI or GRE over IPSec because of the added flexibility that they provide. In terms of hardware, 2800/2900 or 3800/3900 series routers should be fine, as long as they are sized to your environment.

You can reference Table 12 on the following page to check IPSec performance on the 2800 platform. Unfortunately I have been unable to find a similar table for the 3800 series platform.

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bd6.html

ciscocrank
28 posts

laith43d,

Vyatta: does it support bandwidth control for the tunnel?

laith43d
109 posts

Yes, it is supported.

ciscocrank
28 posts

Hi Mr. laith43d,

Vyatta is a good option for VPN, but I have a problem: how can I disable multiple logins from different PCs using the same user account on the VPN access server?

Thank you

laith43d
109 posts

What VPN configuration do you use? What VPN type? What version of Vyatta?

ciscocrank
28 posts

Version: VC5.0.2

VPN type: remote access with local account authentication

laith43d
109 posts

BTW, you do not need any "outside-nexthop 10.0.88.1"; you just need to configure a default gateway via a static route.

e.g.: set protocols static route 0.0.0.0/0 next-hop x.x.x.1

I have an identical configuration using PPTP, with no problems at all. Anyway, the L2TP implementation for Vyatta is so buggy; for example, try to connect to the same machine with two different clients: it is not possible, i.e. it does not allow more than one login per session. In regards to this issue, you can refer to the huge amount of discussion on the Vyatta.org/forum site about this particular topic.

PPTP is feasible; its newer version is secure enough for small to medium businesses. If you need larger firewall capabilities, you should try pfSense, or Cisco/Juniper alternatives. BTW, I don't believe that Vyatta's VPN solution is good enough other than for site-to-site VPNs.

Thanks,
