Network Management Strategies for the CIO
Requires Free Membership to View
Well -- let's see. First, you will need two static, publicly routable IP addresses (one per site). If you're using basic ADSL, it's likely that the ISP will dynamically assign you an address via DHCP each time you connect. This won't work because each time the sites change address, they won't be able to find each other. So, make sure your ISP provides you a dedicated (non-changing) public address. There may be a surcharge for this.
You will also need to know if the DSL requires PPPoE (point-to-point protocol over Ethernet). If so, then make sure that your VPN/firewall is able to terminate PPPoE. Otherwise, you'll need to use one of your PCs as the Internet gateway device so it can terminate PPPoE with software provide by the ISP. This gets pretty messy. Your ISP should be able to tell you what firewall/VPN appliances work with their service.
If you want to have multiple machines at each location, make sure your firewall supports Internet connection sharing (ICS). Almost all do, but it's good to check.
Some protocols like IPsec don't traverse NAT well. If you're working with publicly routable addresses for both your VPN devices, you won't have any problems with NAT. On the other hand, if you're working with private addresses that are being NAT'ed by another firewall or by the ISP, you'll need a VPN device that can encapsulate the IPsec inside TCP or UDP to get through the NAT.
One last note, TCP/UDP encapsulation chews up processing power, causing devices to perform 50% slower than with pure IPsec. So, if you need to use TCP/UDP encapsulation, you may want to upgrade the VPN/firewall appliance to one a little more powerful.
Good luck,
Mark
This was first published in June 2002
Join the conversationComment
Share
Comments
Results
Contribute to the conversation