Q

Preparing for site-to-site VPN

We are about to install a firewall/VPN appliance and connect a remote office in a site-to-site VPN scenario. We'll have a small business firewall/VPN device at the remote site as well, going over DSL. Is there anything I would need to be aware of prior to the setup? I vaguely remember reading in an article about some issues with NAT. Is there anything in particular I need to request from the ISP?

A

Well -- let's see. First, you will need two static, publicly routable IP addresses (one per site). If you're using basic ADSL, it's likely that the ISP will dynamically assign you an address via DHCP each time you connect. This won't work because each time the sites change address, they won't be able to find each other. So, make sure your ISP provides you a dedicated (non-changing) public address. There may be a surcharge for this.

You will also need to know if the DSL requires PPPoE (point-to-point protocol over Ethernet). If so, then make sure that your VPN/firewall is able to terminate PPPoE. Otherwise, you'll need to use one of your PCs as the Internet gateway device so it can terminate PPPoE with software provided by the ISP. This gets pretty messy. Your ISP should be able to tell you what firewall/VPN appliances work with their service.

If you want to have multiple machines at each location, make sure your firewall supports Internet connection sharing (ICS). Almost all do, but it's good to check.

Some protocols like IPsec don't traverse NAT well. If you're working with publicly routable addresses for both your VPN devices, you won't have any problems with NAT. On the other hand, if you're working with private addresses that are being NAT'ed by another firewall or by the ISP, you'll need a VPN device that can encapsulate the IPsec inside TCP or UDP to get through the NAT.

One last note: TCP/UDP encapsulation chews up processing power, causing devices to perform 50% slower than with pure IPsec. So, if you need to use TCP/UDP encapsulation, you may want to upgrade the VPN/firewall appliance to one a little more powerful.

Good luck,
Mark
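A small pre-flight check that turns the answer's checklist into code: it classifies each appliance's WAN address as publicly routable or not, flags the ISP requests still outstanding (static address, PPPoE termination), and lists the IPsec traffic each firewall must permit, which is IKE on UDP/500 and ESP (IP protocol 50) for pure IPsec, plus UDP/4500 when NAT traversal is needed. This is an added example, not code from the answer or from any appliance vendor; the Site fields and the sample addresses are constructed placeholders.

```python
"""Pre-flight check for an IPsec site-to-site VPN between two firewall/VPN
appliances.  Constructed example; the site parameters are placeholders."""
from dataclasses import dataclass
import ipaddress

# Address space that is never publicly routable: RFC 1918 private ranges plus
# RFC 6598 shared (carrier-grade NAT) space, which DSL ISPs may hand out.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(wan_ip: str) -> bool:
    """True if the appliance's WAN address cannot be the one the peer sees."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in NON_ROUTABLE)


@dataclass
class Site:
    name: str
    wan_ip: str                 # address on the appliance's WAN interface
    static_ip: bool             # ISP guarantees the address does not change
    pppoe: bool                 # DSL line requires PPPoE
    appliance_terminates_pppoe: bool = True


def preflight(a: Site, b: Site) -> dict:
    """Return blocking problems and the IPsec traffic each firewall must allow."""
    problems = []
    for s in (a, b):
        if not s.static_ip:
            problems.append(f"{s.name}: request a static public address from the ISP")
        if s.pppoe and not s.appliance_terminates_pppoe:
            problems.append(f"{s.name}: appliance must terminate PPPoE itself")
    nat = behind_nat(a.wan_ip) or behind_nat(b.wan_ip)
    # Pure IPsec: IKE on UDP/500 and ESP (IP protocol 50).  ESP carries no port
    # numbers for a NAT device to track, so behind NAT the tunnel must instead
    # run inside UDP/4500 (NAT traversal); IKE starts on 500 and moves to 4500.
    allow = [("udp", 500), ("udp", 4500)] if nat else [("udp", 500), ("esp", None)]
    return {"problems": problems, "needs_udp_encapsulation": nat, "allow": allow}


if __name__ == "__main__":
    hq = Site("HQ", "203.0.113.10", static_ip=True, pppoe=False)
    branch = Site("Branch", "10.0.0.2", static_ip=False, pppoe=True,
                  appliance_terminates_pppoe=False)
    for key, value in preflight(hq, branch).items():
        print(f"{key}: {value}")
```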

This was first published in June 2002
