
Preparing for site-to-site VPN

We are about to install a firewall/VPN appliance and connect a remote office in a site-to-site VPN scenario. We'll have a small business firewall/VPN device at the remote site as well, going over DSL. Is there anything I would need to be aware of prior to the setup? I vaguely remember reading in an article about some issues with NAT. Is there anything in particular I need to request from the ISP?

Well -- let's see. First, you will need two static, publicly routable IP addresses (one per site). If you're using basic ADSL, it's likely that the ISP will dynamically assign you an address via DHCP each time you connect. This won't work because each time the sites change address, they won't be able to find each other. So, make sure your ISP provides you a dedicated (non-changing) public address. There may be a surcharge for this.

You will also need to know if the DSL requires PPPoE (point-to-point protocol over Ethernet). If so, then make sure that your VPN/firewall is able to terminate PPPoE. Otherwise, you'll need to use one of your PCs as the Internet gateway device so it can terminate PPPoE with software provided by the ISP. This gets pretty messy. Your ISP should be able to tell you what firewall/VPN appliances work with their service.

If you want to have multiple machines at each location, make sure your firewall supports Internet connection sharing (ICS). Almost all do, but it's good to check.

Some protocols like IPsec don't traverse NAT well. If you're working with publicly routable addresses for both your VPN devices, you won't have any problems with NAT. On the other hand, if you're working with private addresses that are being NAT'ed by another firewall or by the ISP, you'll need a VPN device that can encapsulate the IPsec inside TCP or UDP to get through the NAT.

One last note: TCP/UDP encapsulation chews up processing power, causing devices to perform 50% slower than with pure IPsec. So, if you need to use TCP/UDP encapsulation, you may want to upgrade the VPN/firewall appliance to one a little more powerful.

Good luck,
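The UDP encapsulation the answer refers to is what was later standardized as IPsec NAT traversal (NAT-T, RFC 3947/3948) on UDP port 4500. As an added example that is not part of the original answer, the Python below decodes what that encapsulation looks like on the wire, which is useful when verifying from a packet capture whether two peers actually fell back to UDP encapsulation rather than native ESP (IP protocol 50). On port 4500, IKE messages are prefixed with a four-byte all-zero "non-ESP marker", UDP-encapsulated ESP starts directly with the ESP header, and a lone 0xFF byte is a NAT-keepalive; the disambiguation works because ESP SPI 0 is reserved. All sample datagrams are constructed for the example, not captured traffic.

```python
"""Decode IPsec NAT traversal (NAT-T) traffic on UDP/4500 as described in
RFC 3948/3947: IKE carries a 4-byte all-zero non-ESP marker, UDP-encapsulated
ESP starts directly with the ESP header, and a lone 0xFF byte is a NAT-keepalive.
The sample packets at the bottom are constructed for this example."""
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: precedes IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948 s2.3: one-byte keepalive
IKE_HEADER_LEN = 28                    # ISAKMP/IKE fixed header length
ESP_HEADER_LEN = 8                     # SPI (4 bytes) + sequence number (4 bytes)


@dataclass
class NatTRecord:
    kind: str                          # "ike", "esp" or "keepalive"
    spi: Optional[int] = None          # ESP SPI, or IKE initiator SPI
    seq: Optional[int] = None          # ESP sequence number
    ike_version: Optional[str] = None  # "1.0" or "2.0"


def classify_udp4500(payload: bytes) -> NatTRecord:
    """Classify one UDP/4500 datagram payload.

    Four leading zero bytes can only be the non-ESP marker in front of IKE,
    because ESP SPI 0 is reserved (RFC 4303) and never appears on the wire."""
    if payload == NAT_KEEPALIVE:
        return NatTRecord(kind="keepalive")
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        # Initiator SPI (8), responder SPI (8), next payload (1), version (1)
        init_spi, _resp_spi, _next_payload, version = struct.unpack("!QQBB", ike[:18])
        return NatTRecord(kind="ike", spi=init_spi,
                          ike_version=f"{version >> 4}.{version & 0x0F}")
    if len(payload) < ESP_HEADER_LEN:
        raise ValueError("too short for UDP-encapsulated ESP")
    spi, seq = struct.unpack("!II", payload[:ESP_HEADER_LEN])
    return NatTRecord(kind="esp", spi=spi, seq=seq)


def summarize(payloads: Iterable[bytes]) -> Dict[str, int]:
    """Count packet kinds. A non-zero 'esp' count means the peers are passing
    data through UDP encapsulation rather than native IP protocol 50."""
    counts: Dict[str, int] = {"ike": 0, "esp": 0, "keepalive": 0}
    for payload in payloads:
        counts[classify_udp4500(payload).kind] += 1
    return counts


# Constructed sample datagrams (not captured traffic).
IKE_SA_INIT = NON_ESP_MARKER + struct.pack(
    "!QQBBBBII",
    0x1122334455667788,  # initiator SPI
    0,                   # responder SPI (still unknown in the first message)
    33,                  # next payload: SA
    0x20,                # IKE version 2.0
    34,                  # exchange type: IKE_SA_INIT
    0x08,                # flags: initiator
    0,                   # message ID
    IKE_HEADER_LEN,      # length (header only; payloads omitted in this sample)
)
ESP_PKT_1 = struct.pack("!II", 0x0000ABCD, 1) + b"\x5a" * 16  # SPI, seq, dummy ciphertext
ESP_PKT_2 = struct.pack("!II", 0x0000ABCD, 2) + b"\xa5" * 16
SAMPLE_PACKETS = [IKE_SA_INIT, ESP_PKT_1, NAT_KEEPALIVE, ESP_PKT_2]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify_udp4500(pkt))
    print(summarize(SAMPLE_PACKETS))
```

In practice you would feed `classify_udp4500` the UDP payloads of port-4500 datagrams from a capture between the two gateways: if you see only IKE on UDP/500 and ESP as IP protocol 50, no NAT is in the path and the appliances are running pure IPsec; if data shows up as `esp` records on UDP/4500, the encapsulation (and its processing overhead noted in the answer) is in effect.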

This was last published in June 2002
