
Expanding VPN overseas


NETING (IS-IT--Management, joined Jan 13, 2004, 37 messages, US)
I am a newbie who finds himself in the FIRE of a new position as Network Engineer. We have three offices that interconnect (WAN) with each other via IPSEC VPN tunnels established at the firewall level. The firewalls at all three sites are Nokia IP330's running Checkpoint NG AI. This solution has been working great for us here in the United States.
The company now wants to bring in the United Kingdom office, as well as our Hong Kong office, as part of our WAN. My question is what solution would be the most logical (point-to-point VPN, Frame Relay, ATM) for expanding our WAN across the ocean with good performance yet at a reasonable price? We did set up a tunnel (not a point-to-point) between our office here in New York (Nokia IP330 running Checkpoint NG) and our office in the UK (Symantec 200R) and the performance was not that great. Am I correct in thinking that setting up a point-to-point is one of our top options? Thanks in advance for all your help, as I really do greatly appreciate it in this time of stress.

NetIng
 
First thing...
Verify the product(s) you want to use are not on the restricted export list.

Rick Harris
SC Dept of Motor Vehicles
Network Operations
 
Site-to-site VPN should be the first option... least costly solution. You should never use different hardware for VPN; it causes difficulties in setup and performance (as you have seen).
Get everyone on the same firewall/VPN appliance (and same software revision too!) and you will only see a performance hit if the traffic reaches your maximum bandwidth. (Of course you cannot violate export restrictions, so have the local offices buy local versions of the same model.)

Alex
 
I disagree with the compatibility worries stated above; I have configured many VPNs from multiple hardware vendors, Cisco, Nortel, Linksys, Draytek, Checkpoint to name a few. As long as the IPSec parameters are configured correctly you will have no problems, and this allows you greater flexibility in choosing hardware for remote sites (there is little need in buying an IP440 for a remote office with 5 people in it!). VPN response times vary a lot, but as long as the applications can handle long latency it is by far the cheaper and most scalable option for you.
 
I was not clear in my previous post: it is much easier to configure a Symantec 200R, Velociraptor, and SGS to VPN than when using a mix of different manufacturers. Pick one company but choose an appliance sized for each location... they usually have similar software and treat the AES/3DES encryption the same. This means you save time setting up (and standardization is a good thing).

Alex
 
A little note that is not technical: if Hong Kong has the same rules as the rest of China, don't send the VPN boxes to your office. Buy them in China.
We are going to open an office in China in a few months and we got that advice from our people that are already in China.

About connecting different types of VPN boxes: I have to agree with the statement about not mixing too much different hardware/software.
We mostly use SonicWall for VPN, but we still have around 15 SEFs. We have had big problems in connecting to customers that use Cisco PIX and Cisco VPN boxes. Got it to work on SEF but are still trying on SonicWall.

If I had the money for it I would change all of our 120 firewalls to Nokia.

/johnny
 
Thank you all for your responses. All responses are being taken into consideration.

We currently have a VPN connection to our 2 sites in the UK. Through our testing we have found, believe it or not, that the performance from our Nokia to Nokia boxes is more stable and flexible as far as management than the scenario of having a different vendor on one end than the other ***at least when going overseas***.

OK... I am sticking to the same vendor as we are moving to globalize our company, and from a management perspective it will be easier. The core of my question still remains. It is to find out if it would be feasible to go with a site-to-site (tunnel) with a T1 on one end and an E1 in the UK on the other end, as opposed to a point-to-point or dedicated line as some would call it, across the Atlantic. And does the same hold true for Hong Kong (site-to-site or private leased line... point-to-point...)?

I am definitely making progress with all of your help...
NetIng
 
It is cheaper to VPN site-to-site than to rent dedicated lines and the technology is almost the same. The only difference is who does the tunneling...they don't string a fibre cable across just for you.

I have three stateside, one Germany, one France, and one Taiwan location all VPN'd together using Symantec 200R, Velociraptor, and SGS depending on the office size. The only reported error has been bandwidth limit at the primary site (where the SGS has four constant site-to-site VPN tunnels, thirty remote clients, a hundred or so LAN users and two intermittent site-to-sites) can cause slow traffic.

Alex
 
AlexIT... So what have you done to take care of the slowdown in traffic? This sounds like an issue we may run into.
 
Make sure you have sufficient bandwidth at the primary location. In our case the problem was resolved by changing from an asynch to a synchronous connection and increasing to 2Mb cable at this location. The other sites remain asynch at 2Mb down/768kb up. We also are doing database synch at off-peak, and the connections work periodically for X.400 connections between mail servers and the forest/tree Windows issues. The other issue was file transfer, but with time differences this only pops up for two hours twice a day or so. Plan for a file location where you can place the needed info and only allow users to upload there instead of across the VPN. If you make a public folder in Exchange and have the users post files for transfer there, this area can be synched between servers at off-peak times. Most of the time the "need it right away" can still wait until the next morning. One really important item: when I send a big attachment to 10 people via SMTP it actually goes out 10x, but the same attachment to 10 people via X.400 only goes once! You sometimes find a big bandwidth savings just by getting the Exchange servers talking...

Alex
 
Hey AlexIT

At the primary site, which is our datacenter, we have two T1 lines (3 Mb). I think that should do.
 