Site-to-Site VPN | How to do it?

chakraps

Member
Feb 14, 2008
108
0
0
I'm at a tiny consulting firm where I've volunteered to help out with a particularly demanding customer. We hit a stage where we need VPN access to their network. Just 2-3 users from our side, and I was expecting 'Remote Access' VPN. But the customer came back asking for our VPN configuration to set up a site-to-site. None of us are network experts. And the customer is insistent on doing site-to-site. I spent half of today researching what our options are:
  1. Set up VPN within our premises and share config details with customer
    1. We have an Asus RT-N66U. Advertises some VPN capabilities. Is it a good place to start?
    2. What is a fast/easy way to try to implement this?
    3. All I need is the counterpart to connect to an existing site
  2. Set up VPN on Amazon AWS and share config details with customer
    1. This gave me the idea -- http://michaelwasham.com/2013/09/03/connecting-clouds-site-to-site-aws-azure/
    2. I have some basic experience bringing up and configuring EC2 instances
Our Constraints:
  1. This needs to be done fairly soon.
  2. We need to pick a solution that is not too complex. One that we can maintain ourselves down the line.
  3. Prefer to try to implement it with what we have. I don't think our usage is going to warrant expensive solutions.
Extra Information:

Details they need from us are (extrapolating what they sent us, their values marked in orange):
  1. Gateway Device = they use McAfee Sidewinder Firewall
  2. Peer IP Address
  3. Protected Network / Subnet Mask
  4. Port and Protocol = 3389
  5. Data Direction = Both
  6. Pre shared key
  7. IKE V1 Exchange Type / Mode = Main Mode
  8. Encapsulation Type = Tunnel
  9. Phase I DH Group = DH Group 2
  10. Hash Algorithms = SHA-1
  11. Phase I Encryption = 3DES
  12. Phase I Life time (seconds) = 86400 (1440 Minutes)
  13. Phase II Encryption = 3DES
  14. Phase II Authentication = SHA1
  15. Phase II Life time (seconds) = 3600
  16. Use PFS = NO
I'd appreciate your insight/advice on things I could do to get this going within our constraints.
 

lif_andi

Member
Apr 15, 2013
173
0
0
Best thing for you to do would be to get a VPN client, some kind of IPsec client, and use it to gain access to their network. No need for site-to-site if it's only you who need access to their network.
 

chakraps

Member
Feb 14, 2008
108
0
0
Best thing for you to do would be to get a VPN client, some kind of IPsec client, and use it to gain access to their network. No need for site-to-site if it's only you who need access to their network.

Could you please suggest VPN/IPsec clients we could use in this case? The connection parameters listed in the first post under Extra Information are what we get from the customer end.

I guess in previous instances all we had to do was punch in gateway address, username and password in a VPN client and it started working. But I assume those were Remote Access connections and what we are dealing with now is slightly different.
 

cubby1223

Lifer
May 24, 2004
13,518
42
86
Having tried various free IPsec clients, they usually don't work; in one case one gave my system a BSOD during install and I had network connectivity issues for some time afterwards, even after the software was uninstalled.

TheGreenBow software has always worked fantastically, but it'll cost you a bit to purchase it.
 

chakraps

Member
Feb 14, 2008
108
0
0
Thank you lif_andi and cubby1223 for opening my eyes to IPsec VPN clients. Browsed through TheGreenBow. Good information on their site. We'll talk to the customer & see if this will be acceptable to them.

In TheGreenBow, I notice configuration deals with IKE and IPsec as expected, but there is also something related to X-Auth requiring username & password. Is it compulsory to have username/password even if we have already provided pre-shared key?

The one point they kept insisting on is they will not issue any username & password (like is needed with common VPN clients).
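
The customer's parameter sheet from the first post, written out as the configuration of the peer gateway. This is an added example, not posted by anyone in the thread; it assumes a Linux gateway running strongSwan (not mentioned in the thread), and every address, subnet and key in it is a placeholder. Authentication is by pre-shared key alone, with no XAUTH username or password.

```conf
# /etc/ipsec.conf (strongSwan, legacy ipsec.conf format). Constructed example.
# Addresses are RFC 5737 documentation ranges; subnets are placeholders.
# Algorithms are copied from the customer's sheet. 3DES, SHA-1 and DH group 2
# are legacy choices; use AES, SHA-2 and a larger DH group if the peer allows.

conn customer-s2s
    # IKE V1, Exchange Type / Mode = Main Mode
    keyexchange=ikev1
    aggressive=no
    # Pre-shared key only (no XAUTH, no certificates)
    authby=secret
    # Encapsulation Type = Tunnel
    type=tunnel
    # Phase I: 3DES, SHA-1, DH Group 2 (modp1024), lifetime 86400 s
    ike=3des-sha1-modp1024!
    ikelifetime=86400s
    # Phase II: 3DES, SHA-1, lifetime 3600 s; no DH group listed = PFS off
    esp=3des-sha1!
    lifetime=3600s
    # Our side: public peer IP and protected network (placeholders)
    left=203.0.113.10
    leftsubnet=192.168.10.0/24
    # Customer side: their peer IP and protected network (placeholders)
    right=198.51.100.20
    rightsubnet=10.20.0.0/24
    auto=start

# /etc/ipsec.secrets carries the key for this pair of peers, for example:
# 203.0.113.10 198.51.100.20 : PSK "REPLACE_WITH_SHARED_KEY"
```

The sheet's "Port and Protocol = 3389" entry is not expressed in this block; as written, the tunnel carries all traffic between the two protected subnets.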
 