VPN Suggestions

stevewm

Senior member
Dec 6, 2001
742
1
0
Let me explain a little first before I get to my question....

I work for a local chain of hardware/home center stores. There are currently 3 stores, with a 4th in the planning stages.

The server (located at Store 1) for the point of sale/inventory/store management system we use requires all the client PCs (WinXP machines running the client software) to have static IP addresses in the 192.168.x.x range.

Store 1 has a 1.5mbps SDSL connection
Store 2 is connected to Store 1 via Frame Relay
Store 3 has a 3mbps fixed wireless connection. It's connected to store 1 via a VPN tunnel between 2 WatchGuard Soho routers.

Store 2 is going to be switched to the same fixed wireless service store 3 has. We'll have to use a VPN tunnel to get connectivity to Store 1. The WatchGuard routers we are using now only support a single VPN tunnel and cannot be upgraded.

When store 4 is finished a VPN tunnel will have to be setup from it to Store 1 as well.

I'm looking to replace EVERYTHING. I'd like to have a "star" setup with Store 1 having the "main" router, with a VPN tunnel going to the router at each store.

Router at Store 1 needs to support at least 5 VPN tunnels. The routers at the satellite stores only need to support a single tunnel. And each router needs to support 25 or more "users" (the WatchGuard routers we have now only support 10 users accessing the external network, which we exceeded long ago; external network access includes the VPN tunnel and internet access. Costs an arm and a leg to upgrade these things to 25 users.)

Anyone care to make some suggestions on what company/manufacturer to look into?
 

wlee

Senior member
Oct 10, 1999
585
0
71
Have a look at the Symantec/Nexland Routers. They work with SDSL and much less $$$ than the Watchguard as there is no per user license fee. You can buy them direct from Nexland or from vendors like CDW.
 

stevewm

Senior member
Dec 6, 2001
742
1
0
Originally posted by: wlee
Have a look at the Symantec/Nexland Routers. They work with SDSL and much less $$$ than the Watchguard as there is no per user license fee. You can buy them direct from Nexland or from vendors like CDW



Thanks for the recommendation. I'll look into it.



Anyone else have some suggestions?
 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
Is the inventory management app the only traffic that will be flying over the VPN, or will other application traffic be traversing it as well?
Will you be using 3DES encryption or no?

Am assuming you want the firewall devices at your stores to terminate the VPN tunnels.
That is, the PCs at each store will not just be using individual VPN Passthrough mode through the firewall devices.

If so, the remote store devices will only need to support 1 peer connection each (with Store 1)
Store 1's VPN termination device will need to support more than 1 simultaneous tunnel (3 simultaneously, once Store 4 opens).

Not sure if the Symantec devices themselves can terminate more than 1 simultaneous peer tunnel (NOT passthrough mode). That would be a showstopper for you at Store 1.

PIX 506 (no user counts) would work nicely for Store 1, altho a bit pricier than the Symantec boxes. PIX 501s then at each remote store (user counts, tho)

Also....good idea to try to stick w/ 1 vendor when dealing with VPN (for those tuning in).
MUCH less chance of interoperability problems that way.
 

stevewm

Senior member
Dec 6, 2001
742
1
0
Originally posted by: TallGeese
Is the inventory management app the only traffic that will be flying over the VPN, or will other application traffic be traversing it as well?
Will you be using 3DES encryption or no?

Am assuming you want the firewall devices at your stores to terminate the VPN tunnels.
That is, the PCs at each store will not just be using individual VPN Passthrough mode through the firewall devices.

If so, the remote store devices will only need to support 1 peer connection each (with Store 1)
Store 1's VPN termination device will need to support more than 1 simultaneous tunnel (3 simultaneously, once Store 4 opens).

Not sure if the Symantec devices themselves can terminate more than 1 simultaneous peer tunnel (NOT passthrough mode). That would be a showstopper for you at Store 1.

PIX 506 (no user counts) would work nicely for Store 1, altho a bit pricier than the Symantec boxes. PIX 501s then at each remote store (user counts, tho)

Also....good idea to try to stick w/ 1 vendor when dealing with VPN (for those tuning in).
MUCH less chance of interoperability problems that way.


POS transactions will be going over it most of the time. There will be a lot of database queries and reports too but the amount of data returned is small. The largest amount of traffic the VPN tunnels at each store would have to handle is the 5MB offline data update that each POS terminal at every store runs every night. And the 15MB update that runs once a month.

The configuration you described is EXACTLY what I'm looking to do.

Good encryption over the VPN tunnel would be a plus, credit card transactions will be going over it.

I looked into the Symantec stuff, IPSec passthrough only.

I'm also aware from experience that it's best to stick with a single vendor when doing VPN, that's why I plan on replacing the routers at each store.

User limits are not so bad as long as each router supports at least 25 users. One of the stores will never have that many terminals. Store 1 has 15 currently, Store 2 has 10, with 2 more planned and Store 3 has 11.

Well I'll look into what Cisco offers but from what I remember Cisco equipment tends to be a bit on the pricey side. Was hoping to spend no more than $300 at each store.

Keep the suggestions coming!
 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
Originally posted by: stevewm
POS transactions will be going over it most of the time. There will be a lot of database queries and reports too but the amount of data returned is small. The largest amount of traffic the VPN tunnels at each store would have to handle is the 5MB offline data update that each POS terminal at every store runs every night. And the 15MB update that runs once a month.
No prob supporting this then, assuming you really mean SMALL for the POS data and queries. Might not hurt to sniff some representative traffic and just run the numbers. You've got a good start on this regardless, and your thinking seems on target.
Good encryption over the VPN tunnel would be a plus, credit card transactions will be going over it.
Just make sure 3DES throughput is still up to snuff for your traffic's bandwidth requirements.
I looked into the Symantec stuff, IPSec passthrough only.
Thought so. VPN Passthrough vs. VPN Termination seems to be one of the primary features separating lower-end from higher-end equipment. It's also a feature that costs $$$.
I'm also aware from experience that its best to stick with a single vendor when doing VPN, thats why I plan on replacing the routers at each store.
Sounded like you did from your original posts. A few of us around here just like to reiterate that point whenever possible with certain technologies (like VPN) to all the folks tuning in.
User limits are not so bad as long as each router supports at least 25 users. One of the stores will never have that many terminals. Store 1 has 15 currently, Store 2 has 10, with 2 more planned and Store 3 has 11.
Definitely an important feature, since it can end up being a thorny "hidden charge" for some folks if they aren't careful.
Well I'll look into what Cisco offers but from what I remember Cisco equipment tends to be a bit on the pricey side. Was hoping to spend no more than $300 at each store.
Might get away with <$300 at remotes, but prolly not at Store 1 for what you want to do.

And you are right, Cisco tends to be a bit pricey. In certain applications, tho, that extra money is well spent, particularly for Cisco's SUPERLATIVE tech support, which can be an absolute lifesaver when configuring a VPN layout like what you describe. My experience at times has shown that lower-priced vendors don't necessarily skimp on the hardware side...they skimp on the support they can/will offer to customers.

All that being said...why not stay with your current Watchguard equipment? That is, unless you hate it or something.
Maybe something like this:

ADD Firebox III 700 at Store 1
ADD Firebox SOHO 6tc at Stores 4
MOVE existing Firebox SOHO from Store 1 to Store 2
LEAVE existing Firebox SOHO at Store 3 (now I am assuming those existing Firebox SOHOs can terminate a VPN tunnel, since you mentioned they are doing that now between Store 1 & 3)

Each SOHO is configured to tunnel with the Firebox 700 at Store 1.
Firebox 700 is configured to tunnel with each SOHO.
You leverage existing hardware (saving $$$).
Still some room to grow on the 700 (you just never know...acquisition, expansion, etc.)
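Tallgeese's advice to "run the numbers" and the star layout sketched in this post, as an added worked example that is not code from the thread or from any vendor: a small Python script that checks each device's tunnel count and user licence against the store sizes posted above and estimates how long the nightly 5 MB per-terminal update would tie up each tunnel and the shared 1.5 Mbps SDSL link at Store 1. The store sizes, link speeds and update size come from the thread; the 10% IPsec framing overhead, the 10-terminal count for Store 4 and the per-device limits (modelled on the existing single-tunnel SOHO|tc boxes) are assumptions.

```python
# Added example, not from the thread or any vendor. Store sizes, link speeds
# and update sizes are the figures posted in the thread; the IPsec overhead,
# the Store 4 terminal count and the device limits are labelled assumptions.
from dataclasses import dataclass
from typing import Optional

MB = 1_000_000            # bytes; the thread uses "MB" loosely
ESP_OVERHEAD_PCT = 10     # assumption: ~10% extra bytes for ESP/3DES-SHA1 tunnel-mode framing


@dataclass
class Store:
    name: str
    terminals: int
    link_mbps: float             # WAN link speed at this store
    device_tunnels: int          # simultaneous tunnels the VPN device can terminate
    device_users: Optional[int]  # licensed "user" count; None means unlimited


def tunnel_bytes(store: Store, update_mb: int = 5) -> int:
    """Bytes the per-terminal update pushes through this store's tunnel,
    including the assumed IPsec overhead (integer arithmetic, no float drift)."""
    payload = store.terminals * update_mb * MB
    return payload * (100 + ESP_OVERHEAD_PCT) // 100


def transfer_seconds(nbytes: int, link_mbps: float) -> float:
    """Wall-clock time to move nbytes over a link, ignoring TCP ramp-up."""
    return nbytes * 8 / (link_mbps * 1_000_000)


def check_plan(hub: Store, spokes: list) -> dict:
    """Check tunnel counts, user licences and the nightly-update load.

    In a star the hub link is the bottleneck: every spoke's update crosses it,
    so the worst case is all spokes running their update at the same time."""
    issues = []
    if hub.device_tunnels < len(spokes):
        issues.append(f"{hub.name}: device terminates {hub.device_tunnels} tunnel(s), needs {len(spokes)}")
    if hub.device_users is not None and hub.terminals > hub.device_users:
        issues.append(f"{hub.name}: {hub.terminals} terminals exceed {hub.device_users}-user licence")
    per_spoke = {}
    for s in spokes:
        if s.device_tunnels < 1:
            issues.append(f"{s.name}: device cannot terminate a tunnel")
        if s.device_users is not None and s.terminals > s.device_users:
            issues.append(f"{s.name}: {s.terminals} terminals exceed {s.device_users}-user licence")
        # a spoke on its own is limited by the slower end of the tunnel
        per_spoke[s.name] = transfer_seconds(tunnel_bytes(s), min(s.link_mbps, hub.link_mbps))
    total = sum(tunnel_bytes(s) for s in spokes)
    return {
        "issues": issues,
        "spoke_update_seconds": per_spoke,
        "hub_worst_case_seconds": transfer_seconds(total, hub.link_mbps),
    }


if __name__ == "__main__":
    # Store 1 modelled with its current single-tunnel, 25-user SOHO|tc as hub;
    # Store 2 = 10 terminals + 2 planned; Store 4's 10 terminals are an assumption.
    hub = Store("Store 1", 15, 1.5, 1, 25)
    spokes = [
        Store("Store 2", 12, 3.0, 1, 25),
        Store("Store 3", 11, 3.0, 1, 10),
        Store("Store 4", 10, 3.0, 1, 25),
    ]
    result = check_plan(hub, spokes)
    for issue in result["issues"]:
        print("ISSUE:", issue)
    for name, secs in result["spoke_update_seconds"].items():
        print(f"{name}: nightly update ~{secs / 60:.1f} min on its own")
    print(f"hub worst case (all spokes at once): ~{result['hub_worst_case_seconds'] / 60:.1f} min")
```

With the thread's figures the script flags the two problems discussed in the posts (the hub device terminating only one tunnel, and Store 3's 10-user key against 11 terminals) and shows the worst-case nightly load on the Store 1 link is on the order of a quarter of an hour, which is why the small transaction traffic is not the sizing concern here. Swapping in a different overhead percentage or a higher-end hub device (more tunnels, no user limit) is a one-line change.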
 

stevewm

Senior member
Dec 6, 2001
742
1
0
ADD Firebox III 700 at Store 1
ADD Firebox SOHO 6tc at Stores 4
MOVE existing Firebox SOHO from Store 1 to Store 2
LEAVE existing Firebox SOHO at Store 3 (now I am assuming those existing Firebox SOHOs can terminate a VPN tunnel, since you mentioned they are doing that now between Store 1 & 3)

Each SOHO is configured to tunnel with the Firebox 700 at Store 1.
Firebox 700 is configured to tunnel with each SOHO.
You leverage existing hardware (saving $$$).
Still some room to grow on the 700 (you just never know...acquisition, expansion, etc.)


The Firebox SOHOs we have now are in fact SOHO|tc's. They will terminate 1 VPN tunnel (5 with a $350 upgrade key).

The SOHO at Store 1 has a 25 user limit (no problem there, only 15 terminals) while the one at Store 3 has a 10 user limit, but there we have 11 terminals; the 11th one cannot be used currently. To upgrade it you must purchase a feature key. $190 is a bit pricey for a damned serial #! I was hired after store 3 was setup with the WatchGuard routers. A local mom&pop ISP set them up. I would never have chosen WatchGuard had I originally setup the store network. The only upside to them is that they already do 128-bit 3DES encryption via a hardware ASIC.

I was hoping to get away from the WatchGuards because of the pricey upgrades and the fact you have to purchase a yearly subscription to their LiveSecurity service to get updates, critical patches, tech support, and to be able to redeem feature/upgrade keys! But from the looks of it other companies are no different.

I'll probably just purchase the additional WatchGuard equipment and just take the upgrade and subscription costs, but more suggestions are welcome.

EDIT: Just finished looking into additional WatchGuard equipment. Firebox 700 is $1,999 and the SOHO|tc boxes with a 10 user license are $479! Add another $190 onto that to get 25 users. That's a bit on the pricey side!
 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
Originally posted by: stevewm
EDIT: Just finished looking into additional WatchGuard equipment. Firebox 700 is $1,999 and the SOHO|tc boxes with a 10 user license are $479! Add another $190 onto that to get 25 users. That's a bit on the pricey side!
MAN! You ain't whistlin, brother. Altho I'm not sure you'll find prices much below that from other vendors (decent vendors, that is). Heck...for that you aren't too far out of the ballpark of entry-level PIXs (if you so desired), especially if you got hold of a hungry rep desperate to close a sale.
 

stevewm

Senior member
Dec 6, 2001
742
1
0
After seeing all the high prices and expensive licensing schemes on "business class" equipment I went out and, on an impulse buy, bought a Linksys BEFVP41. It supports up to 70 VPN endpoints using a hardware co-processor. Also uses the same 3DES encryption the WatchGuards we have now do.

Took our system offline, swapped the Linksys router in replacing one of the WatchGuards. I configured a new tunnel on the Linksys and copied all the settings over. Clicked Connect, and Success! It connected correctly to the WatchGuard at Store 3 on the first try.

So now we have the ability to create 70 VPN tunnels (will never need that many), no additional licensing fees to use all the features, and no user limits! All for $125 instead of $1,999!

The Linksys has performed flawlessly for nearly 2 days now. I'll be using another BEFVP41 as soon as we begin setting up the network in Store 4. I also plan on replacing the 10 user WatchGuard at Store 3 with a BEFVP41.
 

wlee

Senior member
Oct 10, 1999
585
0
71
The BEFVP41 isn't well suited to handle SDSL. They would be fine for the satellite stores. You should get something with a little more power. If you don't like the Symantec boxes (which *DO* terminate the VPN, not just pass-through), then have a look at something like the Zyxel Zywall 10. Zywall 10 from Buy.com

 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
Originally posted by: wlee
the Symantec boxes( which *DO* terminate the VPN, not just pass-through)
You're right...they do support VPN termination. We mixed that up earlier in the thread.
However, the bigger question was whether the lowest-end Symantec units could terminate more than a SINGLE VPN connection simultaneously (remember, he wants to stay with a single vendor). I couldn't find anything that definitively answered "yes" to that question.
 

Tallgeese

Diamond Member
Feb 26, 2001
5,775
0
0
Originally posted by: wlee
You should get something with a little more power.
You do mean "for Store 1," when you say this, correct?
If so, I agree. A Linksys device terminating 3 VPN tunnels? Whew...not sure I would sleep all that well with my VPNs depending on such a device.

That said...the price difference is HARD to ignore!
 

stevewm

Senior member
Dec 6, 2001
742
1
0
Originally posted by: wlee
The BEFVP41 isn't well suited to handle SDSL. They would be fine for the satellite stores. You should get something with a little more power. If you don't like the Symantec boxes (which *DO* terminate the VPN, not just pass-through), then have a look at something like the Zyxel Zywall 10. Zywall 10 from Buy.com

The VPN router itself does not have to handle the DSL line. Our DSL provider provides a 3com DSL modem for this purpose. Our provider gives us a static IP with no PPPoE bullshit. Anything with an uplink/wan port will work with it.

I'm perfectly pleased with the performance of the Linksys so far. Transactions ran all day without a single hitch. As did all the overnight refresh runs. The Linksys is currently only handling a single VPN tunnel; when Store 2 switches to fixed wireless in October it will have to handle 2. Store 4 is still in the planning stages, construction will not start till next spring. And from the looks of it we may be stuck with another slow and expensive ($250/month, for each end) frame relay for store 4. Doesn't look like the phone company is going to have DSL ready in time. (In Southern Indiana high speed connections are a hard thing to find.)

Anything over $600 would have put us over budget. So in the end I really had no choice. No one in the company really knows anything about computers, especially networking. The Operations Manager couldn't justify paying that much for a box "that doesn't really do much but sit there" (his own words). He complained the router was going to cost more than the computer systems we buy. (about $400 more)
 

Santa

Golden Member
Oct 11, 1999
1,168
0
0
Well you did the smart thing and researched options and brought to the table the good players such as Cisco and let your manager decide from that point on.

Then you came up with an alternative which is much cheaper.

I would agree with TallGeese that it would be hard for me to sleep knowing a Linksys router was terminating a VPN tunnel and or SDSL line (which it is since it is the device directly connected to the NBR) but sometimes saving money may bring you better toys in the future.

Watch the traffic and reliability like a hawk because sometimes Linksys are known to have network hiccups and drop connectivity and this is why they are usually seen by professionals as home/consumer routers only.

Remember to note that comparing computers and networking gear is like comparing apples to oranges. Ask him if one computer goes dead does that whole branch office cease to function? Easy to show that a device responsible for interoffice communication is more important than one lonely computer.
 

stevewm

Senior member
Dec 6, 2001
742
1
0
I've been watching everything closely. So far it's working great. Not a single hiccup yet.

In the end the manager had to decide what to purchase. He is the one who authorizes such purchases. I tried everything to get him to get the additional WatchGuard equipment.

I was well aware Linksys is considered a home/consumer level company.

It's better than having no VPN router at all!



I'm still searching for suggestions on inexpensive VPN equipment. So if anyone has any suggestions on a VPN endpoint router supporting at least 5 VPN tunnels for under $500, by all means post it here.


 

L3Guy

Senior member
Apr 19, 2001
282
0
0
Look at the Netscreen. It's about $450 (for the smallest one) and handles 10 VPN tunnels.
Unfortunately, not much experience with them yet.

HTH

Doug

I hate when I forget to spellcheck something.
 