
Simplified site-to-site VPN with Peplink

Derek Schauland demonstrates how the Peplink and Pepwave bonding routers that he's previously reviewed can be configured to allow site-to-site and IPsec VPN connections.

VPN connections are a requirement of doing business, but many devices for creating these connections require a significant investment in time and knowledge. In previous posts, I looked at two bonding routers, the Peplink Balance 380 and the Pepwave 700 Max, covering their link aggregation features. Being able to use more than one Internet connection, both within an organization and from a mobile location, is a great way to improve availability and connectivity.

Peplinks do VPN, too

In working with the link aggregation features, I found some additional features for creating VPN connections on both the Balance 380 and the Pepwave Max. These devices can be configured for the following types of VPN connection:

  • Site to Site: a connection between two Peplink routers, using the configured external IP address of each device and the serial number to ensure the link.
  • IPsec VPN: a connection to a software VPN client or non-Peplink VPN device (like a Cisco ASA).

IPsec isn't anything fancy

IPsec VPN connections from Peplink to other devices are pretty standard. The connection is aware of one interface and can only make use of the interface it knows about -- just like a VPN between two Cisco ASA devices. The web interface, shown partially in Figure A, is nice, but that is the only thing that stood out when researching the device(s).

Figure A: IPsec VPN configuration

Site-to-site

The site-to-site VPN connection is where the Peplink really stands out. These connections are extremely straightforward to set up; Figure B shows the Pepwave site-to-site configuration screen.

Figure B: Configuring a site-to-site VPN

Once the site-to-site connection is configured, the VPN part is complete and it behaves much like the IPsec type of VPN. Traffic is encrypted between the devices and access is available across the VPN. Where this type of VPN really becomes worthwhile is that the devices on both ends of the pipe can support multiple WAN connections, so the VPN can use any available Internet link on either end for its connection.

There are caveats: the VPN throughput limits are lower than the WAN link capabilities, but even with these limitations, link failover is a pretty nice thing to have. The table below outlines the Internet throughput and VPN throughput capabilities of the Pepwave Max 700 and the Peplink Balance 380 used in my blog posts.

Device | Internet Throughput Allowed | VPN Throughput Allowed
Balance 380 | 170 Mbps | 60 Mbps
Max 700 | Variable depending on connections | Variable depending on connections

Bottom Line

Using site-to-site VPNs between these devices can provide options if an organization or its users are considering adding multiple Internet connections. Failover between multiple connections, which keeps a VPN connection to the office alive with little or no interruption to the user, is really something to consider depending on the connectivity needs of the user. Because the devices can aggregate low- to moderate-cost Internet connections, it isn't something that will break the bank for anyone involved.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

1 comments
njcsamuels

I'm looking for information regarding the aggressive mode option on IPsec. I'm hoping I could set up a connection for a home user with a dynamic IP. What would be required to do this? The Peplink itself can do everything our normal firewall can. It adds functionality of WAN failover with internal DNS updates. I haven't seen this feature in most other devices.