Designing a site-to-site virtual private network becomes more complex as the number of sites grows, particularly if some of those sites are in another country. Yet when budgets get lean, VPN becomes increasingly attractive compared to more secure, yet more expensive, point-to-point alternatives.

In response to our recent article, “Dealing with the growing pains of site-to-site VPN,” TechRepublic member Subash wrote to us asking for more information about international VPN schemes.

Subash is a network administrator for a company in Dubai, United Arab Emirates, and in this week’s From the Trenches, we’ll look at the challenge he faces in setting up an international VPN, as seen through the eyes of TechRepublic’s Lori Hyde.

Hub and spoke and a wheel of fortune
Hyde is TechRepublic’s systems administrator who oversees routing and LAN/WAN issues. In the earlier article, she described the trials and tribulations we have encountered connecting our hub-and-spoke VPN to our corporate parent, CNET.

Subash was interested in the earlier article because he has to design a VPN solution for his company, which includes offices in North America, Europe, and “the rest of the world.” In practice, that means he needs to implement a VPN between his home office and 15 other countries, with a wide range of Internet connection quality and a lack of static, public IP addresses.

Right now, he is getting ping times between 300 and 350 ms between Dubai and the United States.

Subash asked the following questions:

  • With all the hype about VPN, how mature is the technology?
  • Is VPN appropriate for multilocation companies like his without having point-to-point connections or a single ISP or carrier?
  • Is there a minimum or recommended bandwidth to the Internet for VPN?
  • What is a good design for site-to-site VPN? Hub to spoke? Spoke to spoke? A combination of the two?

The answers, please
A lot of bugs have been worked out of Cisco’s new Internetworking Operating System (IOS) levels in the past six months, Hyde said, reflecting the general state of VPN.

“Over the past year, it’s gone from something I wouldn’t recommend, unless you want lots of gray hair and sleepless nights, to something that I think can be reliably implemented,” she said of Cisco’s site-to-site VPN.

“We at CNET currently have VPNs all over the United States, Europe, and Australia. We’re now getting ready to implement VPN to China and other Asian countries,” said Hyde.

However, Hyde cautioned that when you’re designing an international VPN, the quality of your ISP connections becomes the constraining factor. You need to look at the following:

  • Reliability
  • Router hops
  • Latency

If you can choose your ISP, she said, then look for a Tier 1 ISP because they typically offer better service, bigger backbone pipes, and fewer router hops.

Ideally, you’d prefer a single carrier, but “in the real world, it isn’t going to happen. You’re not going to have just one carrier, and when going from country to country, that’s going to become more of an issue,” Hyde said.

Your first task is to characterize your current connections over a period of time, then look at the highs and lows along with the average transmission speeds.

“If you can maintain around 250 ms or less, site to site, you’re going to be okay,” she said. “If you get 300 ms plus, then you are going to have problems.”

At that point, you need to evaluate your ISP and find where the latency is being introduced. If you can’t get better than 300 ms, you need to consider using Cisco VPN Concentrators (or comparable equipment from another vendor) on either end of the lagging stretch of the connection.
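As an added illustration of the “characterize your connections, then compare against the 250 ms and 300 ms marks” advice (this is example code, not from the article or from Hyde), the script below parses ping output collected per leg, records the lows, highs and average, and flags legs that fall into the marginal or problem band. The ping samples and leg names are constructed; the addresses are documentation ranges, not real hosts.

```python
import re
import statistics

# Constructed ping output for two of Subash's legs (documentation addresses,
# not real hosts). In practice you would collect probes over days, not four.
SAMPLES = {
    "dubai-to-us": """\
64 bytes from 203.0.113.10: icmp_seq=1 ttl=49 time=305 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=49 time=348 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=49 time=322 ms
64 bytes from 203.0.113.10: icmp_seq=4 ttl=49 time=341 ms
""",
    "dubai-to-eu": """\
64 bytes from 198.51.100.7: icmp_seq=1 ttl=53 time=188 ms
64 bytes from 198.51.100.7: icmp_seq=2 ttl=53 time=231 ms
64 bytes from 198.51.100.7: icmp_seq=3 ttl=53 time=204 ms
64 bytes from 198.51.100.7: icmp_seq=4 ttl=53 time=196 ms
""",
}

OK_MS = 250.0       # "around 250 ms or less, site to site, you're going to be okay"
PROBLEM_MS = 300.0  # "300 ms plus, then you are going to have problems"

_RTT = re.compile(r"time=([\d.]+) ms")

def parse_rtts(ping_output):
    """Pull every round-trip time (ms) out of a block of ping output."""
    return [float(m) for m in _RTT.findall(ping_output)]

def characterize(rtts):
    """Lows, highs and the average, as the article recommends recording."""
    if not rtts:
        raise ValueError("no RTT samples")
    return {"low": min(rtts), "high": max(rtts), "avg": statistics.mean(rtts)}

def classify(summary):
    """Map the average RTT onto the 250 ms / 300 ms guidance."""
    if summary["avg"] <= OK_MS:
        return "ok"
    if summary["avg"] < PROBLEM_MS:
        return "marginal"   # watch this leg; ask the ISP where the delay enters
    return "problem"        # candidate for concentrators on both ends of the leg

def report(samples):
    """Per-leg summary and verdict for a dict of {leg_name: ping_output}."""
    result = {}
    for leg, output in samples.items():
        summary = characterize(parse_rtts(output))
        result[leg] = (summary, classify(summary))
    return result
```

With the constructed samples, the Dubai-to-US leg averages 329 ms and is flagged as a problem, while the Dubai-to-Europe leg averages about 205 ms and passes.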

Concentrators are very fast and reliable, Hyde said, but they increase the cost of the project because they don’t do routing; they only do VPN.

While speed helps make a VPN connection work well, there is no minimum recommended bandwidth, she said. You should look at the following:

  • Number of users
  • Types of applications
  • Projected traffic
  • Encryption overhead

Another ISP consideration is that VPN requires a static IP address at each end of the connection. If your ISP can’t provide that, she said, you really need to look at another ISP or negotiate seriously with the one you have.

Making a plan
When designing a site-to-site VPN, it’s helpful to look at the hub-and-spoke analogy. Typically, the hub will be where the most resources are located (such as a corporate or regional headquarters).

Meanwhile, the simplest design for a site-to-site VPN doesn’t even use the hub part of the analogy; it is simply a spoke-to-spoke design. In practice, you can have a couple of spoke-to-spoke connections, perhaps with all of the spokes emanating from one location.

Realistically, however, when you add more than one spoke, you often need the locations at the end of multiple spokes to speak to each other. This is accomplished by using the home office as a hub.

The hub allows all the spokes to use the resources at the main office and also routes traffic to different spokes while maintaining a central control point for maintenance issues.

If there are only a few spokes in the entire VPN, the hub can be set up to use IPSec with static routes. Because static routes have to be changed by hand, maintaining the routing tables becomes harder as the VPN grows.

Multiple-spoke VPNs should use IPSec with dynamic routing via GRE tunnels (Generic Routing Encapsulation tunnels, which pass dynamic routing information). This way, the routing tables are updated automatically whenever the topology changes.

If the distance between your home office hub and the other countries is large, and you also have regional offices with satellite offices nearby, you may want to use a modified hub-and-spoke design. With this type of design, you have a main hub at the home office, and then you have a link to smaller hub sites. Each hub site can then have its own spoke connections.

Subash, who has 15 countries to cover, could arrange to have a main hub, two minor hubs, and four spokes with each of the hubs. Administering each hub with four spokes would be easier and more efficient. And, with shorter spokes, the ping times should be shorter.

The next question in the design is whether your VPN will have fail-over protection through a mesh or partial mesh design. In a mesh design, every spoke has at least two connections, possibly from two separate ISPs. That way, if there is an ISP or router failure on one line, the traffic is transferred to another line.

In a partial mesh design, the extra connections are made between the most important points. In Subash’s case, he might double up on the connections between his hubs so all of them are connected in a big triangle. Even if both links went down between two points, there might still be a way for everyone to remain connected via the remaining legs of the triangle.
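To make the hub-triangle argument concrete, here is an added example (not from the article) that builds the three-hub, twelve-spoke layout suggested for Subash as a link list and checks which sites lose their path to the main hub when named links fail. Hub and spoke names, link identifiers and the doubling of hub-to-hub links are constructed assumptions.

```python
from collections import defaultdict, deque

def build_topology(hubs, spokes_per_hub, hub_mesh=True, double=True):
    """Build the modified hub-and-spoke design as a list of links.

    hubs[0] is the main hub; each hub gets spokes_per_hub single-homed spokes.
    hub_mesh=True fully meshes the hubs (the 'big triangle' for three hubs),
    otherwise minor hubs link only to the main hub. double=True adds a second
    link on every hub-to-hub path (say, via a second ISP).
    Returns (sites, links); each link is (link_id, end_a, end_b)."""
    sites, links = list(hubs), []
    for hub in hubs:
        for i in range(1, spokes_per_hub + 1):
            spoke = f"{hub}-spoke{i}"
            sites.append(spoke)
            links.append((f"{hub}>{spoke}", hub, spoke))
    pairs = ([(a, b) for i, a in enumerate(hubs) for b in hubs[i + 1:]]
             if hub_mesh else [(hubs[0], h) for h in hubs[1:]])
    for a, b in pairs:
        links.append((f"{a}<>{b}#1", a, b))
        if double:
            links.append((f"{a}<>{b}#2", a, b))
    return sites, links

def reachable(links, start, failed=frozenset()):
    """Breadth-first search from start over the links that have not failed."""
    adj = defaultdict(set)
    for link_id, a, b in links:
        if link_id not in failed:
            adj[a].add(b)
            adj[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def isolated_after(sites, links, main_hub, failed):
    """Sites that can no longer reach the main hub once the named links fail."""
    return sorted(set(sites) - reachable(links, main_hub, set(failed)))

# Constructed layout: Dubai as main hub, two regional hubs, four spokes each.
HUBS = ["dubai", "us-hub", "eu-hub"]
SITES, LINKS = build_topology(HUBS, 4)            # 15 sites, 18 links
BOTH_DUBAI_US = {"dubai<>us-hub#1", "dubai<>us-hub#2"}
```

With the triangle in place, losing both Dubai-to-US links isolates nobody, because the US hub and its spokes are still reached through the European hub; in a plain hub-and-spoke layout the same failure cuts off the US hub and all four of its spokes, and a single-homed spoke is always cut off when its one link fails.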

Getting the most out of your site-to-site VPN takes some planning, but most problems can be minimized or eliminated when you consider all the design options in the hub-and-spoke scheme.