Question

Locked

vpn over adsl

By silceski ·
hi
we have vpn network based on ipsec and cisco routers through dsl lines.
because of big cast of dsl lines, we want to replace branche office to use adsl lines, only head office to use dsl line.
adsl is with dynamic ip, dsl with static ip.
config is:
BRANCHn -- adsl modem -- internet -- ISP -- HQ
does anyone have solution for this???
BR

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

vpn over adsl

by martin.duffy In reply to vpn over adsl

Hi,

Have considerd turning your brach office into dial in client(VPN). Most newish ADSL modems come with a VPN section both client and server.

If not a lot of the older ADSL modems have upgrade paths where you can update firmware and do the same that way usual 99 bucks or something and in some of the cases the interface is exactly like being in EN mode on a cisco box.

So to sumarise your head office is static so this should become your contact point, and should recive and not initate connections. Your client/branch sites should initate the connection inward to head office and establish network to network VPN via your ADSL modem.

If the upgrade path does not work or your ADSL modem doesn't support VPN type thing you could look to do something like creating a really random weird rule for a ridiculously high port have the clients hit that and when you see the barred IP in the log upload a new config with allow VPN in. This has several drawbacks not just in f some probes your head office they could get allowed in. Not a great soloution but one that would work, otherwise you could have a process that does a tracroute from one of the clients in the brach office and mail the ouput to you that way you cath the external interface and you then modify the rules at head office. This will be cumbersome prone to error and pain in the backside.

So in closing I would go with seeing if the ADSL modems on brach sites ccan support a VPN connection and "dial out over IP", if they can't defacto upgrade firmware or get something that can dreyteck are a ADSL modem I have seen that do this but there are bound to be loads that do. I only included the other to show where there is a will there is always a way :-p.

Good luck and let us know how you get on.

M

Collapse -

Another option is to

by Dumphrey In reply to vpn over adsl

make sure you use soe of the newer cisco small office integrated gear in the brach office that will support dynamic dns, and replace ip addresses with dns names in you permanent vpn set up.

Collapse -

Try something like this

by NetMan1958 In reply to vpn over adsl

on your HQ router:

crypto ipsec transform-set standard esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set standard
!
crypto map mymap 150 ipsec-isakmp dynamic dynmap
!
crypto isakmp key yourkey address 0.0.0.0 0.0.0.0
!
interface Ethernet1
crypto map mymap

Of course you can use 3DES and SHA if you prefer as long as the routers at the branches use the same and replace yourkey with the actual key.

Collapse -

tunnel

by silceski In reply to Try something like this

hi,
there is some new moment about this problem.
i need control over PC in branch offices,
if i use solution in your post,
the i can not have remote control over PC's.
so i thing that the best solution is to create tunnel from branch to HQ, the to the tunnel to use ipsec.
something like this (only tunnel)
HQ router:
interface Tunnel 0
ip address z.x.c.v a.s.d.f
tunnel source Serial 0
tunnel destination branch1.com
interface Serial 0
ip address p.o.i.u q.w.e.r
where:
p.o.i.u q.w.e.r - dedicated by ISP
z.x.c.v a.s.d.f - private IP
branch1.com.mk - dynamic DNS

this (probably) will work only if i use adsl modem, not sure if i use adsl router. because if i use modem, cisco router in branch will be configure for PPPoE, thats mean that the cisco router will take dinamic IP.

what you think about this???

BR

Collapse -

Tunnel

by NetMan1958 In reply to tunnel

I don't have your complete config so I don't know if there is more configured than I see. Based on what I see, you aren't encrypting the traffic going over the tunnel. Also, since you are using "tunnel destination branch1.com" you will have to have some way of updating your DNS records when the ip address for the branch1 router changes. Here is a link to a tunnel config using encryption:
http://www.ciscoblog.com/archives/2006/08/vpn_virtual_tun.html

That said, you can use the dynmap config I suggested or the tunnel config and either way, once the tunnel/vpn is established you will be able to connect to PC's in the branch office. With my method, the branch office router has to initiate the vpn and then you can schedule a recurring job on one of the computers at the branch office to send some kind of traffic (such as a ping) to an ip address at the HQ in order o keep the tunnel up.

Back to Networks Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums