Posted: 1/20/2017 1:04:40 PM EDT
Trying to set up a VPN for one of my work divisions in the UK to access servers here.
After going back and forth with the UK and our vendor who was going to provide a VPN router, I find out our UK division is using an RJ11 connector (ADSL connection), so the VPN router is out. I was told by our vendor that firewall-to-firewall is problematic internationally; does this sound correct? Anyone have any other ideas?
Quoted:
I was told by our vendor that firewall-to-firewall is problematic internationally; does this sound correct? Anyone have any other ideas?

It could be, depending on latency. By "firewall to firewall" I assume you are talking about an IPsec tunnel, right? What equipment are you using? Cisco? Juniper?
No, I do it all the time. They need a static IP on the DSL, and they need a modem only, or set the router in pass-through mode, so you can bind the public IP to your VPN endpoint.
Edit: By that I mean your VPN router sits behind your DSL equipment. If you have a NAT router in front of your VPN router, you will have issues.
Quoted:
It could be, depending on latency. By "firewall to firewall" I assume you are talking about an IPsec tunnel, right? What equipment are you using? Cisco? Juniper?

I'm going to assume they meant IPsec, yes. Would the latency issues be compounded by the fact that they are on a 50 Mb down ADSL/VDSL connection? I was under the impression that this division just got a fiber connection, so I can't understand how/why they are still using RJ11. I guess the fiber connection they set up was not all the way to the facility. Equipment, I'm unsure; the firewall for our MPLS is elsewhere. I'm trying to do some additional research, as my IT resource is stumped on this one.
Quoted:
Trying to set up a VPN for one of my work divisions in the UK to access servers here. After going back and forth with the UK and our vendor who was going to provide a VPN router, I find out our UK division is using an RJ11 connector (ADSL connection), so the VPN router is out. I was told by our vendor that firewall-to-firewall is problematic internationally; does this sound correct? Anyone have any other ideas?

Sounds like others have it covered. Your vendor is incorrect, and you have several ways to establish an IPsec tunnel terminating on a network device, either here in the US or on devices running in AWS, for example. As long as network traffic is flowing, you can establish a tunnel from an appliance, a firewall for example. I set them up all over the world, including in China and Russia over shitty links, including sats, and have no problems.
Quoted:
No, I do it all the time. They need a static IP on the DSL, and they need a modem only, or set the router in pass-through mode, so you can bind the public IP to your VPN endpoint. Edit: By that I mean your VPN router sits behind your DSL equipment. If you have a NAT router in front of your VPN router, you will have issues.

I suggested the VPN router being placed after the ADSL router but was told we'd have issues. I guess ADSL requires "dial-up"? Is pass-through essentially bridge mode? So from the wall: DSL equipment, VPN router, NAT router? Learning this on the fly, so forgive me.
Quoted:
I'm going to assume they meant IPsec, yes. Would the latency issues be compounded by the fact that they are on a 50 Mb down ADSL/VDSL connection? I was under the impression that this division just got a fiber connection, so I can't understand how/why they are still using RJ11. I guess the fiber connection they set up was not all the way to the facility. Equipment, I'm unsure; the firewall for our MPLS is elsewhere. I'm trying to do some additional research, as my IT resource is stumped on this one.

If it's business-critical you could take a look at WAN opt solutions; I use Riverbed's on shittier links and get good results. Obviously dedupe requires traffic to hit the WAN opt prior to being encrypted (generally). What you put in the link matters: is it latency-sensitive, will it tolerate a lower MTU from being in a tunnel? Some stuff doesn't tolerate being fragmented or flips a DF bit, which causes problems. Stream video, no; transfer EDI data or something, sure.
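The lower-MTU and DF-bit point above is easy to quantify. The following is an added example, not code from anyone in this thread: it works out how much an IPsec ESP tunnel (tunnel mode, IPv4) adds to each packet, the largest inner packet that still fits a 1500-byte link, the TCP MSS clamp that avoids fragmentation, and what happens to a full-size packet with DF set. The cipher-suite sizes are standard ESP values; the suite names and the `nat_t` option are this script's own labels, not any vendor's configuration keywords.

```python
# Added example (not from the thread): estimate IPsec ESP tunnel-mode overhead,
# the largest inner packet that fits a given link MTU, and the TCP MSS clamp
# that sidesteps the fragmentation / DF-bit problems discussed above.
# Header sizes are standard ESP/IPv4 values; suite names are labels of this
# script's own choosing, not vendor configuration keywords.

IPV4_HEADER = 20          # outer IPv4 header added by tunnel mode
ESP_HEADER = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2           # pad-length (1) + next-header (1)
NAT_T_UDP = 8             # UDP header added when NAT traversal (UDP 4500) is in use
TCP_IP_HEADERS = 40       # inner IPv4 (20) + TCP (20), no options

# (IV length, padding alignment, ICV length) per suite
SUITES = {
    "aes-cbc-hmac-sha1": (16, 16, 12),   # AES-CBC IV, 16-byte block, SHA1-96 ICV
    "aes-gcm-128":       (8, 4, 16),     # 8-byte IV, 4-byte alignment, 16-byte ICV
}


def esp_tunnel_length(inner_len: int, suite: str, nat_t: bool = False) -> int:
    """Size of the outer packet carrying one inner IPv4 packet of inner_len bytes."""
    iv, align, icv = SUITES[suite]
    # Padding brings (inner packet + trailer) up to the cipher's alignment.
    pad = (-(inner_len + ESP_TRAILER)) % align
    total = IPV4_HEADER + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv
    if nat_t:
        total += NAT_T_UDP
    return total


def max_inner_packet(link_mtu: int, suite: str, nat_t: bool = False) -> int:
    """Largest inner packet whose encrypted form still fits the link MTU."""
    for inner in range(link_mtu, 0, -1):
        if esp_tunnel_length(inner, suite, nat_t) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any ESP packet")


def tcp_mss_clamp(link_mtu: int, suite: str, nat_t: bool = False) -> int:
    """TCP MSS to clamp to so no segment ever needs fragmentation inside the tunnel."""
    return max_inner_packet(link_mtu, suite, nat_t) - TCP_IP_HEADERS


def packet_fate(inner_len: int, link_mtu: int, suite: str,
                nat_t: bool = False, df: bool = False) -> str:
    """Fate of one inner packet: fits, gets fragmented, or is dropped because DF is set."""
    if esp_tunnel_length(inner_len, suite, nat_t) <= link_mtu:
        return "fits"
    if df:
        # Gateways copy DF to the outer header: the packet is dropped and an
        # ICMP Fragmentation Needed is sent back, which PMTUD relies on.
        return "dropped: DF set and outer packet exceeds link MTU"
    return "fragmented: outer packet is split and reassembled at the far gateway"


if __name__ == "__main__":
    for suite in SUITES:
        for nat_t in (False, True):
            mtu = max_inner_packet(1500, suite, nat_t)
            mss = tcp_mss_clamp(1500, suite, nat_t)
            print(f"{suite:18} nat_t={nat_t!s:5} inner MTU {mtu}  MSS clamp {mss}")
    # A full-size 1500-byte inner packet with DF set, which most hosts send by default:
    print(packet_fate(1500, 1500, "aes-cbc-hmac-sha1", df=True))
```

On a plain 1500-byte link with AES-CBC/SHA1 this gives an inner MTU of 1438 and an MSS clamp of 1398, and 16 bytes less again once NAT traversal adds its UDP header; that is why a 1400-byte MSS clamp on the tunnel interface is a common fix when a site behind an ADSL router "almost works" but large transfers stall.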
I prefer using Cisco AnyConnect clients + 2-factor or VDI. Works great from Russia, China, etc., and you don't have to mess with client-side hardware, firewall rules, people who don't know what cable to plug in... all in a different timezone with various levels of English proficiency.
Quoted:
I prefer using Cisco AnyConnect clients + 2-factor or VDI. Works great from Russia, China, etc., and you don't have to mess with client-side hardware, firewall rules, people who don't know what cable to plug in... all in a different timezone with various levels of English proficiency.

Most of mine are also routing phone traffic through the tunnel between PBXs anymore, so I am usually required to deal with the great local help there.
I even label the hardware I send out and send pics of it in place at my office during testing. Somehow, they find a way to mess it up.
Quoted:
I prefer using Cisco AnyConnect clients + 2-factor or VDI. Works great from Russia, China, etc., and you don't have to mess with client-side hardware, firewall rules, people who don't know what cable to plug in... all in a different timezone with various levels of English proficiency.

Forwarded this to my IT as well, thanks for the rec.
Alright, it looks like you are getting good advice from others.
The ADSL is not ideal, but should work. You still might want to check latency on a trans-Atlantic connection, though. As someone else mentioned, you should use statics on both ends. You can do dynamic, but it is a hassle and introduces several points of failure.