
VPN between sites

  • 25-11-2008 5:14pm
    #1
    Registered Users Posts: 3,441 ✭✭✭


    I have 2 sites that want a vpn between them for voice and an application
    They want to share data between the sites and also be able to transfer calls between the sites.
    At the moment both sites are using the same ip address range of 10.10.10.1 to 10.10.10.254.
    Both sites have their own win2K3 dc's, exchange servers and their local site software servers (running a site specific application), I would like site 1 to be able to access site 2's software server and site 2 to be able to access site 1's. The app on the software server runs via a web page.

    First off I assume the ip's need to be changed in 1 of the sites?
    I was looking at getting a 2mb BIP for between the sites - any other options?

    Thanks
    James


Comments

  • Registered Users Posts: 3,284 ✭✭✭dubhthach


    What sorta firewall system you using for your VPN? As for changing ip addresses, generally on similar systems I've seen it can be best to go with two different subnet ranges for each location.

    You could always use the same range and have them divided into /25 subnets but I find it better to have them as separate subnets just from point of view that allows you room to grow -- /25 is only 126 addresses after all.

    As long as the right access rules are set up then there shouldn't be any issues with accessing server on one subnet from another.

    I know with a previous employee that we had our Active Directory domain segmented over a VPN with DC in one location and a backup dc in secondary location.


  • Registered Users Posts: 3,441 ✭✭✭jamesd


    I want to keep the 2 AD's separate.
    I will need to keep 256 addresses on both of the sites due to the volume of equipment on the sites.
    I have no hardware choice made on the vpn boxes as yet - looking for suggestions.


  • Registered Users Posts: 3,284 ✭✭✭dubhthach


    jamesd wrote: »
    I want to keep the 2 AD's separate.
    I will need to keep 256 addresses on both of the sites due to the volume of equipment on the sites.
    I have no hardware choice made on the vpn boxes as yet - looking for suggestions.

    In which case ye only choice is to change the subnet in one location. The only stuff I've used for VPN is Cisco Pix/ASA. I know they've discontinued the Pix range. Still ASA's aren't that bad price wise. I know that in my current workplace we got our ASA5510 for about 1,300 euro (including 3 year support). There's a cheaper ASA5505 model as well. Currently we don't do site to site vpn with the 5510, just got standard client vpn access for the couple people who need to connect remotely etc.


  • Registered Users Posts: 2,534 ✭✭✭FruitLover


    If it's possible to change one of the network ranges, I'd do that. Otherwise you'll have to get into some fairly hairy NAT-ing. I wouldn't go getting ASAs for two small sites - it would be worth looking into cheaper hardware.


  • Registered Users Posts: 2 cmelbourne


    hey, did u get this working at all?


  • Closed Accounts Posts: 695 ✭✭✭FusionNet


    Don't forget using 1 VPN for voice and data just be aware of high traffic times and QoS issues.. I always personally like to use a separate DSL for voice so that way if the data people or IT guys are messing around with large files at least you won't get bad telco..


  • Registered Users Posts: 3,441 ✭✭✭jamesd


    Going with a 2mb BIP, Giving 5 calls QOS at 100k each and the rest for data.
    Looks like I will be changing the ip's in one of the sites


  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    As suggested I'd go with NAT on both sides, the ASAs can handle that fine alongside the tunnels themselves. Also they do support basic QOS (one Q) so you can prioritize your voice traffic.


  • Registered Users Posts: 141 ✭✭noclee


    Watch your encryption level, as it may impede your real time traffic voip. Depending on the cpu of the firewall.


  • Posts: 3,621 ✭✭✭ [Deleted User]


    noclee wrote: »
    Watch your encryption level, as it may impede your real time traffic voip. Depending on the cpu of the firewall.

    Really? I thought it was not very cpu intensive after the initial handshake?

    Most symmetric encryption is fairly easy on CPU; it's the PKI stuff that is the real killer.

