
Our office and an outside location have a dedicated T1 point-to-point link connected with Cisco 2600s. We need to eliminate the need for the T1 circuit, as it is costly, and would like to route the traffic over our main ISP with Comcast.

I'm pretty sure I can't use the Cisco 2600s without a T1 in place. Can I set up a server at each location (Windows 2008) that can serve a static VPN tunnel between the 2 locations? I would prefer not to have our users at the main office have to VPN into the second location; I would like it available to all machines, which is what they have been used to.

I'm pretty sure this can probably be accomplished with OS X Server with a mini at each end as well, am I correct?

xedgex
I only indicate using servers as the replacement as I do not work with Cisco gear; I'm sure the same could be accomplished and I am welcome to these options as well. – xedgex Nov 30 '11 at 16:33

2 Answers

I'd look at using some dedicated hardware devices to terminate a VPN tunnel between the sites. I find that using a hardware VPN termination device is, once it's configured, typically a "fire and forget" operation (as opposed to terminating a VPN on a server computer). The Cisco ASA firewall devices do a good job with this, but there are a variety of devices out there that can provide the same functionality (at a myriad of different price points / support options / features).

The net effect of a site-to-site VPN, if routing is properly configured, is that the computers in each network will be able to communicate with the other network just as your current point-to-point network functions. It ought to be a seamless transition if everything is put together with the appropriate forethought.

There is a port of OpenVPN to OS X and it would be possible to host a site-to-site VPN using those machines but you're looking at a more complex routing configuration than just replacing the edge firewall with a device that also terminates a VPN tunnel.

Depending on the IOS version and feature set installed on your 2600-series routers you might be able to terminate an IPSEC tunnel between both sites on these devices, as well. Again, you're looking at a more complex routing configuration to go this route, too.

Evan Anderson

I don't know what Comcast is providing you as modem/router, but the easiest solution would be to use a "VPN router". SF has some related answers (search for vpn, site to site vpn) which will provide you at least manufacturers' names, and sometimes model numbers.

Site-to-site communications will be transparent to your users.

Cisco 2600s are old (even the latest -XM ones), and will have difficulty handling a VPN at the speed of your Comcast connection. Moreover, they can be difficult to set up if you're not trained to do so.

The "server" solution is also possible, but will require more work to configure the tunnels from server to server and then routing from clients to servers (which are thus not the internet gateways). On Mac OS X and Windows servers, you should be able to use OpenVPN, while Windows also has the option of using RRAS (Routing and Remote Access Services).

petrus
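Both answers point out that the server-based approach works but needs the extra routing layer: a tunnel between the two servers, and then routes so that every client on each LAN reaches the remote LAN through its local VPN server. The script below is an added example (not from either answer, and not OpenVPN's own documentation); it writes the OpenVPN 2.x configuration files for exactly that site-to-site layout. All addressing is assumed: HQ LAN 192.168.1.0/24 running the OpenVPN server and reachable as the placeholder hostname hq-vpn.example.com, branch LAN 192.168.2.0/24 running the client, and 10.8.0.0/24 as the tunnel network. The certificate files named in the configs are assumed to exist already, and the branch certificate's common name must be "branch" so it matches the client-config-dir file.

```shell
#!/bin/sh
# Added example: generate OpenVPN site-to-site configs for two LANs.
# Assumed (placeholder) addressing:
#   HQ LAN      192.168.1.0/24  - OpenVPN server, public name hq-vpn.example.com
#   Branch LAN  192.168.2.0/24  - OpenVPN client
#   Tunnel      10.8.0.0/24
# Assumed PKI files: ca.crt, hq.crt, hq.key, dh2048.pem, branch.crt, branch.key.
# The branch certificate CN must be "branch" (matches ccd/branch below).
gen_site_to_site_configs() {
  dir="${1:-./openvpn-site-to-site}"
  mkdir -p "$dir/hq/ccd" "$dir/branch"

  # HQ side: the server. Three routing statements do the site-to-site work:
  #   route       -> kernel route on the HQ server: branch LAN goes into the tunnel
  #   iroute      -> (in ccd/branch) tells OpenVPN which client owns the branch LAN
  #   push route  -> tells the branch client that the HQ LAN lives behind the tunnel
  cat > "$dir/hq/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert hq.crt
key hq.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
topology subnet
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

  # Per-client file; the filename must equal the client certificate CN.
  cat > "$dir/hq/ccd/branch" <<'EOF'
iroute 192.168.2.0 255.255.255.0
EOF

  # Branch side: the client. Routes arrive via the server's push directive.
  cat > "$dir/branch/client.conf" <<'EOF'
client
dev tun
proto udp
remote hq-vpn.example.com 1194
ca ca.crt
cert branch.crt
key branch.key
remote-cert-tls server
keepalive 10 60
persist-key
persist-tun
verb 3
EOF

  echo "wrote HQ config to $dir/hq and branch config to $dir/branch"
}

# Run directly with an output directory argument; no side effects when sourced.
if [ $# -gt 0 ]; then
  gen_site_to_site_configs "$1"
fi
```

The two steps the configs cannot do for you are the ones the answers call "routing from clients to servers": enable IP forwarding on both VPN servers (for example `sysctl -w net.ipv4.ip_forward=1` on Linux, or the equivalent setting on Mac OS X or Windows), and add a static route on each LAN's default gateway (or on each client) sending the remote LAN to the local VPN server's LAN address. The HQ Comcast router also has to forward UDP 1194 to the HQ server. On Windows the same files are used with a .ovpn extension.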