Two routers with different VPN access privileges

1

0

So I am having a problem. My office is in need of VPN capabilities, but our current network has a lot of sensitive data, so we are going to use two routers with two different VPN connections on two different networks (but the same internet connection). The higher-level network will house all of our sensitive material, and our senior-level employees will be able to access it. The other one will be used for general connection to our sales documents, printers, and mobile devices.

Configuring these two isn't the problem. My problem is that the higher-level VPN network needs to have a one-way connection to the first one, so all of our senior-level employees can still access the sales documents and printers.

I know this is complicated, but can anyone give me any advice on how to go about setting this up using either Tomato or DD-WRT firmware?

Thanks all.

SysLamp

Posted 2013-02-03T19:51:53.193

Reputation: 25

Answers

0

I have some knowledge of the workings of complex VPN solutions, as I wrote the StrongSwan Chef cookbook currently used with Ironfan to establish VPNs within Amazon clusters.

What you ask is not beyond the realm of possibility; but I, personally, would not use either of the choices you gave for controlling the VPN connections you described.

What I feel you should be doing is this: dedicate an office machine to be the 'master' for both VPNs. Pass through all IPsec traffic to this machine from the router(s). You'll need to keep both VPNs separated to keep the level of security you need, and your senior-level employees will be required to connect to both. Within each of their VPN connections' configuration on their local machine you will need to use the setting to 'only use routes for assets on that subnet'. (It may be worded slightly differently across different OSes.)

Know this: security mechanisms are complex and myriad; here is a listing from which you may choose to get ideas about where to go from there.

Jerry W Jackson

Posted 2013-02-03T19:51:53.193

Reputation: 120

Thank you very much! I will look into this. You may have just helped us dodge a bullet! – SysLamp – 2013-02-04T05:05:46.220

@Syslamp I'm currently available for hire if you need this done properly. :) – Jerry W Jackson – 2013-02-04T05:12:03.210
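The 'only use routes for assets on that subnet' setting from the answer above can be checked on a client by looking at which routes each VPN installs. The following is an added example, not part of the original posts: it models a client routing table with longest-prefix matching and flags any VPN interface that would carry traffic outside its own subnet. The subnets, interface names and metrics are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the posts).
SENIOR_NET = ipaddress.ip_network("10.10.0.0/24")   # sensitive network
GENERAL_NET = ipaddress.ip_network("10.20.0.0/24")  # sales documents, printers
VPNS = {"vpn-senior": SENIOR_NET, "vpn-general": GENERAL_NET}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_table(split_tunnel):
    """Return the client's routes as (network, interface, metric) tuples."""
    table = [(DEFAULT, "lan", 100)]  # normal internet path via the local gateway
    for metric, (iface, net) in enumerate(VPNS.items(), start=10):
        table.append((net, iface, metric))
        if not split_tunnel:
            # Full tunnel: the VPN also installs a preferred default route.
            table.append((DEFAULT, iface, metric))
    return table


def egress(table, dst):
    """Pick the outgoing interface: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    _, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


def audit(table):
    """List VPN interfaces holding a route wider than their own subnet."""
    return sorted({iface for net, iface, _ in table
                   if iface in VPNS and not net.subnet_of(VPNS[iface])})


if __name__ == "__main__":
    for mode in (True, False):
        table = build_table(split_tunnel=mode)
        print("split tunnel" if mode else "full tunnel")
        # 203.0.113.7 is a documentation address standing in for the internet.
        for dst in ("10.10.0.5", "10.20.0.9", "203.0.113.7"):
            print(f"  {dst:<12} -> {egress(table, dst)}")
        print("  over-broad VPN routes:", audit(table) or "none")
```

With split tunnelling each VPN carries only its own subnet and internet traffic stays on the local gateway; in the full-tunnel case the audit reports both VPN interfaces because each holds a default route.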

0

You should also look at LogMeIn Hamachi's zero-config VPN solution.

kobaltz

Posted 2013-02-03T19:51:53.193

Reputation: 14 361