Wednesday, 6 June 2007

ADSL VPN Site to Site

The cost of diginet lines can be rather expensive, so we decided to run some tests for connecting remote sites to the network via ADSL VPN's. This is a rather interesting exercise that proved to be more difficult than initially anticipated. The internet seems to be abound with tutorials on setting up a VPN where a client accesses the a remote network with a VPN, but the number of tutorials on LAN to LAN VPN's seems rather limited.

To start off with we have the following in place:
  • Hardware
    • 2 x D-Link ADSL Firewall Routers
    • 2 x D-Link DI-804HV VPN Firewall Routers
  • Other
    • 2 x DynDns accounts
    • 4 x subnets
How to set it all up:
1.) If you don't have static IP addresses from your ISP you will need to setup 2 new DynDns accounts. This can be done by going to Dynamic DNS allows you to access your ADSL routers through a DNS name which is resolved to your current IP Address. A small client application sits on your router and sends updates to the DynDNS server to notify it of an IP Address change.

2.) Decide on your subnet information and make sure that there are 4 subnets when connecting 2 remote sites. The subnets are as follows. 1.) LANA subnet, LANB Subnet, Subnet between the ADSL router and the VPN router on site A, subnet between the ADSL router and the VPN router on site B.

3.) Install the ADSL Router and VPN Routers. The setup is pretty basic you should be able to handle it using the documentation that comes with the devices and one thing to note is that you should disable DHCP or at the very least reserve the addresses of the WAN interface of the VPN router so that its address remains constant.

4.) Allow VPN pass-through on the the ADSL router via the settings in the virtual server. This is done so that the ADSL router takes any VPN traffic and automatically passes it directly to the VPN router. (This is very important.)

5.) Setting up the VPN. This can be done with the documentation from the manual of the device in question. Please note that the pre-shared key needs to be EXACTLY the same on either side.

Some other things to note:
  • The DynDNS can take some time to update and forcing updates can result in your account being blocked. Be careful and don't reboot the ADSL router too often!
  • The don't enable DHCP between the ADSL and VPN routers, rather assign the adresses statically as this can cause problems if a lease expires.
  • ADSL is asynchronous which means that the upload speeds are different to the download speeds. So don't be fooled, the actual speed of your link will be lower than the maximum theoretical upload speed of a ADSL single link.
  • The VPN routers used only allowed access to the two subnets connected and no other subnets. I can only assume that this is a security related mechanism, but it did make traversing the VPN from the rest of our network impossible. The VPN router when accessed directly does not have enough routing information to route the traffic across the VPN from another subnet.
Some other things we added to the setup:
  • A static route to the remote subnet on our main Cisco router (which is our default gateway) to the VPN router.
  • Filters to block internet access via these routers.
  • Extra strong passwords and pre-shared keys to maximise security.