Networking Question - VPN/Gateway??

  1. #1
    Registered User
    Join Date
    Apr 2001
    Location
    Atlanta, GA
    Posts
    56

    Networking Question - VPN/Gateway??

    This is to all the network admins out there. I have several different LANs around the city, and would like to connect them in some fashion. What is the way to do this? Aside from VPN, is it possible to create a connection that would create a virtual network? How do most companies and businesses set up and connect their various LANs like this? What is the protocol? Thank you all!

  2. #2
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    How about a hub and spoke frame-relay connection? That's one of the most redundant ways. A cheaper and less fault tolerant way to do it is to have 2 frame relay connections at each location. If they're all up you can connect to any of the other sites and you have complete privacy. An even cheaper way to do it is to use your existing internet connection (assuming you have an internet connection at each site) and create a router to router VPN. Personally, I think this is a great way to connect small offices that have DSL, frame-relay, or T1s to the internet already and don't want the added expense of a dedicated leased circuit to each site.

    Oh, my smart *** reply was going to be "with twist ties."
    Deliver me from Swedish furniture!

  3. #3
    Registered User
    Join Date
    Jan 2002
    Location
    South Jersey
    Posts
    253

    Ok,
    Since this was brought up, I have a question on this topic.

    Iateyourcat, router to router VPN would be most cost effective, right? Or perhaps in most situations? How about with a company that didn't look too much towards this in the past and now wants a router to router VPN with the following situation?

    4 offices, each office though has a different router, different manufacturers altogether. So we'll say 2 have Cisco routers, however 2 different models, and 2 have generic, even older dial-up routers (which have a firewall as well). So what would I need to be equipped with to have a VPN solution for this co.? Do I need to know how to open ports on each router? If so, which ones? Or is this almost an impossible task altogether, being that all the routers are different (although I am thinking the 2 Ciscos would be more easily "doable")? So would the best solution be to buy 4 of the same routers, which would probably be out of the question since the logic is: "These are working fine and we paid good money for them, is there any other way?"

    Thanks for any pointers.
    "Good music makes you want to dance and kiss your girlfriend. Great music makes you want to riot and kill...."- Tom Morello, Rage Against the Machine

  4. #4
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    If all of your routers support PPTP then it should be possible. It might take a lot of work though to get different routers working together. Also, you can't use IPSEC if you're using NAT, so L2TP is out, and that sucks because PPTP isn't that secure. And yes, I think VPNs over cheap lines are great for small companies. But, I have seen companies go too far. Hell, when I first started at Computer Tech in Atlanta our internet access was over a 128K frame relay to a T1 in Houston that went to the internet. We had 10 users.

    If you're running 2000 Server at all four locations it's a snap... sort of. You can configure packet filters and only open up the VPN ports on your firewall (1723 for PPTP). Below is a clip from the config guide. The full guide is here: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/vpnscen.asp There's also a white paper somewhere on TechNet.

    L2TP-based Persistent Branch Office
    The Phoenix branch office is an L2TP-based branch office that uses a Windows 2000 router to create a persistent, router-to-router VPN connection with the VPN server in New York. The connection is never terminated, even when idle.

    To deploy an L2TP, two-way initiated, persistent, router-to-router VPN connection to the corporate office based on the settings configured in the "Common Configuration for the VPN Server" and "Persistent Branch Office" sections of this paper, the following settings are configured on the VPN server and Phoenix router.
    Deliver me from Swedish furniture!

  5. #5
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960

    Update: apparently there are devices now which will allow you to pass IPSEC traffic through them, with NAT, which would allow a 2000-based IPSEC VPN. This would work in your scenario with different hardware... but, if you have different hardware I'm doubting that the old hardware would pass NATed IPSEC traffic. You can check on your hardware by looking in the documentation to see if it's "NAT aware."
    Deliver me from Swedish furniture!
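
The NAT and IPsec clash raised in posts #4 and #5, as a simplified model added here (not code from the thread or from any product): AH's integrity value covers the IP source address that NAT rewrites, bare ESP carries no TCP/UDP port for a port-translating NAT to track, and ESP wrapped in UDP port 4500 (RFC 3948 NAT traversal, which the thread does not name) avoids both problems. The key, addresses, packet bodies and function names are constructed for illustration, and the real AH ICV also covers the AH header itself.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"          # constructed sample key
TCP, UDP, ESP, AH = 6, 17, 50, 51      # IP protocol numbers

def packet(src, dst, proto, body, ttl=64):
    """Minimal IPv4 packet: 20-byte header (checksum left 0 in this model) + body."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

def ah_icv(pkt):
    """AH-style ICV: covers the IP header (mutable fields zeroed) and the body."""
    hdr = bytearray(pkt[:20])
    hdr[1] = 0                          # TOS
    hdr[6:9] = b"\x00\x00\x00"          # flags/fragment offset, TTL
    hdr[10:12] = b"\x00\x00"            # header checksum
    return hmac.new(KEY, bytes(hdr) + pkt[20:], hashlib.sha1).digest()[:12]

def esp_icv(pkt, esp_offset=20):
    """ESP-style ICV: covers only the ESP bytes, never the outer IP header."""
    return hmac.new(KEY, pkt[esp_offset:], hashlib.sha1).digest()[:12]

def nat_rewrite(pkt, public_src):
    """Source NAT: replace the private source address with the public one."""
    return pkt[:12] + socket.inet_aton(public_src) + pkt[16:]

def through_nat(pkt, icv_fn, public_src="203.0.113.7"):
    """Return (sender ICV matches receiver's after NAT, NAPT can track the flow)."""
    natted = nat_rewrite(pkt, public_src)
    intact = hmac.compare_digest(icv_fn(pkt), icv_fn(natted))
    return intact, natted[9] in (TCP, UDP)   # NAPT keys its table on ports

def run_demo():
    src, dst = "192.168.1.10", "198.51.100.1"       # constructed addresses
    esp = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext"  # SPI, seq
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)          # NAT-T port
    return {
        "ah": through_nat(packet(src, dst, AH, b"constructed body"), ah_icv),
        "esp": through_nat(packet(src, dst, ESP, esp), esp_icv),
        "esp_in_udp_4500": through_nat(packet(src, dst, UDP, udp + esp),
                                       lambda p: esp_icv(p, 28)),
    }

if __name__ == "__main__":
    print(run_demo())
```

Each result is a pair: whether the integrity check still passes after the address rewrite, and whether a port-translating NAT has a port to key its translation table on.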

  6. #6
    Registered User
    Join Date
    Jan 2002
    Location
    South Jersey
    Posts
    253

    Thanks for the info. I was told that it might be a pain in the *** with different equipment, esp. older. The infamous "in theory" it should work. I've heard that before; matter of fact, I'm sure I've said it myself.
    "Good music makes you want to dance and kiss your girlfriend. Great music makes you want to riot and kill...."- Tom Morello, Rage Against the Machine
