Best VPN design solution for central/branch offices

spejic
Level 1

Hello all,

I would like your input on designing a VPN solution given the following:

Right now, the customer has a single office. I will be setting up a Cisco 1811w for them, and its main functions will be wireless access, firewall with CBAC, and EZVPN server.

The EZVPN server function will be implemented so that employees with laptops can work from home.

In the near future, there will be around 4 branch offices in operation.

Static IP is available for the main office, but I am unsure if static IPs will be available for the branch offices once they are established (there's 50-50 chance).

There will be one Active Directory server at the central location and it will have to be accessed from the branch offices.

My question is - given the uncertainty of the branch offices having static IPs - what is the best way to implement VPN to connect them to the branch office?

Each branch office will have a Cisco 831 installed.

Is EZVPN a viable solution given the above requirements?

Is it possible to set up the 831s as EZVPN clients without XAUTH, while still maintaining XAUTH for the employees using EZVPN clients?

If this is not going to work, then XAUTH might have to go.

Or, given the situation, would you opt for DMVPN? Unfortunately I don't know too much about that technology for now. What are the advantages / disadvantages of using it, if it is an appropriate solution for this scenario?

Thank you all in advance for your input!

Sean


7 Replies

m.sir
Level 7

Not sure about XAUTH vs. without XAUTH EZVPN. But I have used TED for a similar scenario.

Check this link:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1830/products_feature_guide09186a0080087a9a.html

Fernando_Meza
Level 7

Hi .. I am sure VPN server /client is the way to go. Xauth / No Xauth can be accomplished by creating two VPN groups (profiles), one without Xauth (for the spoke routers ... even though you can also use Xauth as well) and one with Xauth for the remote users.

DMVPN is useful when you require direct communication between the spokes without having to traverse the Hub site. It uses a protocol named NHRP (next hop routing protocol) to DYNAMICALLY create the tunnels between spokes automatically and on demand, based on traffic.

I hope it helps .. please rate it if it does !!!

Hi, thank you all for your replies.

I just finished my preliminary testing in my testlab - EZVPN server/client solution works great.

The only thing that I would still like to accomplish is being able to ping machines in the "remote office"

(I can connect to the server, which is behind the Cisco 1811w acting as an EZVPN server, but not from the server to the client machine, which is behind a Cisco 831, acting as an EZVPN client). The client machine is not firewalled or anything (neither is the 831). Please let me know how I could accomplish this. Thanks in advance!!

Hi .. if you do tracert from the server to the clients behind the 831 how far does it go ..? You might need to specifically allow this on your 1811 router

I think you need to use a network extension mode (configured in the vpngroup) instead of client mode. Just make sure that each branch office uses a different and not overlapping address space.
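As an added illustration (not configuration posted by anyone in this thread), the two ideas above can be combined on IOS: the hub keeps two EZVPN groups, with XAUTH enforced only on the remote-user group through a separate ISAKMP profile, and the 831 joins in network-extension mode so its LAN keeps its real addresses and the hub installs a route back to it with RRI, which is what lets the central server reach branch hosts. All names, the hub WAN address 203.0.113.1, the subnets 10.1.0.0/16 (central) and 10.2.1.0/24 (branch), ACL 110 and the *-PLACEHOLDER keys are assumptions for this example.

```cisco
! ---- Hub: Cisco 1811W acting as EZVPN server (constructed example) ----
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
! Local XAUTH account for a laptop user (placeholder password)
username alice secret USER-PASSWORD-PLACEHOLDER
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! DPD so stale branch tunnels are torn down when a dynamic WAN address changes
crypto isakmp keepalive 10 3
!
! Group 1: branch 831s. No XAUTH; the router is authenticated by the group key only.
crypto isakmp client configuration group BRANCHES
 key BRANCH-GROUP-KEY-PLACEHOLDER
 acl 110
!
! Group 2: home users. XAUTH is enforced via the USER-PROF profile below.
crypto isakmp client configuration group REMOTE-USERS
 key USER-GROUP-KEY-PLACEHOLDER
 pool EZVPN-POOL
 acl 110
!
! Split-tunnel ACL: only central-office traffic goes through the tunnel
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
ip local pool EZVPN-POOL 10.9.9.1 10.9.9.50
!
! One ISAKMP profile per group so each group carries its own XAUTH decision
crypto isakmp profile BRANCH-PROF
 match identity group BRANCHES
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
crypto isakmp profile USER-PROF
 match identity group REMOTE-USERS
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUPS
 client configuration address respond
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
! reverse-route installs a static route to each branch LAN (network-extension mode)
! and to each user's pool address, so hub-side hosts can initiate traffic
crypto dynamic-map DYN-BRANCH 10
 set transform-set TS
 set isakmp-profile BRANCH-PROF
 reverse-route
crypto dynamic-map DYN-USER 10
 set transform-set TS
 set isakmp-profile USER-PROF
 reverse-route
crypto map EZVPN 10 ipsec-isakmp dynamic DYN-BRANCH
crypto map EZVPN 20 ipsec-isakmp dynamic DYN-USER
!
interface FastEthernet0
 description WAN (static IP 203.0.113.1, assumed)
 crypto map EZVPN
!
! ---- Spoke: Cisco 831 as EZVPN client in network-extension mode ----
! Branch LAN 10.2.1.0/24 is assumed; every branch must use a different, non-overlapping range
crypto ipsec client ezvpn BRANCH
 connect auto
 group BRANCHES key BRANCH-GROUP-KEY-PLACEHOLDER
 mode network-extension
 peer 203.0.113.1
!
interface Ethernet0
 description Branch LAN
 ip address 10.2.1.1 255.255.255.0
 crypto ipsec client ezvpn BRANCH inside
interface Ethernet1
 description WAN (ISP DHCP, address may change; the 831 always initiates to the hub)
 ip address dhcp
 crypto ipsec client ezvpn BRANCH
```

The difference from client mode is that client mode makes the 831 PAT its whole LAN behind the single address the hub assigns, so nothing at the central office can open a connection to a branch host; network-extension mode presents the branch subnet to the hub as a real IPsec proxy identity, and `reverse-route` turns it into a route. A quick check on the hub after the 831 connects is `show ip route static` (a /24 per branch should appear) and `show crypto session`, which also confirms that the branch session negotiated without XAUTH while a remote user's session did.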

spejic
Level 1

Thanks everyone for helping me out!!

I just put in a DMVPN for a customer with 10 remote sites and two hub sites in different locations. The remote sites are 871's and the hubs are 1841's. We used a LAN-to-LAN VPN to tie the two hubs together. One of the spoke 871's is also running as an EZVPN server. With the exception of having IOS code issues, the DMVPN is very stable. The nice thing is that as they add sites, all we have to do is add the config for DMVPN to the new spoke and it will participate in the DMVPN. NATting was challenging but all in all, it is a great solution.
