
Multi-site VPN with just Cisco VPN client

blacksadangel
Beginner

Hello everybody,

Please, I need your help.

We have a headquarters office and up to 60 branch offices, and we want to create a VPN network between them. We will be deploying 2 Cisco routers as Easy VPN servers with HA (HSRP) in the headquarters office; all the branch offices have ADSL connections and will use just the Cisco VPN client to connect to the headquarters office.

My question is: is it possible to do this with just the Cisco VPN client, without buying a Cisco router for each branch office to create an IPsec tunnel, because that is so expensive?

13 Replies

Michael Muenz
Contributor

It depends if the routers at the offices can handle NAT with multiple internal VPN clients to 1 IP address. Most newer hardware should be fine. Also keep in mind the max. VPN client limit, with 60 branches and 5 people at each one you're over the limit.

Michael

Please rate all helpful posts


Karsten Iwen
VIP Mentor

What you are doing is a "nearly normal" Remote-Access scenario and will work easily for client-to-HQ-communication. If the users in the branch have to communicate also locally, you have to use split-tunneling.

But there are some things that won't work: If there are devices in the branches that have to be accessed from the HQ, these won't be reachable, as there is no VPN for them.

And you have to size your HQ-routers for the amount of simultaneous connected users. A better solution would be to use 800-series routers for the branch-offices.

If you have not yet bought the routers for the HQ, I would go for two ASA 5515-X with AnyConnect Essentials. The Cisco EasyVPN Client is EOS/EOL announced and is replaced by AnyConnect. But the ASA is a much more powerful device for remote-access VPNs.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

blacksadangel
Beginner

Thank you, friends.

The routers used in the headquarters are two Cisco 1841 Easy VPN servers in HA (HSRP). I read that they can support 800 tunnels; I don't know if that also applies to the Cisco VPN client. The primary need for this VPN is to access a terminal server which runs an application, for all the 60 branch offices. We will just use simple ADSL routers and I will check for the "VPN passthrough" capability. I have practiced IPsec tunnels between 2 Cisco routers, or 8 at most, but I have never done the case of using just the Cisco VPN client for up to 50 branch offices.

In your opinion, will that run perfectly just using the Cisco client?

Yes, with AIM it's 800 in theory:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/vpn_performance_eng.pdf

I'm not sure if a 1841 can handle this with high load.

Also I'm not sure if your upload can handle that many RDP connections.

Think about what happens if one prints a 50mb PDF, all screens will freeze for a short time.

Michael


The bandwidth will be 2Mb symmetric (2M = upload = download) between the headquarters and the ISP. For the terminal server, I tested the bandwidth used and found it to be over 28ko per connection, which means at least 28ko*60=1680ko for simultaneous users; also, we will never have simultaneous connections. For the bandwidth, I think that is fully enough.

Just a question: is the AIM hardware or a model, or is it delivered by default with the Cisco 1841? And in the case without it, how many connections can the Cisco support?

Thank you, friends.

Without the extra AIM, the 1841 should support about 100 VPN sessions. If you really only have 60 users, then it should be fine. And you could distribute the load over both 1841s.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

blacksadangel
Beginner

Thank you very much, friends.

Really, I wish that just the Cisco VPN client will work fine, because there is no chance to buy a Cisco router for each branch office, as it would be so expensive. I tested that in GNS3 and it doesn't work fine; I said that is just because of emulation, but in reality I really wish it will be fine.

I hope your latency is under 30ms. I have a distributed setup; each branch with lower than ADSL6000 and more than 40ms doesn't like working over RDP.

Keep in mind that when 1mbit of your 2 is already in use, your latency goes up and the RDP slows down.

Michael


blacksadangel
Beginner

Thank you, friends,

but I have a problem now: when I used Easy VPN server or site-to-site VPN (based on IPsec) in GNS3, the RDP connections are lost, as I said before. So, to determine whether the problem is just an emulation problem with GNS3, I used PPTP and configured the router as a PPTP server; after that, RDP works fine!!!!

The problem is that I must use the Cisco VPN client to benefit from the backup VPN server, but it doesn't work with PPTP :s; with PPTP I will be obliged to use just the Windows client.

Do you have any idea how to configure IPsec to work fine with RDP like PPTP, please?

So you can login with Easy VPN but not connect via RDP? Then you should check split tunnel, since default in PPTP is to send all traffic via VPN.

Michael


blacksadangel
Beginner

Yes, I can connect with the Cisco VPN client and I can ping the server fine, but the moment I remote into the terminal server over RDP, the connection is lost; with PPTP, all works fine, my friend.

The problem is that I must use the Cisco VPN client, which doesn't support PPTP :s, or find a solution to get IPsec to work fine with RDP like PPTP.

Can you telnet to the IP with port 3389 and check if a connection gets established?

In the real world it doesn't matter if it's PPTP or VPN client.

Michael


blacksadangel
Beginner

Yes ciscomax, but in my case I must use Easy VPN server with the Cisco VPN client. I tested the telnet and it is established, but I always have the same problem. I tested sending a file, and it can't be sent. I don't know why it cannot work :s
