VPN between to routers or 2 firewalls?

mapleleaf · 02-03-2010, 07:24 PM

Hi All

following on from my previous thread about installing a VOIP phone system at work, I decided at the last minute to play safe and cancel the VOIP order and stick with ISDN 30 - but still using a Panasonic NCP 1000 PBX so Ican set up a single IP extension using a DSP SIP card to my office in Canada. the idea being to make & receive calls in Canada using the UK office phone system.

I have received conflicting advise regarding how to set up the necessary VPN between the sites which is purely to use the remote IP phone.

My phone guy says a VPN between 2 draytek vigor 2820 routers works fine and is a recommended solution by Panasonic to create a virtual extension. He has installed this solution for several clients in the UK

The PBX wil not be connected to the company IT network behind the firewall. Just the DSP card will be connected directly to the router . At the remote end - its proposed that the IP phone panasonic KXNT 343 is connected into the router in Canada.

My IT guy says no way is that acceptable and I need to run the VPN between 2 cisco pix/ ASA firewalls . We have CISCO pix in the UK and just a cisco/linksys router in Canada ie no separate dedicated firewall hardware. The IT guy basically wants me to buy a CISCO ASA and pay him for the rather complex configuration. I also need to buy som efixed IP addresses - but I dont think my Canadian ISP Bell Canada, provides those.

Does anyone have any experience or opinions in this regard? whats the best way forward?

TIA

uhayat · 02-03-2010, 08:39 PM

Sorry but I have not been able to find your previous thread.
Why dont you simply set up an open source SIP PBX and use SIP extensions without getting into any VPN/routers/config. Or you can simply use a hosted PBX solution.
Or you can use two off them and connect them with eachother.
If you can email me (usman.tamman@gmail.com) your current/required setup - I might be able to help.
Usman

timskemp · 02-03-2010, 09:21 PM

PM Incoming...

mapleleaf · 02-03-2010, 09:37 PM

Thanks Usman,

Before I forget,... Can i suggest that you remove your private email address from this very public forum -

The only way the IP extension will work, according to Panasonic techs is through a VPN. My question is really how best to set up said VPN - is it ok between 2 routers from a security / breach point of view - bearing in mind the Draytk routers suggested have fairly good firewalls in them .. or do I have to go CISCO firewall to CISCO firewall . Making the connection more complex and more expensive than I would want .

Hosting etc isnt going to work in this particular case either - just a secure VPN tunnel.

markmifsud · 04-03-2010, 11:26 AM

I use Vigor(draytek) routers for budget ipsec tunnels, never had a problem with them, Cisco will always be recommended by some as they are market leaders, and I think some Company's only have skills in the top end vpn appliances so will not attempt to create a vpn over anything they see as less capable

Dryce · 04-03-2010, 03:19 PM

Quote:

Originally Posted by markmifsud

I use Vigor(draytek) routers for budget ipsec tunnels, never had a problem with them, Cisco will always be recommended by some as they are market leaders,

The Cisco stuff clearly offers capability at the enterprise level.

But the Drayteks are fine at what they do. We've used them for VPNs (various 2600, 2800, 2900, and 2820) for years and they just work.

The only hassle discovered so far is the ADSL 2+ on the earlier 2800 models doesn't seem to like Be (and by inference O2) ADSL lines.

The OP mentioned fixed IPs. If setting up a VPN with one of these boxes you can get away with a fixed IP at one end by making the router at the dynamic IP end responsible for raising the VPN and keeping it permanently active.

However that still leaves the downside of a lack of a fixed IP to access the remote router for admin/config purposes. So it's still better overall with a fixed IP at both ends.

WLeg · 04-03-2010, 03:54 PM

Any Cisco or VPN experts here care to make themselves known ? I have a little problem .....

agatward · 04-03-2010, 08:10 PM

Quote:

Originally Posted by WLeg

Any Cisco or VPN experts here care to make themselves known ? I have a little problem .....

PM incoming.

mapleleaf · 06-03-2010, 06:06 AM

thanks everyone

we have decided to keep it simple and stick with router to router and see how it works out. trial & error really. I'll let you know how it goes. install is booked for end of march

02-03-2010, 07:24 PM	#1
mapleleaf Hardcore MB Enthusiast Join Date: Dec 2002 Location: Manchester & Toronto Car: Ford Escape SUV but that doesnt really count, hopefully back into an SL - 500 this time Posts: 1,754	VPN between to routers or 2 firewalls? Hi All following on from my previous thread about installing a VOIP phone system at work, I decided at the last minute to play safe and cancel the VOIP order and stick with ISDN 30 - but still using a Panasonic NCP 1000 PBX so Ican set up a single IP extension using a DSP SIP card to my office in Canada. the idea being to make & receive calls in Canada using the UK office phone system. I have received conflicting advise regarding how to set up the necessary VPN between the sites which is purely to use the remote IP phone. My phone guy says a VPN between 2 draytek vigor 2820 routers works fine and is a recommended solution by Panasonic to create a virtual extension. He has installed this solution for several clients in the UK The PBX wil not be connected to the company IT network behind the firewall. Just the DSP card will be connected directly to the router . At the remote end - its proposed that the IP phone panasonic KXNT 343 is connected into the router in Canada. My IT guy says no way is that acceptable and I need to run the VPN between 2 cisco pix/ ASA firewalls . We have CISCO pix in the UK and just a cisco/linksys router in Canada ie no separate dedicated firewall hardware. The IT guy basically wants me to buy a CISCO ASA and pay him for the rather complex configuration. I also need to buy som efixed IP addresses - but I dont think my Canadian ISP Bell Canada, provides those. Does anyone have any experience or opinions in this regard? whats the best way forward? TIA

02-03-2010, 08:39 PM	#2
uhayat Member Join Date: Dec 2006 Location: Pakistan Car: w211 E200 Kompressor Posts: 74	Sorry but I have not been able to find your previous thread. Why dont you simply set up an open source SIP PBX and use SIP extensions without getting into any VPN/routers/config. Or you can simply use a hosted PBX solution. Or you can use two off them and connect them with eachother. If you can email me (usman.tamman@gmail.com) your current/required setup - I might be able to help. Usman __________________ 2004 - E200 Kompressor 1995 - W202 C250D with Wald Kit 1987 - 200 - W124 1972 - 230 - W114 Limo www.usmantamman.com

02-03-2010, 09:21 PM	#3
timskemp Hardcore MB Enthusiast Join Date: Dec 2006 Location: Hull Car: W211 E270CDI Posts: 1,906	PM Incoming... __________________ W211 E270CDI Classic 2003 auto (silver of course) old gallery new album Volvo V50 1.6S 2008 manual (black!) Add yourself to the MBclub frappr map

04-03-2010, 03:54 PM	#7
WLeg Hardcore MB Enthusiast Join Date: Aug 2003 Location: Port Harcourt, Nigeria, Houston Texas, Hertfordshire, UK Car: W202, XC90 Posts: 1,384	Any Cisco or VPN experts here care to make themselves known ? I have a little problem ..... __________________ Light travels faster than sound... which is why some people appear bright until you hear them speak

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
VPN Connection - problem?	Beetnik	PC and I.T support/Advice posts	9	27-01-2010 06:40 PM
VPN Client	imadoofus	PC and I.T support/Advice posts	10	22-10-2007 01:09 PM
Offline Folders	imadoofus	PC and I.T support/Advice posts	12	24-01-2007 08:57 AM
Any MCSE 2003 people around today with VPN experience?	scotth_uk	PC and I.T support/Advice posts	4	04-04-2005 07:34 AM
NTL & Routers	Flyer	PC and I.T support/Advice posts	12	24-12-2004 04:06 PM

02-03-2010, 09:37 PM	#4
mapleleaf Hardcore MB Enthusiast Threadstarter Join Date: Dec 2002 Location: Manchester & Toronto Car: Ford Escape SUV but that doesnt really count, hopefully back into an SL - 500 this time Posts: 1,754	Thanks Usman, Before I forget,... Can i suggest that you remove your private email address from this very public forum - The only way the IP extension will work, according to Panasonic techs is through a VPN. My question is really how best to set up said VPN - is it ok between 2 routers from a security / breach point of view - bearing in mind the Draytk routers suggested have fairly good firewalls in them .. or do I have to go CISCO firewall to CISCO firewall . Making the connection more complex and more expensive than I would want . Hosting etc isnt going to work in this particular case either - just a secure VPN tunnel.

04-03-2010, 11:26 AM	#5
markmifsud Hardcore MB Enthusiast Join Date: Nov 2008 Location: Bromley, London Car: CLK320 CAB (W208) 02 Posts: 449	I use Vigor(draytek) routers for budget ipsec tunnels, never had a problem with them, Cisco will always be recommended by some as they are market leaders, and I think some Company's only have skills in the top end vpn appliances so will not attempt to create a vpn over anything they see as less capable

06-03-2010, 06:06 AM	#9
mapleleaf Hardcore MB Enthusiast Threadstarter Join Date: Dec 2002 Location: Manchester & Toronto Car: Ford Escape SUV but that doesnt really count, hopefully back into an SL - 500 this time Posts: 1,754	thanks everyone we have decided to keep it simple and stick with router to router and see how it works out. trial & error really. I'll let you know how it goes. install is booked for end of march

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)