atcomsystems.ca/forum
Posted By: emmitt2727 VPN QUESTIONS - 09/28/10 08:20 AM
I need to set up a VPN and have never done it before. Can anyone recommend a place to get good clear instructions for this? I know there are many variables, but I am after a good basic explanation that I can work from. Keep in mind, I am a phone man, not a computer guy. (read: Keep it simple and don't skip steps)
Posted By: JoelM Re: VPN QUESTIONS - 09/28/10 08:44 AM
Every VPN device is different to set up - you'll need to find information for your specific device(s) that will be creating the VPN. I'd recommend that you stick with one make and model for building the VPN if at all possible (getting multiple vendors' VPNs to talk to each other is a very complex project).

I'd probably recommend hiring a contractor to help you out with the first few (or if you will be working with a network that is more complex than just a DSL/Cable modem and a handful of computers), or at least have one on call if you run into issues. VPNs can be either really easy or really complex - they are almost always one extreme or the other, and my experience says they tend towards really complex more often.
Posted By: hot.sandwichz Re: VPN QUESTIONS - 10/18/10 05:46 PM
I will try to explain IPSec VPN in a nutshell.

To set up a site-to-site VPN you need two end point devices. These are the "VPN Peer Gateways". Their purpose is to terminate the IPSec VPN tunnel. There are many options for this. They range from community/open source such as Vyatta Router to much more expensive devices like CheckPoint VPN-1, Juniper, or Cisco.

Each side needs to agree on a set of parameters when they do the tunnel negotiation. This is usually called phase one and phase one.

Phase One (sometimes called IKE / ISAKMP) contains:

pre-shared-key
type of encryption (3des or AES-128)
type of hash algorithm (md5 or sha1)
lifetime (default of 86400 secs)


Phase Two (sometimes called IPSec SA negotiation) contains:

type of encryption (3des or AES-128)
type of hash algorithm (md5 or sha1)
lifetime (in seconds)
a local subnet that should be encrypted/allowed
a remote subnet that should be decrypted/allowed

When the negotiations are complete there is now an IKE cookie and an IPsec SA.

The packets come into the gateway from your internal network. If they match the local and remote subnets they are encrypted and sent across to the other side.

That's the real basics of it. If you want some help send me a PM and I can try to assist you.

Regards.
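
Added example, not part of the post above: a pre-deployment check that compares the phase one and phase two settings planned for both gateways and reports anything that differs, along with the legacy algorithm choices (3des, md5). The dictionary layout, field names, key and subnets are constructed for illustration and are not any vendor's configuration syntax.

```python
import ipaddress

# Constructed sample settings for two hypothetical gateways.
SITE_A = {
    "psk": "example-shared-secret",
    "phase1": {"encryption": "aes-128", "hash": "sha1", "lifetime": 86400},
    "phase2": {"encryption": "aes-128", "hash": "sha1", "lifetime": 3600,
               "local_subnet": "192.168.10.0/24",
               "remote_subnet": "192.168.20.0/24"},
}
SITE_B = {
    "psk": "example-shared-secret",
    "phase1": {"encryption": "aes-128", "hash": "md5", "lifetime": 86400},
    "phase2": {"encryption": "aes-128", "hash": "sha1", "lifetime": 3600,
               "local_subnet": "192.168.20.0/24",
               "remote_subnet": "192.168.10.0/25"},
}

WEAK = {"3des", "md5"}  # legacy algorithms; prefer AES and SHA on both ends


def subnet(cfg, key):
    """Parse a phase two subnet so equal networks compare equal."""
    return ipaddress.ip_network(cfg["phase2"][key])


def compare_peers(a, b):
    """Return differences and weak settings to review before deployment."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("phase1: pre-shared keys differ")
    for phase in ("phase1", "phase2"):
        for field in ("encryption", "hash", "lifetime"):
            if a[phase][field] != b[phase][field]:
                findings.append(f"{phase}: {field} mismatch "
                                f"({a[phase][field]} vs {b[phase][field]})")
        for side, cfg in (("A", a), ("B", b)):
            for field in ("encryption", "hash"):
                if cfg[phase][field] in WEAK:
                    findings.append(
                        f"{phase}: site {side} uses weak {field} {cfg[phase][field]}")
    # Each side's local subnet must be exactly the other side's remote subnet.
    if subnet(a, "local_subnet") != subnet(b, "remote_subnet"):
        findings.append("phase2: A local subnet != B remote subnet")
    if subnet(a, "remote_subnet") != subnet(b, "local_subnet"):
        findings.append("phase2: A remote subnet != B local subnet")
    return findings


if __name__ == "__main__":
    for line in compare_peers(SITE_A, SITE_B):
        print(line)
```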
Posted By: johnp Re: VPN QUESTIONS - 10/18/10 09:05 PM
You should be able to follow the manufacturer's instructions. Hopefully there is the same equipment on both ends, as that will make it much easier.

I assume you are talking about a hardware ptp solution.
Posted By: Butch Cassidy Re: VPN QUESTIONS - 10/19/10 05:42 PM
You are getting in hopelessly over your head. Follow the manufacturer's instructions? Okay yes but it will take you several years to get enough background to do that. Perhaps you should try performing surgery on yourself. The odds of succeeding are better.
Posted By: tito1411 Re: VPN QUESTIONS - 10/19/10 06:07 PM
You know how the telephone guys get all riled up when the computer guy starts to mess with phones and they are way in over their heads and more likely to cause trouble than good? Well it goes both ways! :nono:

If you want to learn more then here ya go.....

https://compnetworking.about.com/od/vpn/a/vpn_tutorial.htm

https://www.howstuffworks.com/vpn.htm



There's tons of resources on the internet.
Posted By: dtmf Re: VPN QUESTIONS - 10/19/10 06:36 PM
Now now play nice people.
Posted By: Butch Cassidy Re: VPN QUESTIONS - 10/19/10 08:07 PM
You may be able to pull this off with our help but you need to be a lot more specific. I mean on TV ordinary citizens manage to land jet airliners all the time. If you believe that is realistic, then give setting up a VPN a try.

First of all tell what you want to connect by VPN: one whole site to another whole site, a whole site to specific remote computers, or specific computers to specific remote computers? Or are phones and phone systems involved?
Posted By: tony3866 Re: VPN QUESTIONS - 10/20/10 06:10 AM
The Netgear Prosafe VPN Firewall FVS31v3 is what I'm using from my office to 3 other locations. It works well and I had no problems setting it up.

There's a built in wizard that walks you through the basic set-up and if you have problems, they will give you tech support over the phone at no cost.

Good luck but you shouldn't have any problems. It's not that hard!!
Posted By: emmitt2727 Re: VPN QUESTIONS - 10/21/10 07:32 PM
Thanks Tony3866 that is good to hear. Thanks tito I will check out those resources. Unfortunately, if us phone guys don't become computer guys, we will be like the silent movie actors who refused to make the jump to talkies.
Posted By: dagwoodsystems Re: VPN QUESTIONS - 10/22/10 01:27 AM
@hot.sandwichz - Excellent 10,000 foot view explanation. You clearly know what you're talking about.

@dtmf - Thank you. We all have holes in our knowledge.

@emmitt2727 - Indeed. I've kept a strong foothold on both voice and data islands as convergence of the two has been developing for decades.

/rant begin/

Though I'm all for it, I'm concerned that VoIP security has still not been fully addressed. I predict that the next "bomb" on our country won't be suffered by a weapons-grade plutonium/uranium explosive, but rather with a well-planned cyber attack on our communications devices. Given the number of machines attached to both the public internet and (for example) our electric grid, banking system, central offices and such, it's easy to see just how catastrophic such an attack could be. I'm not down on VoIP or ANY kind of data that's sent using packet-switched technology...I just think that the payload for such stuff is horribly insecure. Security and reliability is what so many of "those old Bell-heads" might just be talking about if one listens carefully. Be the best computer guy you can be, but don't forget about "five nines", the days when techs would work through the night to restore service and all the well-thought science (from voltage, twists/inch, wire oxidation, etc) that continues to provide things like very high-speed data over 150+ year old technology.

/rant end/
Posted By: Kumba Re: VPN QUESTIONS - 10/24/10 01:45 PM
I hate VPNs. All too often I see them used as the poor-admin's attempt at security instead of addressing the issue properly to begin with. They do serve a purpose and I enjoy their site-to-site capabilities, but using them as an end-user is such a pain.

All that being said, SIP is a horribly insecure protocol. So much so that it does make sense to use something like an IPSEC on port 5060 where possible. If you can't do that, you should try to use IP ACL (access control list), and limit connectivity by IP. This of course becomes an issue when you want to have road-warriors. At that point IPSEC is the way to go.

Encrypting the audio is a bit much in my opinion. It just adds overhead to an already bloated and high bandwidth requirement. Plus a lot of VPN routers don't handle the audio load that well. Most of the smaller SOHO type of VPN routers are really designed for encrypting EMAIL and stuff to the server. The CPUs that they use are kind of underpowered most of the time.

If you are looking at a VPN device, try to find out what its VPN Packets Per Second rate is. Every SIP conversation/channel/trunk/etc is going to send 100-pps (Packets Per Second). So, take your estimated number of simultaneous phone conversations (NOT to be confused with number of endpoints), and multiply by 100. That's how many packets per second (pps) you will need.

And another tip, if the router vendor won't tell you packets per second, just divide their VPN throughput number by 1544-bytes. Don't forget to convert the router's MegaBytes or KiloBytes into just bytes first! This will give you the ballpark PPS that they will do. Why 1544 you ask? Cause that's the standard max payload size for TCP/IP packets, and consequently, the payload size that almost every router vendor uses when putting together their marketing propaganda.
Posted By: upstateny Re: VPN QUESTIONS - 10/25/10 04:08 AM
Quote
Originally posted by tito1411:
You know how the telephone guys get all riled up when the computer guy starts to mess with phones and they are way in over their heads and more likely to cause trouble than good? Well it goes both ways! :nono:


There's tons of resources on the internet.
Well said ..... if we (or the IT guys) are doing it for ourselves then it is no big deal ... if we (or the IT guys) are doing it for a customer and billing them then we (or the IT guys) shouldn't accept the work ... it is not in the customer's, or the vendor's, best interest. :thumb:
Posted By: Z-man Re: VPN QUESTIONS - 02/17/11 05:15 PM
Like Dag said......

The lines of distinction between telephone guys and data guys are turning from sharp to blurry...

Like it or not, the two technologies are merging for better or for worse. I too am trying to be one of those guys who can do both.

In my case I just need single machines to be able to access the network remotely. Doesn't Windows have a built in VPN client?