Koozali.org: home of the SME Server

Poll

In my opinion the point-to-point VPN is?

Brilliant - always available: 0 (0%)
Good - Sometimes down: 1 (14.3%)
Fair - needs to be reset often: 0 (0%)
Horrible - Don't attempt it: 0 (0%)
None - I never tried it: 6 (85.7%)

Total Members Voted: 7

Voting closed: September 26, 2006, 10:53:43 PM

POLL - Site-to-Site VPN using SME

jfarschman
« on: September 19, 2006, 10:53:43 PM »
Hi,

  I know folks have set up VPNs using the SME server.  I'm curious how this worked out.  Does it have any issues I should know about?  Or would you recommend a different method?

OUR OFFICES
We have 4 hardware stores and need 3 of them to connect to the first.

2\
3---1
4/

The #1 store has all the back office stuff.

ALTERNATIVES
We don't really need SME servers at stores #2, #3 and #4... just a box that can gracefully handle VPN.  Should I consider using smoothwall or M0n0wall for the remotes?

Thanks.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

jdavey
« Reply #1 on: September 20, 2006, 12:15:55 AM »
I've never used the SME Server VPN. I've always been leery of placing the VPN tunnels on the primary site servers, and instead just used a smoothwall box with IPSec tunnels back to the primary office. In fact, I have one regional site with 20 tunnels to the main office, and the only issues I've had are with the DSL or T1 circuits, or with a hardware problem on the smoothwall boxes or the CPE units.

That said, I haven't yet configured a company that has tunnels to the main office, as well as tunnels between each location. Just like in your example, I've always had the VPN between location 1 & 2, 1 & 3, and 1 & 4. But I was thinking about a 1 to 2, 1 to 3, and a 2 to 3.

My only other experience has been with the hit and miss nature of the SME PPTP and low quality DSL circuits. Just not dependable enough.

jfarschman
« Reply #2 on: September 20, 2006, 02:26:23 PM »
jdavey,

  Thanks.  That helps.

  As it turns out my tunnels are going to work just like yours.  The remote locations have no real reason to communicate site-to-site.

  Sounds like I need to start playing with the smoothwall.

jdavey
« Reply #3 on: September 20, 2006, 07:56:50 PM »
To keep it simple with the smoothwall boxes, make sure that you have an UN-NATed public IP address - the CPE (DSL Router or Modem, T1 CPE - whichever) must be open - or maybe you can bridge it.

Someone on the smoothwall community forums has a homebrew addition where it will let you route a Tunnel between host names - so if you do have a dynamic IP at one or both ends you could use a no-ip.com address or some other dynamic host name service. I haven't tried this but I find it interesting. I believe that there are also some OpenVPN homebrews for smoothwall, as well as m0n0wall to look at.

For clarity's sake you could always check Dick Morrell's blog (smoothwall creator and cleverest.guy.ever.) http://blog.dickmorrell.org - he recommends some Open source firewall solutions other than smoothwall - and he ought to know!

Good luck!

jfarschman
« Reply #4 on: September 20, 2006, 08:24:02 PM »
Thanks....

  Yes, I've met Dick.  He's a nice guy.

MSmith
« Reply #5 on: September 22, 2006, 06:52:07 AM »
Appliances such as the Linksys BEFVP41 and Snapgear SME550 are truly easy to use, don't require dedicating a PC and are pretty much "set it and forget it."  The SME550, in particular, offers IPSec site-to-site and PPTP "dialin" VPN in one small package.  Of course, it's fun to play with old PCs if you have the time!