VPN IP address issue with multiple ADSL lines


jon h

Original Poster:

Wednesday 5th October 2005
Greetings PH IT experts!

Can anyone help me with an issue I am trying to resolve? We have a bonded ADSL connection at each of our UK offices. It is very unreliable and it is being scrapped. (Name & shame rules prevent me from giving my opinion of the offending ISP.)

In its place, I plan to install at each office a 2mb SDSL for the WAN (via VPN) between the 2 offices, with 3 2mb ADSL lines, all from different ISPs, which can do web browsing and act as a fall back for the WAN if it fails. The thinking behind multiple ISPs being that our problems are usually ISP related, not BT line related, therefore if one ISP goes down, other lines should still be up. To link all these connections, we will either use an appliance called a Firebrick www.firebrick.co.uk or a piece of software called rainconnect http://www.rainfinity.com/products/rainconnect_isa.html running on our existing ISA servers.

The only thing I cannot see a way round, but then I am not an expert, is VPN connections. They point at an IP address, so if each connection is with a different ISP, it will have a different static IP address. Therefore in a situation where a link fails and rainconnect/firebrick switches connections, the IP address that a VPN connection may be pointing to will become invalid, so a remote user (of which we have an increasing number) will get disconnected, or worse, the VPN between sites will fall over. Is there a way round this? Do some 3rd party VPN clients have the capability to handle this problem?

Any help would be appreciated. I have an IT support company helping me, but I would like an unbiased opinion!

Jon H

aldi

Wednesday 5th October 2005
Don't know if I've really understood what you're saying, but how about keeping three VPN connections up permanently so you've effectively got three routes to the same place available all the time. Then just fail over between them? (The Firebrick looks like it might do that?)

Just out of interest / laziness, how does the cost of 2MB SDSL compare to a 2MB leased line?

bogie

Wednesday 5th October 2005
Usually if you have different addresses you use a Dynamic DNS service and use that as your VPN endpoints. This is how I do it when you have users at home on DHCP addresses that can change....

off_again

Wednesday 5th October 2005
Er, not sure how to do this but there is another way. A similar solution to what you have looked at, but this one actually works and does what you need (I think). Send me a personal mail as it happens to be the company I work for.....

Edited to add: oh, and it does the multi-ISP thing as well as VPN meshing (multiple IP addresses for the VPN) and has full HA / clustering features. So it does deal with the problems you have.... anyway, drop me a PM and I will see what we can do to sort this out for you, if you would like.

>> Edited by off_again on Wednesday 5th October 23:23

_dobbo_

Thursday 6th October 2005
aldi said:

Just out of interest / laziness, how does the cost of 2MB SDSL compare to a 2MB leased line?

Bear in mind even if it's 10 times cheaper, if bandwidth is important to you, there will be contention on an SDSL line that you won't get on a leased line.

That said, if it meant saving £14k a year a bit of contention now and then would likely not be a problem for most people!

jon h

Original Poster:

Thursday 6th October 2005
2mb SDSL (10:1 contention) is coming in at £225 per site per month, with no set up charge, i.e. £5400 per annum. 1mb leased line is over £12000 plus £1500 setup.

Not too worried about a bit of contention as we are going OTT on bandwidth to cover it, and we are mostly doing thin client stuff over the WAN (Citrix). Just need more reliability than we get currently from a single ISP.

Some helpful suggestions here, thanks guys!

Jon H

guydw

Thursday 6th October 2005
If your ISP connection dies, then so will the client connection - no way round this.....

Why don't you have your VPN concentrator inside the ADSL routers and configure PAT to pass traffic through to the VPN concentrator? Then you can configure your VPN client to connect to all 3 IP addresses in turn. If you give users a different connection order you can load balance and also lessen the immediate impact if one of the ISPs goes down.

The only issue you may have to overcome is that when an ISP went down your client may still try to connect using it, so you would black hole traffic - you'd need to make sure that when the connection went down, the client knew this and tried the next IP address .... I guess you'd need to make sure you had a client that had dynamic connectivity...
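An added illustration of the client-side scheme guydw describes (not code from any poster or from the Firebrick or rainconnect products): the client holds one public address per ISP line, rotates the connection order per user for load balancing, and relies on a liveness probe so a dead ISP is skipped rather than black-holing traffic. The addresses and the probe results are constructed.

```python
"""Client-side VPN failover across one public address per ISP line."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges):
# one static IP per ISP line at the remote office.
OFFICE_ENDPOINTS = ["192.0.2.10", "198.51.100.10", "203.0.113.10"]


def connection_order(endpoints: list[str], user_id: int) -> list[str]:
    """Rotate the list by user id so users start on different lines
    (cheap load balancing) while each still has every line as a fallback."""
    if not endpoints:
        return []
    start = user_id % len(endpoints)
    return endpoints[start:] + endpoints[:start]


@dataclass
class FailoverClient:
    order: list[str]
    probe: Callable[[str], bool]  # liveness / dead-peer check for one address
    current: Optional[str] = None
    history: list[str] = field(default_factory=list)  # peers used, in order

    def connect(self) -> Optional[str]:
        """Try each address in turn, skipping any whose probe fails, so a
        dead ISP never becomes the tunnel peer. None if every line is down."""
        for addr in self.order:
            if self.probe(addr):
                self.current = addr
                self.history.append(addr)
                return addr
        self.current = None
        return None

    def tick(self) -> Optional[str]:
        """Periodic check: keep the peer while it answers, otherwise re-run
        the connect sequence so the client moves to the next live line."""
        if self.current is not None and self.probe(self.current):
            return self.current
        return self.connect()


def simulate(line_up: dict[str, bool], user_id: int) -> list[str]:
    """Constructed scenario: connect, then the chosen ISP fails mid-session.
    Returns the sequence of peers the client used."""
    state = dict(line_up)
    client = FailoverClient(connection_order(OFFICE_ENDPOINTS, user_id),
                            lambda addr: state.get(addr, False))
    if client.connect() is not None:
        state[client.current] = False  # that ISP drops; next tick fails over
    client.tick()
    return client.history
```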