Question: I am a network newbie. Our company has set up a local area network, and now we have set up an office about 12 kilometers away from the company. We need to add a new computer there that can access the company's local area network to share the database. Which connection would you say is convenient: wireless or wired? It would be better to connect through the Internet, which saves some cost.
This is clearly a remote-connection problem. In fact the netizen has already named the three candidate solutions: wireless, wired, and Internet. Let's analyze them one by one.
Solution 1: Wireless
Wireless bridging is one of the most popular technologies for this. Combining high-power wireless bridges with high-gain directional antennas, the transmission span can reach 50 kilometers. However, there is an important prerequisite: the directional antennas at both ends must have an unobstructed line of sight between them. Today high-rise buildings are everywhere in the city. Even if the path is clear now, there is no guarantee that a new building will not one day block the line of sight, and then the wireless bridge link can no longer be guaranteed.
Solution 2: wired
For a wired solution, at a distance of 12 kilometers only single-mode optical fiber can be deployed, which is both time-consuming and costly. You can safely rule it out.
Solution 3: Internet + VPN
The Internet is a public wide area network, and the telecom operators have built long-distance networks that reach in every direction, which makes it possible for our company to use the operators' networks to interconnect headquarters and branches. In particular, because broadband Internet access is so widespread, the cost is relatively low, which greatly eases the networking requirements of corporate branches. As long as we select the appropriate technology, we can achieve long-distance networking between the company's LANs.
That suitable technology is VPN (Virtual Private Network). A VPN uses "tunneling" to connect two computers in different regions over the Internet as if they were on one local area network. In this way you avoid the expensive leased wide-area line from the telecom company; any broadband access method that reaches the Internet will do. Connecting the two sites over broadband Internet access is therefore both technically feasible and cost-effective.
From the above analysis we can conclude that Internet + VPN is the best solution for long-distance interconnection of the enterprise's sites. However, the concrete implementation must use appropriate technologies, which include dynamic IP addresses, VPN, and ADSL.
Implement VPN on Dynamic IP Address
A traditional Internet-based VPN solution requires a fixed IP address on both the VPN server and the client, or at least a fixed IP address on the server side with the client using a dynamic IP address. A fixed IP address raises the cost sharply, which burdens small enterprises and limits VPN adoption. This raises the question of whether VPN networking can be implemented with dynamic IP addresses. A newer approach, the "dynamic IP-based broadband access VPN solution", suits small enterprises whose funds are limited and whose VPN networks are not very large. In it the VPN server has no fixed IP address: the address obtained from each dial-up is different. For the VPN client to find the VPN server, the server's current IP address must be resolved somehow. How to associate dynamic IP addresses with fixed server and client identities and "solidify" that relationship is the key technology of a dynamic IP-based VPN.
For the dynamic IP VPN application environment, VPN device manufacturers offer two representative technical solutions: DDNS dynamic VPN and directory service dynamic VPN.
1. DDNS dynamic VPN
Those who have used Peanut Shell know the dynamic domain name resolution technology (DDNS): you apply for a second-level domain name, user name, and password from a DDNS service provider and configure them on the device that accesses the Internet with a dynamic IP, such as a broadband router, VPN firewall, or computer. Users on the Internet can then reach that device through the domain name, regardless of which dynamic IP address it has obtained at the time.
VPN devices include servers and clients. To establish VPN communication through the DDNS service, you must also install the DDNS client software on both the VPN server and the VPN client and enter the domain name, user name, and password you applied for. When their dynamic IP addresses change, the DDNS clients authenticate to the DDNS server and update their current IP addresses there. So when the VPN client calls the VPN server to request a VPN connection, DDNS resolves the VPN server's domain name to its current valid IP address, and the VPN tunnel can be established.
Currently, most VPN devices that claim to support VPNs over dynamic IP addresses "pin down" the address with DDNS technology. This is the most common dynamic VPN solution and also the cheapest. These VPN devices are gateway devices that also implement NAT for shared broadband access, and most integrate a third-party DDNS provider's client software into the device. For example, the FVL328 VPN firewall, a NETGEAR VPN product, integrates the DDNS client of the Domain company.
DDNS-based VPN is simple and easy, but its reliability cannot be guaranteed: if the DDNS service provider stops the service or the service is unstable, the user's VPN cannot operate.
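The DDNS rendezvous described above, and the failure mode just mentioned, can be made concrete with a small simulation. This is an added example written for this article, not code from the article or from any DDNS provider or VPN vendor named here: the in-memory DdnsServer stands in for a real provider such as Peanut Shell, the dyndns2-style status words ("good", "nochg", "badauth", "nohost") are an assumption about the update protocol, and the hostnames, accounts and addresses are constructed. No network traffic is sent.

```python
"""Simulated DDNS-based VPN rendezvous.

A VPN server (gateway) behind a dynamic IP keeps its hostname current on
a DDNS server; the branch VPN client resolves that hostname before
dialling the tunnel.  When the provider is unreachable, the gateway
remembers the unpushed address and retries, and the client gets no
answer at all, which is the reliability problem the article points out.
"""


class DdnsServer:
    """Minimal stand-in for a DDNS provider: accounts, hostnames, current A records."""

    def __init__(self):
        self.accounts = {}      # username -> password
        self.records = {}       # hostname -> (owner, current ip or None)
        self.available = True   # set False to simulate a provider outage

    def register(self, username, password, hostname):
        self.accounts[username] = password
        self.records[hostname] = (username, None)

    def update(self, username, password, hostname, ip):
        """dyndns2-style update; returns a status word (assumed protocol)."""
        if not self.available:
            raise ConnectionError("DDNS provider unreachable")
        if self.accounts.get(username) != password:
            return "badauth"
        owner, current = self.records.get(hostname, (None, None))
        if owner != username:
            return "nohost"
        if current == ip:
            return "nochg"
        self.records[hostname] = (username, ip)
        return "good"

    def resolve(self, hostname):
        if not self.available:
            raise ConnectionError("DDNS provider unreachable")
        return self.records.get(hostname, (None, None))[1]


class DdnsClient:
    """DDNS client software as installed on the VPN gateway: pushes the
    WAN address whenever it differs from the last one the provider accepted."""

    def __init__(self, server, username, password, hostname):
        self.server = server
        self.username = username
        self.password = password
        self.hostname = hostname
        self.last_registered = None
        self.pending = None     # address still to be pushed after an outage

    def on_wan_address(self, ip):
        """Called after each (re)dial; returns the provider's status word or 'retry'."""
        if ip == self.last_registered:
            return "nochg"
        try:
            status = self.server.update(self.username, self.password, self.hostname, ip)
        except ConnectionError:
            self.pending = ip           # keep retrying until the provider is back
            return "retry"
        if status in ("good", "nochg"):
            self.last_registered = ip
            self.pending = None
        return status

    def retry(self):
        """Retry a push that failed during an outage."""
        return self.on_wan_address(self.pending) if self.pending else "nochg"


def vpn_client_dial(server, hostname):
    """Branch PC side: resolve the gateway's hostname, then dial the tunnel to it.
    Returns the address dialled, or None if DDNS resolution failed."""
    try:
        return server.resolve(hostname)
    except ConnectionError:
        return None


if __name__ == "__main__":
    ddns = DdnsServer()
    ddns.register("hq", "s3cret", "hq.example-ddns.test")   # constructed account
    hq = DdnsClient(ddns, "hq", "s3cret", "hq.example-ddns.test")
    print(hq.on_wan_address("203.0.113.10"), vpn_client_dial(ddns, "hq.example-ddns.test"))
    ddns.available = False                                   # provider goes down
    print(hq.on_wan_address("203.0.113.77"), vpn_client_dial(ddns, "hq.example-ddns.test"))
    ddns.available = True
    print(hq.retry(), vpn_client_dial(ddns, "hq.example-ddns.test"))
```

The point the simulation makes is that the VPN never sees the provider: as long as the DDNS update and lookup both succeed, the client follows every address change, but during an outage the gateway's new address is invisible and the client cannot connect at all, which is why the next solution replaces the public DDNS with a directory service the vendor controls.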
2. Directory service dynamic VPN
Directory service technology uses directory servers distributed in telecom data centers across China, forming a nationwide directory server cluster. These servers store the hardware information and user information of each VPN device. When a VPN device dials onto the Internet at startup, the dynamic IP address it obtains is automatically sent to the directory server and stored in its database, alongside the addresses of the other VPN devices in the same group that need to establish VPNs with it. At the same time, the VPN device regularly downloads the IP addresses of the other members of its group, so that VPN tunnels can be established using the members' current public IP addresses.
Take the directory service technology of Shanghai Ice Peak network as an example. When an Ice Peak VPN device starts, it first performs PPPoE dial-up. After the dial-up succeeds it obtains the public IP address currently in use, then automatically searches its built-in directory server list and exchanges data with the selected directory server according to Ice Peak's own priority path algorithm. The exchange mainly consists of identity authentication of the VPN device, IP address registration, and IP address download:
(1) Identity authentication: first, the directory server authenticates the VPN device by comparing the group information, node information, license information, and hardware feature information submitted by the device against the device information library built into the directory server. If the information matches, the device is authenticated.
(2) IP address registration: once the identity is confirmed, the VPN device's IP address is recorded in the directory server's address library. When the other devices in the same group have also completed authentication and address submission, the current IP addresses of all VPN terminals in the group are held in the directory server's address library.
(3) IP address download: the device downloads the IP addresses of the other devices in its group, so that it knows the addresses of all its peers.
After that, the directory server is notified every time the device's IP address changes, and the directory server in turn notifies the other devices in the group of the change. Each device keeps the latest IP address list, and this IP address synchronization lets the VPN network heal automatically within 10 seconds of an exception.
At present, two domestic companies use directory service technology in their dynamic IP VPN devices: Shanghai bingfeng (Ice Peak) network (for example the R5000H VPN router, price 27000 yuan) and Shenzhen xunbo Information Technology Co., Ltd. (for example the NG500 VPN gateway).
Exchanging IP addresses through the directory server avoids the problems of the dynamic domain name service approach: reliability that cannot be guaranteed and long recovery times.
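Steps (1) to (3) and the change notification that follows them can be modelled in a few classes. This is an added example written for this article, not Ice Peak's, xunbo's or any other vendor's protocol or code: DirectoryServer holds a device information library and an address library as the text describes, a device identity is modelled as the four fields the text lists (group, node, license, hardware feature), the notification is a direct method call rather than any real wire protocol, and the group names, fingerprints and addresses are constructed.

```python
"""Simulated directory-service rendezvous for dynamic IP VPN devices.

Each device has a fixed identity (group, node, license, hardware
fingerprint) known to the directory server in advance.  On every dial-up
the device authenticates, registers its new public address, downloads
its group peers' addresses, and the server pushes the change to the
peers so their local lists stay current.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceIdentity:
    group: str
    node: str
    license_key: str
    hw_fingerprint: str


class DirectoryServer:
    def __init__(self, known_devices):
        self.known = set(known_devices)   # device information library, built in before deployment
        self.addresses = {}               # address library: identity -> current public IP
        self.subscribers = {}             # identity -> live VpnDevice, for change notifications

    def authenticate(self, identity):
        """Step (1): every field must match a record in the library."""
        return identity in self.known

    def register(self, device, ip):
        """Steps (1)-(3): authenticate, record the address, return the peers' addresses."""
        if not self.authenticate(device.identity):
            raise PermissionError(f"unknown device {device.identity.node}")
        previous = self.addresses.get(device.identity)
        self.addresses[device.identity] = ip
        self.subscribers[device.identity] = device
        if previous != ip:
            self._notify_group(device.identity, ip)
        return self.peers_of(device.identity)

    def peers_of(self, identity):
        """Addresses of the other members of the same group."""
        return {ident.node: addr for ident, addr in self.addresses.items()
                if ident.group == identity.group and ident != identity}

    def _notify_group(self, changed, ip):
        for ident, dev in self.subscribers.items():
            if ident.group == changed.group and ident != changed:
                dev.peer_changed(changed.node, ip)


class VpnDevice:
    def __init__(self, identity):
        self.identity = identity
        self.peers = {}     # node -> last known IP, kept locally for tunnel setup
        self.wan_ip = None

    def dial_up(self, directory, ip):
        """A (re)dial yields a new public address; register it and refresh the peer list."""
        self.wan_ip = ip
        self.peers = directory.register(self, ip)
        return self.peers

    def peer_changed(self, node, ip):
        """Notification from the directory server that a peer's address moved."""
        self.peers[node] = ip


def build_group(directory, identities, ips):
    """Bring up one device per identity with the given initial addresses."""
    devices = [VpnDevice(i) for i in identities]
    for dev, ip in zip(devices, ips):
        dev.dial_up(directory, ip)
    return devices


if __name__ == "__main__":
    # constructed identities; fingerprints and addresses are made up
    hq = DeviceIdentity("acme", "hq", "LIC-001", "fp-aaaa")
    branch = DeviceIdentity("acme", "branch", "LIC-002", "fp-bbbb")
    directory = DirectoryServer([hq, branch])
    devs = build_group(directory, [hq, branch], ["203.0.113.10", "198.51.100.20"])
    print("hq sees", devs[0].peers)
    devs[1].dial_up(directory, "198.51.100.99")      # branch redials, gets a new address
    print("hq now sees", devs[0].peers)
    rogue = DeviceIdentity("acme", "branch", "LIC-002", "fp-cccc")   # wrong fingerprint
    print("rogue accepted?", directory.authenticate(rogue))
```

Note what the identity check buys: a box that copies the group, node and license fields but has a different hardware fingerprint is refused at step (1) and never gets to overwrite the branch's address in the library, so the headquarters device keeps pointing at the real branch.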
VPN solution for dial-up ADSL
At present, broadband Internet access through ADSL virtual dial-up is favored by most domestic enterprise users for its relatively high speed and economy. A dynamic VPN solution over dial-up ADSL is therefore the universal and representative case, and the most practical one, so this article only covers dynamic VPN based on dial-up ADSL.
Some enterprise branches have few PCs, or even only one. Investing in a hardware VPN device for a single machine is unnecessary for such users and the capital outlay is a burden, yet they still need to connect to headquarters for remote interconnection. This is exactly the situation in the netizen's question at the start of this article: a single remote PC must connect to the company. In this case we can choose a manufacturer that provides both VPN hardware devices and VPN client software, using the hardware device as the VPN server and the client software as the VPN client. Below we introduce the two dynamic IP VPN implementations described above, both as a combination of "VPN device + VPN client software".
1. DDNS-based dynamic VPN case
1) Hardware: NETGEAR FVS338 VPN firewall (quoted price: 4900 yuan) (Figure 1)
The FVS338 is a multi-functional, cost-effective VPN firewall product that combines router, switch, VPN, and firewall. 266 MHz processor, 16 Mb memory, 32 Mb flash memory. Eight 10/100 Mbps auto-sensing LAN ports and one 10/100 Mbps auto-sensing WAN port. Supports 50 dedicated IPSec VPN tunnels. Supports static routes and dynamic RIP v1 and RIP v2 routing. Supports stateful packet inspection (SPI) firewall technology. Supports fully qualified domain name (FQDN) technology for VPN connections with dynamic IP addresses. NETGEAR innovatively adopted FQDN technology and bundled it with the well-known domestic Peanut Shell dynamic domain name service, so users can rely on Peanut Shell's dynamic domain name resolution to connect over ADSL with a dynamic IP address. This significantly reduces the cost of establishing a VPN network and makes it the preferred technology for VPN solution providers serving multi-branch small and medium-sized commercial networks in China. Other protocols and functions include NAT, ICMP, PPPoE, DHCP, and DMZ. It can be said that this device
2) Software: NETGEAR VPN client software (Figure 2)
NETGEAR's ProSafe VPN Client software provides easy setup and seamless compatibility with all NETGEAR VPN firewall product lines, and is also compatible with other industry-leading IPsec VPN solutions. The VPN client supports VPN passthrough mode, so it can work behind network address translation (NAT) devices.
Network topology: (Figure 3)
2. Dynamic VPN case based on directory service
1) Hardware: Ice Peak network R800 VPN router (price: 6250 RMB) (Figure 4)
The R800 is a low-price ICEFLOW product launched by Shanghai bingfeng network for the actual needs of small enterprise users. It is designed specifically for small enterprises and small branches with a small number of computers. It integrates firewall, transmission, and encryption functions, lets you set up a VPN across the wide area network with dynamic IP addresses, and supports multiple access modes such as ADSL, cable modem, optical fiber, and fixed IP address. 15,000 concurrent session connections, 2000 new sessions per second, and 50 VPN channels supported. 200 MHz CPU, 32 MB memory, 32 MB flash memory. One 100 Mbps WAN port, one 100 Mbps LAN port, and one console port. Supports Ice Peak's unique "fingerprint authentication" for directory service security authentication, and exchanges dynamic IP addresses through the reliable ICEFLOW protocol. The built-in basic dynamic packet filtering firewall supports static routing.
2) Software: ICEFLOW Security Software Package (Figure 5)
The ICEFLOW Security Software Package is a software client that complies with the PPTP and SSL protocols. It is intended for the application environment where only one mobile user needs to establish a VPN with headquarters. It can communicate with the VPN router gateway, supports various network access methods, and supports NAT traversal. Operation of the software is completely transparent to users, and the user's network configuration does not need to change: you only need to install the client program on the client PC. It can also be used together with the ISK technology to provide stronger security for single-host and mobile user access. Without a fixed IP address on the router, the client performs stable IP resolution through the directory service protocol, and it can automatically download the route entries from the router.
Network topology: (Figure 6)
Summary:
For small enterprises with limited funds, a VPN network based on dynamic IP broadband access is undoubtedly the best and most economical way. This shows in the low cost of the VPN devices, the low cost of the lines, and the easy setup and maintenance of the devices, all through graphical interfaces. Security is not compromised either: enterprise-grade IPSec VPN is supported, so both economy and security are assured. Most VPN devices are in fact broadband access devices that can also serve as the Internet gateway and firewall, and the key point is that such multi-purpose devices are not expensive. When buying equipment, enterprises should therefore avoid repeated investment and buy a VPN firewall or VPN router in one step. Of the two cases introduced in this article, the author thinks the first better suits the netizen's need described at the start, and its total cost is lower; moreover, the latest NETGEAR firmware supports the Peanut Shell client software of the well-known domestic DDNS provider Domain Technology. Based on the author's years of experience with Peanut Shell, its operation is relatively stable and trustworthy.