How to Implement an ADSL VPN

User question: I am a network rookie. Our company has set up a local area network, and we are now opening an office about 12 kilometers away. A new computer there needs to join the company's LAN to share the database. What kind of connection do you think is convenient to use: wireless or wired? It would be best to connect over the Internet, which costs more.

This is clearly a long-distance networking problem. The user has in fact already named the three candidate schemes: wireless, wired and Internet. We analyze them one by one.

Programme One: Wireless

Wireless bridging is one of the most popular technologies for long-distance networking. Combining a high-power wireless bridge with a high-gain directional antenna, the transmission span can reach 50 kilometers. But there is an important prerequisite: the two directional antennas must have line of sight to each other, with no obstacle between them. In a city full of high-rise buildings, even if the path is clear today, there is no guarantee that a new building will not block the line of sight one day, and then the wireless bridge scheme can no longer be relied on.

Programme Two: Wired

The wired scheme would require laying optical fiber over a distance of 12 kilometers, which is expensive and time-consuming. It is not worth considering.

Programme Three: Internet + VPN

The Internet can be regarded as a public WAN: the telecommunications operators have built a wide-reaching long-distance network, which gives an enterprise the possibility of using the carriers' network to link its headquarters and branches. In particular, because broadband Internet access is now relatively cheap, it suits the networking requirements of a headquarters-and-branch enterprise well. As long as we choose the right technology, we can connect the corporate LANs over a long distance.

The appropriate technology is the VPN (virtual private network). A VPN uses "tunneling" to connect two remote computers across the Internet as if they were on one local area network. This avoids the expensive approach of leasing a WAN line from the telecom carrier: any site with broadband access can be networked. Corporate networking over broadband Internet access is therefore technically feasible and economical.

From the above analysis we can conclude that long-distance interconnection of enterprise sites through Internet + VPN is the best solution for current enterprise networking. In the concrete implementation, however, we must adopt the appropriate technologies, which include dynamic IP, VPN, ADSL and so on.

Implementing VPN on Dynamic IP

The traditional Internet-based VPN solution requires a fixed IP address at both ends, the VPN server and the client, or at least a fixed IP on the server side with the client on a dynamic IP. The cost of a fixed IP dramatically increases the cost of broadband access, which adds to the burden on small businesses and limits the use of VPNs. This has led people to consider building VPNs over dynamic IP, and a new solution is needed: the "VPN solution based on dynamic-IP broadband access", which lets small enterprises with limited financial resources and a modest VPN size build their own VPN networks. The VPN server has no fixed IP; the address obtained from each dial-up is different. For VPN clients to find the VPN server, the server's IP addressing problem must be solved, that is, how to associate the dynamic IP with the fixed server and client identities and "cure" (pin down) that relationship. This is the key technology of VPN implementation on dynamic IP.

For the dynamic-IP VPN application environment, VPN equipment manufacturers offer two representative technical solutions: DDNS dynamic VPN and directory-service dynamic VPN.

1. DDNS Dynamic VPN

Anyone who has used Peanut Shell knows dynamic domain name resolution technology (DDNS). We apply to a DDNS service provider for a second-level domain name, user name and password, and configure this domain name, user name and password on the device that accesses the Internet with a dynamic IP (broadband router, VPN firewall or computer). After dial-up access, Internet users can reach the device through this domain name regardless of what its current dynamic IP happens to be.

For VPN devices (both server and client) to establish VPN communication through the DDNS service, DDNS client software is installed on the VPN server and the VPN clients and filled in with the domain names, user names and passwords they applied for. When a device's dynamic IP address changes, the DDNS client software authenticates to the DDNS server and updates the record with its current IP address. So when a VPN client calls the VPN server and asks for the VPN connection to be established, the VPN server's domain name is resolved by DDNS to the server's current valid IP address, and the connection can be set up.

Most VPN devices on the market that claim to build VPNs over dynamic IP rely on DDNS to "cure" the dynamic IP. This is one of the most common dynamic VPN solutions and also the cheapest. These VPN devices are themselves gateway devices that perform NAT for shared broadband access, and most have a third-party DDNS provider's client software integrated into the firmware. For example, NETGEAR's FVL328 VPN firewall integrates the Peanut Shell DDNS client.

A VPN based on DDNS is easy to build, but its reliability is not guaranteed: if the DDNS service provider stops the service or the service is unstable, the user's VPN will not run.
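As an added illustration (not code from the original article or from any DDNS or VPN vendor), the following Python simulation models the DDNS exchange described above: the VPN server's DDNS client updates its record after dial-up, the VPN client resolves the name before connecting, and the tunnel still has to authenticate the peer it reaches. The DDNSService class, the hashing scheme and the peer table are constructed stand-ins, not a real provider's API.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for a DDNS provider plus a VPN client that
# locates its server through it. Not any vendor's real API or data format.
class DDNSService:
    def __init__(self):
        self.accounts = {}     # domain -> (salt, password hash)
        self.records = {}      # domain -> last IP the DDNS client reported
        self.available = True  # flip to False to simulate a provider outage

    def register_domain(self, domain, password):
        salt = secrets.token_bytes(16)
        self.accounts[domain] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def update(self, domain, password, new_ip):
        """Called by the DDNS client on the VPN device after each dial-up."""
        if not self.available:
            raise ConnectionError("DDNS provider unreachable")
        if domain not in self.accounts:
            return False
        salt, stored = self.accounts[domain]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return False  # bad credentials: record keeps its previous address
        self.records[domain] = new_ip
        return True

    def resolve(self, domain):
        if not self.available:
            raise ConnectionError("DDNS provider unreachable")
        return self.records.get(domain)

def vpn_client_connect(ddns, server_domain, expected_peer_id, peers_at_ip):
    """Resolve the server's name, then run the tunnel-layer peer check.
    peers_at_ip maps public IP -> identity proven in the IPsec/PPTP handshake
    (a constructed stand-in for the real handshake)."""
    try:
        ip = ddns.resolve(server_domain)
    except ConnectionError:
        return ("ddns-unavailable", None)  # the failure mode the text warns about
    if ip is None:
        return ("unresolved", None)
    # DDNS only locates the server; the tunnel must still authenticate the peer,
    # otherwise a stale record would silently point the client at a stranger.
    if peers_at_ip.get(ip) != expected_peer_id:
        return ("peer-mismatch", ip)
    return ("connected", ip)
```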

2. Directory Services Dynamic VPN

Directory-service technology deploys directory servers in local telecom rooms, forming a nationwide directory server cluster. These servers store the hardware information and user information of each VPN device. When a VPN device goes online, the dynamic IP it obtains is automatically sent to the directory server and stored in the directory server's database together with the group of VPN devices it needs to build a VPN with. At the same time, the VPN device periodically downloads the IP addresses of the other members of its group, so that the VPN can be established using the current public IPs.

Take the directory-service technology of Shanghai Bingfeng Network as an example. When the Bingfeng VPN device starts, it first performs PPPoE dial-up; after a successful dial-up it obtains the public IP currently in use, then automatically searches its built-in directory server list and, using Bingfeng's proprietary priority-path algorithm, exchanges data with the selected directory server. The exchange has three parts: VPN device authentication, IP address registration and IP address download.

(1) Identity authentication: first, the directory server authenticates the VPN device, comparing the group, node information, license information and hardware characteristics submitted by the device with its built-in device information base; if they match, authentication passes.

(2) IP address registration: after the identity is confirmed, the VPN device's IP address is recorded in the directory server's address library. Assuming the other devices in the same group have also completed authentication and address submission, the current IP addresses of all VPN endpoints are held in the directory server's address library.

(3) IP address download: the device downloads the IP addresses of the other devices in the same group, so that it knows the IP address of every other member of its group.

After this, every change of a device's IP address is notified to the directory server, which in turn notifies the other devices in the same group, so that each device always holds the latest IP list. This IP address synchronization ensures that if the VPN network suffers an abnormality, it heals automatically within 10 seconds at most.

At present two domestic companies produce VPN equipment that uses directory-service technology to implement VPN over dynamic IP: Shanghai Bingfeng Network (e.g. the r5000h VPN router, quoted at 27000) and Shenzhen Xun Bo Information Technology Co., Ltd. (e.g. the NG500 VPN gateway).

Exchanging IP addresses through a directory server avoids the problems of the dynamic domain name approach: unguaranteed reliability and long recovery time.
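As an added illustration (not code from the original article, and not Bingfeng's or any vendor's real protocol), this Python simulation walks through the three-step directory-service exchange from steps (1) to (3) above plus the change notification: the server only records and hands out addresses for devices whose group, license and hardware fingerprint match its provisioned device base, and each device only receives the addresses of its own group. The hw_fingerprint derivation, the device database layout and the node names are constructed assumptions.

```python
import hashlib

# Constructed simulation of the directory-service exchange described above:
# (1) authenticate, (2) register IP, (3) download the group's IPs, then
# notify group members on change. Not Bingfeng's or any vendor's real protocol.
def hw_fingerprint(serial, mac):
    """Hardware characteristic the device submits; constructed derivation."""
    return hashlib.sha256(f"{serial}|{mac}".encode()).hexdigest()

class DirectoryServer:
    def __init__(self, device_db):
        # device_db: node -> {"group", "license", "fingerprint"}, provisioned in advance
        self.device_db = device_db
        self.addresses = {}   # node -> current public IP (the address library)
        self.authenticated = set()

    def authenticate(self, node, group, license_key, fingerprint):
        """Step (1): compare submitted group/license/hardware info with the device base."""
        rec = self.device_db.get(node)
        ok = rec is not None and (rec["group"], rec["license"], rec["fingerprint"]) \
            == (group, license_key, fingerprint)
        if ok:
            self.authenticated.add(node)
        return ok

    def register_ip(self, node, ip):
        """Step (2): record the node's current IP; returns the peers to notify."""
        if node not in self.authenticated:
            raise PermissionError(f"{node} has not authenticated")
        self.addresses[node] = ip
        return sorted(self.download_group(node))

    def download_group(self, node):
        """Step (3): IPs of the other members of the caller's own group only."""
        if node not in self.authenticated:
            raise PermissionError(f"{node} has not authenticated")
        group = self.device_db[node]["group"]
        return {n: ip for n, ip in self.addresses.items()
                if n != node and self.device_db[n]["group"] == group}

def device_startup(server, node, group, license_key, fingerprint, public_ip):
    """What a VPN device does after PPPoE dial-up: authenticate, register, download.
    Returns the peer IP table, or None if the directory server rejects the device."""
    if not server.authenticate(node, group, license_key, fingerprint):
        return None
    server.register_ip(node, public_ip)
    return server.download_group(node)
```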

Dial-up ADSL VPN Solution

At present, broadband Internet access through ADSL virtual dial-up is adopted by a great many domestic enterprise users because of its relatively high speed and low cost, so a dynamic VPN scheme based on dial-up ADSL is universal and representative and has the most practical significance. This article therefore only describes dynamic VPN based on dial-up ADSL.

Some enterprise branches have few PCs, or even only one. Installing a hardware VPN device there is unnecessary for such users and a financial burden, yet they still need access to headquarters for remote interconnection. The user's question at the beginning of this article is exactly this: one remote PC needs to join the head office network. For such requirements we can choose a manufacturer that provides both VPN hardware devices and VPN client software, using the hardware device as the VPN server and the client software as the VPN client. Below we give a matching scheme for each of the two dynamic-IP VPN implementations above; both are "VPN device + VPN client software" combinations.

1. A dynamic VPN case based on DDNS

(1) Hardware: NETGEAR FVS338 VPN Firewall (quote: 4900 yuan) (Figure 1)

Figure 1

The FVS338 is a multi-functional, cost-effective VPN firewall that combines router, switch, VPN and firewall in one. It has a 266 MHz processor, 16Mb RAM and 32Mb flash memory, 8 10/100 Mbps auto-sensing LAN ports and 1 10/100 Mbps auto-sensing WAN port. It supports 50 dedicated IPsec VPN tunnels, static and dynamic RIP v1/RIP v2 routing, and stateful packet inspection (SPI) firewall technology. It supports fully qualified domain name (FQDN) technology for VPN connections over dynamic IP addresses: NETGEAR's innovative use of FQDN, bundled with the well-known domestic Peanut Shell dynamic domain name service, lets users build VPNs over dynamic-IP ADSL access through Peanut Shell's dynamic domain name resolution, significantly reducing the cost of a VPN network, which has made it the preferred technology for VPN solution providers serving domestic small and medium-sized commercial networks with multiple branch offices. Other protocols and features include NAT, ICMP, PPPoE, DHCP, DMZ and so on.

(2) Software: NETGEAR VPN client software (Figure 2)

Figure 2

NETGEAR's ProSafe VPN client software provides easy setup and seamless compatibility with all NETGEAR VPN firewall product lines, and is also compatible with other industry-leading IPsec VPN solutions. The VPN client supports VPN pass-through mode, which can traverse network address translation (NAT) devices.

The network topology diagram is as follows (Figure 3):

Figure 3

2. A dynamic VPN case based on directory services

(1) Hardware: Bingfeng Network R800 VPN Router (price: 6250 yuan) (Figure 4)

Figure 4

The R800 is a low-cost member of Shanghai Bingfeng Network's Iceflow series, designed around the actual needs of small business users with a small number of computers. It integrates firewall, transmission and encryption functions and can set up a VPN over a fully dynamic-IP wide-area network, while supporting ADSL, cable modem, optical fiber, fixed IP and many other access methods. It supports 15,000 concurrent sessions, 2000 new sessions per second and 50 VPN channels. 200 MHz CPU, 32 MB memory, M flash. 1 WAN port, 1 LAN port, 1 console port. It supports Bingfeng's unique "fingerprint authentication" directory-service security certification and exchanges dynamic IP addresses through the Iceflow reliable protocol. It has a built-in basic dynamic packet-filtering firewall and supports static routing.

(2) Software: Iceflow security package (Figure 5)

Figure 5

Bingfeng Network has developed a software client that conforms to the PPTP and SSL protocol standards, for environments where a single PC or a mobile user needs to establish a VPN with headquarters. It can communicate with the VPN router gateway, supports all kinds of network access modes and supports NAT traversal. The software is fully transparent to the user: the user's network configuration needs no changes, and only the client needs to be installed on the PC. It can be used together with ISK identity authentication technology to provide stronger security for single-machine and mobile user access. Even when the router has no fixed IP, the client can resolve its address reliably through the directory service protocol, and routes can be downloaded automatically from the router.

The network topology diagram is as follows (Figure 6):

Figure 6


A VPN network based on dynamic-IP broadband access is the best and most economical way for a small enterprise with limited financial resources to network its headquarters and branches over long distances. The VPN equipment is cheap, the line cost is low, and device setup and maintenance are relatively easy, being based on a graphical interface. The VPN built this way is not weakened and can support enterprise-class IPsec VPNs, so both economy and security are assured. Most of the VPN devices are in fact broadband access devices that can also serve as the enterprise's Internet gateway and firewall, one machine for many uses, and the price of such equipment is not high. Enterprises should therefore take care not to invest twice when procuring such equipment: it is best to buy a VPN firewall or VPN router in one step. Of the two cases, the author thinks the first is more suitable for the user's needs at the beginning of this article: its total cost is lower, and the latest NETGEAR firmware supports the client software of the well-known domestic DDNS provider Peanut Shell, which, in the author's years of experience with Peanut Shell, is worthy of trust.

