Site-to-site VPN

  • Question
  • Updated 3 years ago
  • Answered
Is it possible to do Site-to-site VPN with CVGs or APs?

Erick Muller


Posted 6 years ago


Mike Kouri, Official Rep

Yes. The HiveOS VA (formerly called CVG) is intended to behave as an IPSec VPN concentrator for our BR line or selected APs that can act as BRs.

Erick Muller

Sweet! Thank you very much, Mike, for your reply. Great solution for small businesses!

Sjoerd de Jong, Employee

And it works really well too!

Kenny

Can an AP350 function as a VPN Gateway?

Mike Kouri, Official Rep

Kenny,
Sorry, but at this point in time the AP330/350 and BR100/200 can only act as tunnel initiators, not responders. We do have intentions to bring that functionality to most of these platforms, possibly as early as this summer. The BR100 will remain as a tunnel initiator only; it is resource constrained in order to keep its price down.

Patrick Gahan

As it's related to the same topic, thought I'd post here too. We have customers using CVG at head office, then BR200 (with PoE) at Branch plus multiple APs at each branch also. It's a really great small office setup and you can simplify the IP allocations easily. So, for example, allocate a /16 network for all branches and have each branch (BR200) grab itself a /26 subnetwork off that /16. Once you have it set up right on HMOL (or VHM) then provisioning a working branch network takes no time at all :-)

One question I have is: can we connect from the CVG down the tunnel to the Branch hosts? For example, to run PC audit software down the tunnel to the remote sites? BR200 to CVG works fine over the VPN, but I have struggled to get traffic initiated in the opposite direction.

Mike Kouri, Official Rep

Patrick,
Are you asking if the CVG can initiate a tunnel towards the BR200, or if session initiation can occur from the LANs attached to the CVG towards the LANs attached to the BR200 once a tunnel is established?

No to the former, and yes to the latter. You need to set up the other routers at your facility with the CVG to statically use the CVG as the gateway for the entire /16 allocated to branches, or to exchange routing via a dynamic protocol such as OSPF.

Did this answer your question, or just dance around it restating what you already knew?

Patrick Gahan

Thanks Mike, I was thinking of the latter, so you have confirmed what I thought should be possible... Indeed I have the whole /16 branch network routed to the CVG (which is on a DMZ) though rather than encrypting the traffic, the CVG appears to be sending it unaltered back to the firewall DMZ port...

Sounds like I've got some more digging to do!

Thanks again

Scorpio_1899

How about CVG HA? Can we have high availability with CVG? What would be the best approach to have an HA setup? Can anyone explain this, or has anyone experience setting one up? Please share.

thewifigeek, Champ

I too would like to see a HiveOS-VA High Availability feature. Maybe a simple HSRP-like approach will suffice for phase 1 of the feature. This will apply only to a single Data Centre approach.

A BR100/BR200 High Availability feature will also be quite useful for any sites with dual WAN feeds. Teleworker sites will leverage a WAN / 3G/4G approach.

Crowdie, Champ

Virtual Router Redundancy Protocol (VRRP), RFC 5798, could be another option as it is an open standard rather than a Cisco proprietary protocol, like Hot Standby Router Protocol (HSRP). VRRP is extremely easy to implement and is already utilised by other wireless vendors so has a track history.

Tommy Byoung Jun Kang

Can I create an L3 VPN tunnel between BR200 and AP330?

Bill W.

As Mike stated already, no. You need a CVG (now called HiveOS VA). BR200 and AP330 can only initiate and not respond.

Corey

Can a CVG initiate a tunnel to another CVG?  We're using some sites with >100Mbps WAN links and need more VPN capacity than the BR200 can provide.  We were thinking to try using a CVG on a vhost at the remote location to build a tunnel to a CVG at our Data Center.  Is that possible?  Planned feature?