VPN Woes

  • I've worked with VPNs for a long time, using them to get work done out of the office or at home instead of having to drive to the office. With our new training center getting going, we were trying to get some type of VPN setup to allow remote development and make that our primary test environment for SQLServerCentral.com.

    We have a few servers going in, but they will be domain controllers for our small network and the idea of using one of them as a VPN server, exposed to the Internet, wasn't on top of our list. So Andy went looking for a small VPN router that we could place on our DSL line and give us an easy to deploy VPN solution.

    I didn't get a chance to work with either of his choices, but from the long phone calls full of venting I gathered that neither was an out of the box solution. The first one didn't come with a client, instead having instructions for setting IPSec policies and altering the registry to get a connection. There was a client available to handle this, but it required purchasing each client at a cost nearly that of the original router.

    The second one came with a client that wasn't much better and didn't work on the first few tries. While Andy was struggling, I called my network expert, tearing him away from his CCIE studying for a few questions. Actually he wouldn't allow himself to be torn away, answering each email after a 2-3 day delay. His solution, which I've used before, was an SSH tunnel and local redirection of ports. It sounds more complicated than it really is, but with trying to explain this to a few contract developers, I'm not sure we want to go down this route.

    So knowing that we have some very smart and talented IT pros out there reading my daily babble, we decided to take a little mid-week poll to see if anyone has experience with a SOHO or small office VPN solution. Cheap would be nice as our budget isn't up to the PIX level for this project.

    Steve Jones

  • Steve,

    I find this post very interesting as we have just gone through this process ourselves. Finding a VPN solution which is cost effective, easy to administrate and actually works is no easy task.

    We had the same issues with running a VPN on one of our Windows servers exposed to the Internet. The other problem was that PPTP is not very secure and IPSec can be a bit of a nightmare to configure and to NAT through a firewall or router. So the search went on… Finally we came across OpenVPN. It is an open source VPN solution which can be run on different platforms (Solaris, Linux, Windows & other UNIXs).

    OpenVPN is a single application that will run as either server/client based on what is defined in the configuration file. It is an SSL VPN solution, using server and client certificates. The solution is very easy to install, configure and is firewall friendly. You can use TCP/UDP on port 1194; this is the standard port but can be changed. So if you have an old machine around not doing much you can set it up with either a Windows or Linux firewall/gateway. Bear in mind that if you run Windows you will have the cost of a Windows licence.

    If you are interested, here is the OpenVPN URL: http://openvpn.net/.


    Craig Wilson

    craigw@connection42.co.za

    Connection42
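To make Craig's description concrete (one binary, mode chosen by the config file, certificates on both ends, port 1194 over UDP or TCP), here is a minimal OpenVPN server and client configuration pair. This is an added example, not from the post or from the OpenVPN project; the hostname, tunnel subnet, office LAN and certificate file names are placeholders.

```conf
# Added example, not from the original post. Both files are fed to the same
# binary: "openvpn --config server.conf" on the gateway, "openvpn --config
# client.conf" on the laptop. Hostname, addresses and file names are placeholders.

# ---------------- server.conf (office gateway) ----------------
# Standard port from the post; any port works as long as the firewall allows it.
port 1194
proto udp
dev tun
# CA that signed both the server and the client certificates.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem
# Shared HMAC key: unauthenticated packets are dropped before the TLS handshake.
tls-auth ta.key 0
# This directive is what makes the instance a server: it hands out tunnel addresses.
server 10.8.0.0 255.255.255.0
# Placeholder office LAN the remote developers should reach through the tunnel.
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
verb 3

# ---------------- client.conf (remote developer PC) ----------------
# This directive is what makes the instance a client.
client
dev tun
proto udp
# Placeholder public name of the office gateway.
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca   ca.crt
cert client1.crt
key  client1.key
tls-auth ta.key 1
# Refuse to connect unless the peer presents a certificate issued as a server
# certificate, so another client's cert cannot impersonate the gateway.
remote-cert-tls server
persist-key
persist-tun
verb 3
```

Each client gets its own certificate, so revoking one developer's access means revoking one certificate rather than changing a shared secret.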


  • Well, the PIX solution doesn't have to be expensive; you can get a 501 with at least 10 user connections that includes the Cisco VPN software for 300-400 bucks (check eBay). That's nice because the IOS config on a 501 is practically identical to that on a larger PIX, so it's easy to scale up as you grow up. You can implement this with RADIUS or use a built-in control list.

    Also, don't be so afraid of PPTP built into W2K (or even NT4); I've deployed this as well many times successfully since 1997 (on NT4, with the old Steelhead precursor to RRAS). You can find an old PII300, put 2 NICs in it and W2K on it, install RRAS with PPTP on one side and NAT on the other and have a decent solution. There are more secure solutions to be sure, but this one isn't as bad as some would make it out to be if you cross all the T's, etc.

    Thanks,

    Brett Hacker

  • This looks interesting: http://www.hamachi.cc/

    You will want to do full research on this before using it, as I haven't used it myself but I know people who have.

    Cheers,

    Liam(UK)

  • Steve,

    My experiences showed me two things -

    1) firmware upgrades are VERY important

    2) telephone support staff needed to go to class.

    Our solution was a Netgear FVL328 using their ProSafe VPN client (client has to be purchased separately).

    Yes, IPSec VPN tunnels are more complex but once you work your way through them, they are remarkably stable.

    We had two units, with different firmware levels and COULD NOT GET THEM TO WORK until we brought both units up to the same, most current, firmware. After that, reading through the doco was an exercise in patience. I found a useful Configuration Guide at http://www.thegreenbow.com.

    Keeping IKE policies and VPN policies straight (and in that order) was a bit confusing at first, but stick with it. We also had to deal with some quirks of the firewall setup itself (what a surprise), but not insurmountable.

    The other issue was proper sizing of Ethernet packets. Default is 1500, but this caused a LOT of fragmentation which seriously impacted performance. 1494 seems to be a good size for DSL.

    Bottom line, stick with one vendor, as mixing and matching does not work at this stage of the technology, work your way through the 'thicket' of setup parms, and you too will see your tunnel up and running. IPSec VPN is not for the faint of heart!

    Peter

  • You may want to look at Fortinet's product Fortigate 200A. It is inexpensive, handles firewall, VPN, virus protection and a whole lot more. It comes with a 10 user license. What makes this device a little pricey is the subscriptions for virus protection and spam blocking. None of that is needed for VPN. The VPN portion uses client side software which was very easy to install and configure.

    We installed this device on our network and I can add VPN clients to our remote sites within a matter of minutes.

  • I've been in / out of this situation for several years myself. The best bang for the buck came from CheckPoint. And I tested a lot of solutions - particularly those including their proprietary client and IPSec config requirements.

    The CheckPoint VPN-1 Edge connects to my Comcast cable modem just fine. If you do not have a dedicated IP assignment - the CheckPoint appliance will automatically detect and handle the routing / protection of your assigned IP (in this case, from Comcast).

    If you do have a dedicated IP - as I do - then you have to configure the CheckPoint appliance as though it is on a LAN and there is additional information necessary to set up the connection - all of 3 minutes of work.

    CheckPoint provides a 'free' CheckPoint SecureRemote client component that works very well. Additionally it has a robust set of config features that allow you to set up DMZs (2 in my case) and route HTTP-specific traffic, for example, to a specified server in the DMZ or LAN.

    I picked up a VPN-1 Edge 16 node unit for less than $250 online (used) and I picked up a VPN-1 Edge XU (unlimited node) for less than a grand online.

    This solution proved to be simple, easy to manage and it has not been breached in over 4 years of using their VPNs.

    Regards...

    Michael Hamilton / Another Geek In Need...

  • Also, look into Positive Networks (http://www.positivenetworks.com).

    They have a hosted VPN solution that is extremely easy to set up. All they do is install a piece of software on any PC (doesn't have to be a server) which will act as the "gateway/router". Then each client installs software on their PC. And that is it. It costs about $200/month and will cover 10 users. If you need more users additional licenses can be purchased. We just installed them in our offices and I have agents that are working in Alaska, and so far so good. We even use it for our VoIP solution. Our offices are in Miami.

    It is a good alternative to hardware VPN solutions, especially if you don't have the manpower to maintain and set up a traditional VPN.

    Sincerely,

    Eli


  • I suggest you look into a Linksys WRT54GL Router ($62.99 at http://www.newegg.com) and replace the factory firmware with the DD-WRT firmware from http://www.dd-wrt.com. The firmware is a free download and supports PPTP connections out of the box. This router runs Linux internally and in one version can be configured to run the OpenVPN solution mentioned above. Make sure that you get the WRT54GL version of the router, not the WRT54G. The most recent version of the WRT54G (v5) has only half the memory and cannot directly be upgraded with the DD-WRT firmware. There are many other possibilities with this platform as well. I have been using this solution with good results for a while. Keep in mind that the firmware change is likely to void your warranty, but for less than $75.00 you end up with a router that is nearly the equivalent of an $800 Cisco solution... and if you don't want or need the wireless, just turn it off.

  • I also have to suggest the PIX 501. It's only $419 from CDW (only around $270 more for unlimited users, which you can upgrade to at any time, just have to buy the upgrade lic.), and you can find them cheaper if you look hard enough. I've personally used these with great success, both using them as endpoints and by connecting to them with Cisco's client. They are very easy to set up as you have the option of having a web app write the config for you so you don't have to do it via the cmd line.

    Also I've used a 3com SOHO VPN appliance that wasn't too bad, however I didn't really like the client utils for that one.


  • We are also using OpenVPN quite successfully in our office. We originally bought a Linksys router with built in VPN functionality but had a lot of difficulty trying to configure it to work the way we wanted it to. OpenVPN was much more flexible and easy to configure, and the bonus being that it is a free download.

    Andrew

  • I have just implemented VPN at our offices and I used the Cisco ASA 5510 router. It comes with a client and works really well. There were only two issues that I had. One was that we use Panda Antivirus - their 2005 version would crash the system trying to link onto the VPN router; so we tried the 2006 version and everything worked great. That was not the VPN client's fault - it was the antivirus. The other issue is that I am more of a database person so port routing was a little difficult (as we had to have open ports for other outside applications that talk to various servers). It is best to use the command line interface to program it - but they do have a nice gooey interface as well. It cost me about $2000 + the time to install and configure, so for a smaller company it works great.

  • Do you have any experience with http://www.logmein.com?

    Would a service like this meet short term needs?

  • I've used identical pairs of Linksys routers several times with great success. They are not hard to set up, they stay set up and they make it easy to map several computers in the same local domain to a foreign resource. The cheap ones are under $100 and support 2 VPNs, the $400 models support about 25 VPNs.

    Student of SQL and Golf, Master of Neither

  • Not sure if this helps or is quite what you are looking for, but this ADSL router has VPN built in and I have personally used it to connect to another older router of the same make. In addition, I also used it with a Windows VPN at the remote site. It is cheap and very easy to set up. Good at recovering from power outages and has some other nice additions such as firewall, P2P support and a decent WLAN.

    http://www.draytek.com/
