Hardware VPN router...

HackerJL
May 19, 2010, 05:48 PM
Good day everyone, I have a few clients that are looking to replace their current 5 year old router and I have kind of sold them on a VPN for remote access instead of punching holes through the firewall for VNC, RDP, etc., which scares the hell outta me. I am looking for suggestions on a router that is standard VPN (the reason I say standard is I am fighting with xauth on a SonicWall and trying to connect Mac/Linux to it without the need to purchase software). The client will be running their mix of Windows/Mac and I would like to connect without the need of extra software (IPsec, PPTP, etc.). I need this to be easy enough that once the router setup is done, the client can configure their own network connection in Windows/Mac.

I have been out of the retail space for a while, but I do see a few VPN routers from netgear, linksys etc. I do not want to break the bank, my clients are generally not looking to spend over $200 on a device. Should it work the way they want/need with the ease that I can promise them, they may go larger scale and connect their few offices together, but most routers would support that if they have VPN in them at all (from what I see).

Any suggestions, I would be very much open to them.

And... why doesn't the $200 AirPort Extreme do this?



Silencio
May 19, 2010, 06:49 PM
Which SonicWall device are you currently trying to use?

Being forced to retire a fleet of aging Netopia routers, I've been rolling out SonicWall TZ-200s running SonicOS Enhanced. Once you get the configuration down, and it's not exceedingly difficult to do so, VPN connections over L2TP are pretty straightforward. Don't need any extra software on the client side, at least for Mac OS X clients, and the VPN performance is light years faster and more stable than what the Netopias could do.

Unfortunately the TZ-200 is about $400 from most online retailers, but after reading too many bad reviews of the $200-ish Netgear and Cisco options, I think the SonicWall is worth the extra money.

mbestel
May 19, 2010, 06:56 PM
Draytek modem/router devices have VPN support built in.

I'm not sure whether it is hardware accelerated or just software in the device, but it works pretty well for me with up to 8 connections.

Cheers,

Mark

HackerJL
May 21, 2010, 09:06 AM
Which SonicWall device are you currently trying to use?

Being forced to retire a fleet of aging Netopia routers, I've been rolling out SonicWall TZ-200s running SonicOS Enhanced. Once you get the configuration down, and it's not exceedingly difficult to do so, VPN connections over L2TP are pretty straightforward. Don't need any extra software on the client side, at least for Mac OS X clients, and the VPN performance is light years faster and more stable than what the Netopias could do.

Unfortunately the TZ-200 is about $400 from most online retailers, but after reading too many bad reviews of the $200-ish Netgear and Cisco options, I think the SonicWall is worth the extra money.

I would love to use SonicWall, I have heard a lot of good things about them, so maybe let me try to explain what isn't working.

I have a Mac Pro server as DHCP server, AFP, etc., running behind the SonicWall. The current situation is using xauth on the VPN, which requires VPN Tracker software, and it's a little stupidly priced (I took over the site's IT, and the software wasn't included). So if I configure L2TP on the SonicWall, what IP range do I give it? I tried several ranges, but does this come from the SonicWall, or does it need to be passed to the DHCP server to supply? Otherwise, when I try to connect with any Mac, it won't allow me to connect. Shouldn't it be that easy?

joelypolly
May 21, 2010, 10:35 AM
I am confused as to what you actually need. It looks like you want to give clients a router with VPN enabled and then have them configure VPN access again on their own machines which is redundant if the router is already connecting.

All you really need is VPN server software and the ability for clients to connect to your server via the VPN's required port.

HackerJL
May 21, 2010, 10:42 AM
I am confused as to what you actually need. It looks like you want to give clients a router with VPN enabled and then have them configure VPN access again on their own machines which is redundant if the router is already connecting.

All you really need is VPN server software and the ability for clients to connect to your server via the VPN's required port.

Yes, I can see how I made that look...my bad.

I will have individual offices have a VPN, and then the laptop/home computers they want to connect into work to get access to the services/programs. Some offices will want inter-connected with another remote office, so then the vpn router to vpn router would come in handy...but never for the same thing.

That make sense now?

joelypolly
May 21, 2010, 11:27 AM
Makes sense now.
You will need site-to-site VPN configured between the routers and your server; this will link the offices and will most likely be a full-time connection. This will also involve setting up routes so that the two networks can talk to each other.

For client laptops/PC a separate VPN server needs to be setup to hand out IP addresses and handle authentication.

Alrescha
May 21, 2010, 02:21 PM
For client laptops/PC a separate VPN server needs to be setup to hand out IP addresses and handle authentication.

Unless hardware VPN solutions have declined significantly in recent years, the box that handles site-to-site VPN should be able to handle each office's client connections as well.

Many products offered from year 2000 and onward could do this (Nortel, Timestep, etc).

A.

joelypolly
May 22, 2010, 03:27 AM
Yes sorry what I meant was separate VPN connection and not server.

cookieme
May 22, 2010, 03:03 PM
Hi HackerJL!

I would advise you to get a proper enterprise grade firewall with VPN capability and built-in switch ports if your clients value security. I can say from experience that consumer products such as Netgear's FVS338 are NOT something that you should be looking at.

EDIT: I've re-read the thread and I think I understand what you are looking for.

You want branch offices to have a persistent secure connection to the main office and thus each other. Solution: Site-to-Site VPN.

You want home users to access their office network. Solution: Remote Access VPN (also called dial-up VPN).

You can accomplish both of these scenarios with the following. I suggest that you look at the Cisco ASA 5505 firewall for the main office. This is an awesome device that has all the enterprise features found in much, much more expensive Cisco firewalls and is their "cheapest" model. It has 8 ports, VPN capability compatible with Windows and Mac, SSL VPN so you don't need any software, and lots of other features.

For the branch offices, I'd look at the Cisco Integrated Routers such as the 857 or 877 (if you need Wi-Fi you get an 857W or 877W, the same as the 857 or 877 but with Wi-Fi). These have built-in ADSL modems (if your clients have ADSL broadband connections) so you don't need the ISP's supplied modem. In addition, they have VPN capability, firewall, etc. The firewall differs from the ASA 5505 in that you need to configure rules for what to allow in and out, whereas the ASA (which stands for Adaptive Security Appliance) actually dynamically knows what to allow and disallow, but of course you can configure specific rules for that too.

Hope this helps!
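To make the site-to-site half of cookieme's suggestion concrete, here is what the branch-office side of an IPsec LAN-to-LAN tunnel looks like on an IOS router of the 857/877 class, together with the WAN-side rules that keep the "punch a hole for RDP/VNC" approach from the opening post closed. This is an added example written for this page, not configuration posted by anyone in the thread or taken from Cisco documentation. The addresses (branch LAN 192.168.20.0/24, main-office LAN 192.168.10.0/24, main-office peer 203.0.113.1), the object names and the pre-shared-key placeholder are all assumptions chosen for illustration; the main-office ASA needs the mirror-image policy (same transforms, reversed networks) before the tunnel comes up.

```cisco
! Branch-office IOS router (e.g. 877), site-to-site IPsec to the main office.
! Example configuration, not from the thread. Illustrative addresses:
!   branch LAN 192.168.20.0/24, main-office LAN 192.168.10.0/24,
!   main-office public peer 203.0.113.1, WAN on Dialer0 (ADSL PPPoA/PPPoE).
!
! IKE phase 1: gateway-to-gateway authentication and keying.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-SECRET address 203.0.113.1
!
! IKE phase 2 / IPsec: how LAN-to-LAN packets are protected on the wire.
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! "Interesting" traffic: only branch LAN <-> main-office LAN is tunnelled.
ip access-list extended VPN-MAIN-OFFICE
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
crypto map CM-MAIN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA
 set pfs group2
 match address VPN-MAIN-OFFICE
!
! Stateful inspection (classic IOS firewall) so that replies to outbound
! connections from the LAN are let back in without opening ports.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound WAN policy: the only unsolicited traffic accepted is IKE (UDP 500),
! NAT-T (UDP 4500) and ESP, and only from the main-office peer. Decrypted
! tunnel packets are re-checked against this ACL, so the LAN-to-LAN pair
! must be permitted too. RDP (3389) and VNC (5900) are deliberately NOT
! opened; remote users reach those services over the VPN instead.
ip access-list extended WAN-IN
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip any any log
!
! Exclude tunnel traffic from outbound NAT, otherwise it is translated before
! the crypto map can match it and never enters the tunnel.
ip access-list extended NAT-OUT
 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list NAT-OUT interface Dialer0 overload
!
interface Vlan1
 description Branch LAN
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 description ADSL WAN
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
 crypto map CM-MAIN
```

Two things worth checking after the tunnel is up: `show crypto isakmp sa` should list the peer in state QM_IDLE, and `show crypto ipsec sa` should show encrypt/decrypt counters climbing for the 192.168.20.0/24 <-> 192.168.10.0/24 pair. The NAT exemption is the step most often forgotten; if the counters stay at zero while the ISAKMP SA is up, that is the first place to look. Replace the pre-shared-key placeholder with a long random secret and give each branch its own key rather than sharing one across sites.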

hmmfe
May 23, 2010, 01:57 PM
The current situation is using xauth on the VPN, which requires VPN Tracker software, and it's a little stupidly priced (I took over the site's IT, and the software wasn't included).

Maybe not where you are going with this, but we've been using IPSecuritas for years. It is free, supports xauth just fine, and works with any of the firewall/VPN appliances I've used.