Small Office VPN Solution

cisco_trooper Member Posts: 1,441
I have a client who purchased a Linksys RVS4000 in hopes of gaining VPN access to their network. The device looked to be decent until you get to the VPN Configuration. You can only use their QuickVPN Client if you want to authenticate, it gives you no details on the configuration of the IPSec tunnels, etc, and is basically becoming a pain in my neck. What other options are there for VPN Solutions? I hate to even ask but I am intimately UNFAMILIAR with VPN technology.

Also, when we did establish a connection to the network with this VPN Client, it did not receive an IP address from the internal network, which I would swear is the way I have seen it when I have used VPN clients in the past. But like I said, don't know much if anything about them.

Comments

  • phreak Member Posts: 170
    The quickVPN client can be quirky. Did you follow the instructions?

    I have used it on our RV082 without issues (other than me not following instructions). A quick google search fixed it :)

    As far as other firewalls, if I were replacing firewalls today, I would look at something with SSL VPN as the option so that the users can seamlessly pass through most any firewall setup in the field.

    I think Sonicwall makes SSL VPN devices but that's the end of what I have done as far as SSL VPN research.

    Other vendors that might be worth looking into (in no particular order)

    -Fortinet
    -Zyxel
    -Nortel
    -Cisco
    -Netgear
    -Dlink
  • cisco_trooper Member Posts: 1,441
    How about the IP addressing issue? Is this normal? Is this a security risk?

    The VPN client remoted into one of the servers. I was simultaneously logged into the server watching connections with netstat -n 1. That client connected with its original IP address, not the internal 10.X.X.X that the internal network runs. Is this normal/desirable? I would swear that in the past that as a VPN client I would be assigned an internal IP...
  • phreak Member Posts: 170
    Hmm... You know I am not sure about that question.

    Usually your PC on the user's end of the tunnel will get an IP from the VPN device that is on the local lan (unless you have some higher-end appliance with special routes and everything). I know in the past the client was given a local IP......
  • cisco_trooper Member Posts: 1,441
    phreak wrote:
    Hmm... You know I am not sure about that question.

    Usually your PC on the user's end of the tunnel will get an IP from the VPN device that is on the local lan (unless you have some higher-end appliance with special routes and everything). I know in the past the client was given a local IP......

    I knew I wasn't nuts. Just another reason for me to believe this particular device is a piece of crap. Thanks brother. I will continue researching VPN devices...
  • phreak Member Posts: 170
    If you are up for it maybe check here?

    http://www.linksysinfo.org/index.php

    I'd really start digging into your problem but it gets a bit distracting when I am watching some CBT's... lol
  • phreak Member Posts: 170
    No problem. Like I said I use the RV082 at our main office and branch office.

    I have an IPSec VPN between main and branch..... before I got a second 082 for the branch, I had the 042 there running IPSec VPN and no problems there.

    The 082 is beefier in that the processor is faster and I think it has more ram. It's a decent box for what it can do. If I had my druthers and could do it over, I'd put in monowall instead. I don't hardly ever VPN into the shop, the users are not allowed VPN onto our office network from home. Really it's just there to tie the branch office in.

    I recently set up my monowall box that I have for our sales team as they are away on a conference in Vegas right now and I want them to be able to check their email and surf the web with some security. The box is not connected to any internal connection. They just connect to it and force the traffic over the internet to the box and then come back out onto the Internet. The chances of someone sniffing the network on this end is far less than someone sniffing it in Vegas on their end :)
  • Schluep Member Posts: 346
    As phreak mentioned I would definitely consider looking at the SSL VPN solutions as well. Don't limit yourself to just IPSec. A lot of the SSL options are nice since they can avoid many of the NAT/Firewall issues you have to play with during configuration and often don't require client based software (web browsers obviously have SSL capability).

    I personally have liked the Juniper SSL VPN solutions. You can read about what they have available at https://www.juniper.net/products_and_services/ssl_vpn_secure_access/index.html. They integrate very well with other network devices and have several different products available.

    The Juniper Secure Access 700 provides an inexpensive SSL VPN solution for smaller companies. There are more expensive ones available depending on your needs, but the description you gave makes it sound like your client is a fairly small company.
  • liven Member Posts: 918
    I am sure I will get flamed for this but there is always openvpn...
    encrypt the encryption, never mind my brain hurts.
  • sprkymrk Member Posts: 4,884
    phreak wrote:
    Hmm... You know I am not sure about that question.

    Usually your PC on the user's end of the tunnel will get an IP from the VPN device that is on the local lan (unless you have some higher-end appliance with special routes and everything). I know in the past the client was given a local IP......

    I knew I wasn't nuts. Just another reason for me to believe this particular device is a piece of crap. Thanks brother. I will continue researching VPN devices...

    The VPNs I have used retain their originating IP address from wherever they are located, but the VPN software essentially creates a static route of 0.0.0.0 pointing to the VPN tunnel. Then, depending on the setup, once you are tunneled through to your LAN, any traffic exiting the LAN (say for Internet access) will be nat'ed to appear to originate from the LAN - possibly using the gateway/firewall IP. Otherwise your traffic would be lost in cyberspace.

    If my explanation doesn't make sense, then just take my short answer as "What you are seeing is normal".
    All things are possible, only believe.
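
The check discussed in the posts above (watching `netstat -n` on the server to see whether a VPN client shows up with a 10.X.X.X address or its original one), as an added example that is not part of any post in this thread. It parses Windows-style `netstat -n` output and separates peers inside the LAN range from peers outside it; the 10.0.0.0/8 range, the sample lines and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the internal network is 10.0.0.0/8 (the thread only says 10.X.X.X).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample of Windows `netstat -n` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:3389          203.0.113.7:51234      ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.23:49812        ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.201:50001       ESTABLISHED
  TCP    10.0.0.5:49900         198.51.100.9:443       TIME_WAIT
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
    return ipaddress.ip_address(host), int(port)

def classify_peers(netstat_text, internal_net=INTERNAL_NET):
    """Return (internal, external) lists of (peer_ip, local_port) for
    ESTABLISHED TCP connections found in the netstat text."""
    internal, external = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # headers, UDP rows, and non-established states
        try:
            _, local_port = split_endpoint(fields[1])
            peer_ip, _ = split_endpoint(fields[2])
        except ValueError:
            continue  # row that does not hold parsable endpoints
        bucket = internal if peer_ip in internal_net else external
        bucket.append((str(peer_ip), local_port))
    return internal, external

if __name__ == "__main__":
    inside, outside = classify_peers(SAMPLE_NETSTAT)
    print("peers with a LAN address:    ", inside)
    print("peers with a non-LAN address:", outside)
```
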
  • cisco_trooper Member Posts: 1,441
    liven wrote:
    I am sure I will get flamed for this but there is always openvpn...

    Dude, why are you on fire?
  • cisco_trooper Member Posts: 1,441
    Schluep wrote:
    As phreak mentioned I would definitely consider looking at the SSL VPN solutions as well. Don't limit yourself to just IPSec. A lot of the SSL options are nice since they can avoid many of the NAT/Firewall issues you have to play with during configuration and often don't require client based software (web browsers obviously have SSL capability).

    I personally have liked the Juniper SSL VPN solutions. You can read about what they have available at https://www.juniper.net/products_and_services/ssl_vpn_secure_access/index.html. They integrate very well with other network devices and have several different products available.

    The Juniper Secure Access 700 provides an inexpensive SSL VPN solution for smaller companies. There are more expensive ones available depending on your needs, but the description you gave makes it sound like your client is a fairly small company.

    The quote I got for this just now bums me out a little bit. Company is looking for el-cheapo, this quote for 10 users is around $2K. That's only one company but they probably aren't going to go for that. I looked at this product and really liked it.
  • Schluep Member Posts: 346
    The quote I got for this just now bums me out a little bit. Company is looking for el-cheapo, this quote for 10 users is around $2K. That's only one company but they probably aren't going to go for that. I looked at this product and really liked it.

    I have used them before and they are definitely great products. A Security Consulting Firm that I just started doing some side jobs for has a large number of clients using them and I am planning on picking up the certifications for the Juniper SSL VPN, Firewall, and IDP products soon so I am more comfortable working with them. I had no idea what the price or your number of users was when I recommended it, but it is pretty slick.

    I really don't know much about smaller options other than Linksys and the other companies mentioned by phreak in his second post. Definitely let us know what you come up with.
  • dynamik Banned Posts: 12,312
    You might want to give these a look as well: http://www.astaro.com/

    They sponsor the Security Now! podcast. They'll send you out a free unit for 30 days.
  • cisco_trooper Member Posts: 1,441
    The other two I kind of like that they MAY go for are:
    SonicWall SSL-VPN 200 - $400ish
    Netgear FVS336G - $400ish

    These don't appear to be nearly as slick as the Juniper solution, however. I'm kind of partial to the Junipers anyway because of the amount of Juniper equipment on the network here. ISGs, M40s, yada, yada, the list goes on.

    Anyway I'm hoping to avoid the LinkSys, etc. Man that thing is a real turd. Hopefully they took it back already.
  • hypnotoad Banned Posts: 915
    No Cisco PIX 501/506 fans in the house? Or even ASA 5501 fans?
  • phreak Member Posts: 170
    Just one thing I thought I'd throw out there. Don't forget that depending on what is passing over the VPN the applications might be a bit slow. That is why you have accelerators on the PIX series and I am sure on the Junipers as well.... I believe it provides payload compression and acceleration to keep the applications running smoother.
  • cisco_trooper Member Posts: 1,441
    phreak wrote:
    Just one thing I thought I'd throw out there. Don't forget that depending on what is passing over the VPN the applications might be a bit slow. That is why you have accelerators on the PIX series and I am sure on the Junipers as well.... I believe it provides payload compression and acceleration to keep the applications running smoother.

    Nothing too complex to my knowledge, just access to files and email and RDP for server administration I believe.
  • Aquabat [banned] Inactive Imported Users Posts: 299
    nl wrote:
    No Cisco PIX 501/506 fans in the house? Or even ASA 5501 fans?

    5501? lol

    I'm a fan, but not for a kid trying to vpn to his house lol
    i herd u leik mudkips lol