#243109 - 04/12/2004 21:47
Re: VPN Help
[Re: image]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Quote: if you have a WINS server still, setup the vpn connection to use that.
That's a good idea, too. I tried that, too, didn't work either.
#243110 - 05/12/2004 17:07
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Answer to name resolution issue appears to be this. Since we may not be sticking with this VPN method at all (we might do the VPN endpoint box in a DMZ instead, meaning we'd be using L2TP instead of PPTP), I might not need to try the solutions listed in that article. But it's good to have that article handy for now.
#243111 - 07/12/2004 18:54
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Okay, I'm seriously looking at doing Bitt's "super secret option 4" and putting a VPN endpoint on a DMZ or a port-forward in the network. I'm having trouble locating a proper box that will do the trick. It's hard to tell which ones, from their descriptions, are genuine VPN endpoints and not just tunnel-supporters. For example, I'm looking at this one, and its online PDF manual has instructions for setting it up to connect *to* a vpn, but not how to set it up as a vpn *server*. Although there is an illustration in the manual that shows it as being a VPN server, I think, unless they were oversimplifying it and it was meant to be a picture of the thing acting as a passthrough. Sigh. Anyone have any tips on how to find the proper box?
#243112 - 07/12/2004 20:51
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Actually, that looks like it will do a VPN tunnel between two of those units. That is, put one in your corporate office and another in your branch office and it'll set up a VPN between those two offices so that data going between them is encrypted. I'd guess that it won't do a computer-to-BEFVP41 connection, or, at best, would do only one.
It'd be a great solution if you just needed two offices connected together, but you need road warriors to connect, too. I'll take a look in a minute. I assume you want it to be as cheap as possible.
_________________________
Bitt Faulk
#243113 - 07/12/2004 21:01
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
The Linksys RV016 looks right. Newegg has it for $382.
_________________________
Bitt Faulk
#243114 - 07/12/2004 21:10
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Yeah, that sounds like the right box. Slightly overkill, such as having the redundant WAN ports. The RV042 seems to be the same thing but with fewer ports and much less expensive. I'll look along those lines, thanks!
#243115 - 07/12/2004 21:13
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Hm. Thought I had my Newegg set up to order by price, that was on the top of the list, and it worked, so I thought it would be the best. Turns out my sorting was not correct.
I'll see if I can find a cheaper one.
Note that some of them want to sell you VPN client software/licenses separately. Take that into consideration when looking at prices. It's also possible that you wouldn't really need their software with XP, since it has IPSec built in, but you also might. Who knows?
_________________________
Bitt Faulk
#243116 - 07/12/2004 21:17
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Ooo. I just found Tom's Networking which says the BEFVP41 I was looking at is a VPN endpoint. For that matter, the BEFSX41 is an endpoint, too, and it is incredibly cheap because it drops the VPN coprocessor. I'm going to spend some more time reading Tom's Networking.
#243117 - 07/12/2004 21:21
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
How about the TrendNet TW100-BRV204? $46 at Newegg and supports up to 10 IPSec connections.
_________________________
Bitt Faulk
#243118 - 07/12/2004 21:26
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: I just found Tom's Networking which says the BEFVP41 I was looking at is a VPN endpoint.
Yes, it is. But how many tunnels does it support? My guess: one.
Edit: Hmm. Tom's says 70. I'm surprised.
Edited by wfaulk (07/12/2004 21:28)
_________________________
Bitt Faulk
#243119 - 08/12/2004 09:39
Re: VPN Help
[Re: tfabris]
member
Registered: 03/02/2002
Posts: 101
Loc: Sweden
If you have an old computer, you could replace the firewall-gateway with a simple firewall distribution based on Linux or *BSD with web-based configuration. I've tried IPCop with great success, but it has some limitations (can't block internal access to the internet without manual iptables rules). m0n0wall, on the other hand, can do PPTP, IPsec, OpenVPN, very good filtering rules, etc. But it is a little harder to get up in 2 mins... Links:
http://www.ipcop.org/
http://m0n0.ch/wall/
I have an IPCop firewall/VPN solution up for a customer and it has been running for a couple of years without any problems. /Fredrik
#243120 - 17/12/2004 04:57
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 29/08/2000
Posts: 14491
Loc: Canada
Anything that runs Linux will do nicely. OpenVPN is a nice multi-platform free package with fairly good security to run on top of Linux.
-ml
#243121 - 17/12/2004 20:59
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Argh. I've got the BEFVP41 but it seems to be a problem to set up.
I'm trying to follow this article, which I can't get to work but even if I could, it seems to require that I press the "Connect" button in the router's config screen, which of course is unworkable in a VPN setup where it's the server.
I'm trying to get an answer out of Linksys on the phone, but I'm talking to Bangalore or something, so it's hard enough just to get across what I want to do, let alone get them to find a solution.
#243122 - 17/12/2004 23:17
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Okay, the BEFVP41 is going back in the box and back where it came from.
According to their tech support, they don't support it being an endpoint/server for PC clients. When that Knowledgebase article didn't work, they said they can offer no more support and that I should call Microsoft.
I will check out that other 10-tunnel unit listed earlier in this thread, but does anyone have any other suggestions?
Basically, I just want to have a handful of real estate agents with laptops, who, when connected to the internet, can click on the "My Network Places" and hit the "VPN to home office" icon, enter a user name and password and that will connect to <mythical box I want to buy> which sits on a DMZ on our LAN and lets them in to the rest of our LAN.
I appreciate the suggestions of Linux distros that will do what I want, but I need it to be a prebuilt box rather than a PC. I don't want to mess with installing Linux on a computer, taking two weeks to learn how to set it up, and then having no support number to call if it doesn't work. (Not that the Linksys support did me any good, but you know what I'm saying.)
#243123 - 18/12/2004 00:48
Re: VPN Help
[Re: tfabris]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
How about something like this?
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
#243124 - 18/12/2004 11:55
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 29/08/2000
Posts: 14491
Loc: Canada
Quote: I don't want to mess with installing Linux on a computer, taking two weeks to learn how to set it up, and then having no support number to call if it doesn't work.
If you don't want to learn new tricks, then fine. But please drop that rubbish comment about no support number to call. Pleeeeaaaassseee!
You're brighter than that. Among the multitude of support numbers you can call are my own, RedHat, SuSe, thousands of other Linux consultancies, newsgroups, mailing lists, and .. god forbid .. the source code itself.
That's a totally bogus argument/myth. Your first point is somewhat more real.
Cheers
Edited by mlord (18/12/2004 11:56)
#243125 - 18/12/2004 12:54
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Have you looked at the units from Sonicwall? Not inexpensive, but easy to use & configure. I have a Soho Tele 3 that I use to support about 5 VPN users. The TZ170 series (.pdf datasheet) have a second port which can be used as a DMZ (I'm not quite clear if you're just looking for an end point or full Firewall/Endpoint combo, probably not reading your posts thoroughly). -Zeke
_________________________
WWFSMD?
#243126 - 19/12/2004 15:32
Re: VPN Help
[Re: mlord]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Quote: But please drop that rubbish comment about no support number to call. Pleeeeaaaassseee!
You're right. I apologize and take it back. Most user-support communities for Linux-related stuff are generally better than commercial tech support.
#243127 - 19/12/2004 19:56
Re: VPN Help
[Re: Ezekiel]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I have SonicWall TZ170's and they'll do the trick. If you'd like to log into one and take a look at the admin software Tony, PM me and I'll send you a hostname, username and password so you can take a look.
The price isn't really that bad on them for what you get. I've been buying from this site for about $300 and have gotten good service.
_________________________
~ John
#243128 - 19/12/2004 20:00
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
We use Sonicwall where I work as well. I've not actually had occasion to VPN into it, but other people do, and it works well.
In fact, a couple of the guys at the office have Draytek routers at home, for the other end of the tunnel.
_________________________
-- roger
#243129 - 20/12/2004 13:16
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 776
Loc: Washington, DC metro
We've been using Watchguard Linux appliances for a couple of years for firewalls and VPN tunnels. The price/performance is solid. They have a range of devices that I think would fit your needs. We have a few Firebox IIIs, medium-duty, rackmount firewalls, and twentyish of the SOHO 6tcs - lighter-duty, smaller firewalls which max out at 50 trusted IP addresses and 10 concurrent user VPN tunnels. Currently, we use the SOHOs in our smaller offices (typically up to 30 users) to create a tunnel back to our corporate office. They have a good user interface and provide good (albeit subscription) support and overnight replacements as needed. The Firebox came with 1 year of the subscription support; SOHOs with 3 months. In my experience, the Fireboxes almost never need a reboot. The SOHOs need a reboot every once in a while, but usually reboot themselves when needed. -jk
#243130 - 20/12/2004 13:44
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
IME, SonicWalls have terrible default settings, making them a nightmare for someone who doesn't know exactly what he's doing. OTOH, they can be a useful, if frustrating, learning experience.
(It's amazing how many times I wanted to use some variation of "terrible" in this post. Take that as a recommendation.)
Edited by wfaulk (20/12/2004 13:46)
_________________________
Bitt Faulk
#243131 - 13/04/2005 04:40
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Well, I just picked up a TZ170 (Since I couldn't get the power-supply-fried one from Meatballman to work) and I'm messing with it. I like its user interface, and even if the default settings might not be ideal, at least there is a large array of powerful settings, and what they're all set to is very clear. So for someone who knows what they're doing, that's a good thing.
Now. About the "knows what they're doing" part... I've never actually done this before. *gasp*
I'm trying to do the idea you suggested earlier in the thread: making this SonicWall be purely a dedicated VPN endpoint sitting in a DMZ on the LAN.
I have a couple rather silly basic questions about how to do that, exactly. I wonder if anyone knows the answers to these questions.
The first question is physical connections:
My internet gateway has only a WAN port and a few LAN ports. (No dedicated DMZ port.) Its connections currently go like this:
ADSL Line -> internet gateway WAN port -> Gateway box -> Gateway LAN port -> the hub for the internal company LAN.
So when I plug this new VPN router in, do I run one cable from its WAN port into the hub, and also run one cable from one of its LAN ports into the same hub?
The second question is addressing:
I can set up the VPN router with a WAN address and a gateway on its WAN side. Let's say that my existing internet gateway has a public-facing WAN IP address of 69.125.107.154, and that my DSL provider gives us a pool of 5 static IP addresses and I want to use the next address in the pool, 69.125.107.155, as the DMZ address, having all traffic directed to that address get sent to the VPN router.
So do I tell the VPN router that its WAN address is 69.125.107.155 with a gateway of 69.125.107.154?
Or, since the VPN appliance is actually internal to the network, should those be set to *internal* addresses in the 192.168.x.x range?
#243132 - 13/04/2005 10:41
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
For more info on this, ICQ me when you get in this morning.
_________________________
~ John
#243133 - 13/04/2005 12:51
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
FWIW, since you now have one, the one thing I remember in specific being a problem was long-term TCP sessions. There's a setting that's a timeout for how long such sessions can last. I don't know that I understand the concept of this setting in general (I suppose to clear out queues from TCP sessions that got dropped on the floor instead of exiting normally or being abnormally terminated), but it's there, and the default is like 15 minutes or something. This will, apparently, kill any TCP session that's been open for 15 minutes, no matter if it's being used. Or maybe there's an idle thing. I don't quite remember, but I do remember it turning off legitimate TCP traffic. Anyway, the setting is there as a global setting, but the global setting doesn't actually affect anything. You have to set it in the connection-specific area.
This took a supposed expert I was dealing with over a week to figure out.
_________________________
Bitt Faulk
#243134 - 13/04/2005 14:11
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
And I only figured it out with help from Bitt.
_________________________
~ John
#243135 - 13/04/2005 14:15
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Clearly, I'm dealing with the right people to ask for help, then. ICQ'ed you, as ordered, not seeing a reply this morning...
#243136 - 13/04/2005 14:27
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I was in and out of my office a good bit this morning.
Weird...Trillian doesn't even show you as being online. It won't log on to AOL today either. Let me download a different ICQ client.
_________________________
~ John
#243137 - 13/04/2005 14:29
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I'd forgotten that I'd helped you with that. I've had that experience with, IIRC, at least two other people.
_________________________
Bitt Faulk
#243138 - 14/04/2005 00:36
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Okay, next question.
This is a rather silly one. I should know the answer to this one.
When we buy a business DSL connection from SBC, they give us five static IP addresses. One of these addresses is what I desire to use for the DMZ.
But I don't understand what's on the SBC setup sheet. This is the piece of paper that the DSL installer technician filled out when installing the DSL line. There are two groups of addresses, arranged in two separate sections. It looks like this:
----------------------------------------------------
Customer's IP's or LAN IP's (For routers):
Static IP addresses:
64.197.129.33
64.197.129.34
64.197.129.35
64.197.129.36
64.197.129.37
Gateway:
64.197.129.38
Subnet Mask:
255.255.255.248
WAN Side (For routers):
IP Address:
69.125.107.154
Subnet Mask:
255.255.255.254
Gateway:
69.125.107.153
----------------------------------------------------
(IP addresses above deliberately changed in the interest of privacy, but it works for this example.)
Now here's the thing. The configuration screen of our DSL router has the *second* set of numbers plugged into it, the 69.125.107.154 stuff. And I can connect to its port-mapping features from my home by going to 69.125.107.154. It works.
But I have no idea how those five static IP addresses relate to that. Is one of those static IP addresses somehow magically "synonymous" with the currently-working "69." address? Or do I have to throw out the current, working configuration and re-configure the DSL router with the first set of numbers if I want to use those static IPs?
Normally, I'd go into the existing setup screen of one of my working DSL routers that handles multiple static IPs at my job and investigate how those are set up. Somehow that isn't an option any more.
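An added sanity check (my own example, not code from anyone in this thread) for the two addressing questions above: the earlier one about using "the next address in the pool" as the DMZ address, and the later one about how the five statics relate to the WAN address on the SBC sheet. It feeds the (deliberately altered) sheet values into Python's ipaddress module and assumes the usual ISP arrangement in which the WAN section is the point-to-point link to the provider and the five statics are a separate block routed to the customer through that WAN address, so a DMZ endpoint should be given one of the statics and never an address borrowed from the WAN link. Note that for the altered values the WAN gateway comes out off-link, which is exactly the kind of inconsistency this check is meant to flag.

```python
import ipaddress
from dataclasses import dataclass

# Values copied from the altered SBC setup sheet quoted in the post.
ROUTED_STATICS = ["64.197.129.33", "64.197.129.34", "64.197.129.35",
                  "64.197.129.36", "64.197.129.37"]
ROUTED_GATEWAY = "64.197.129.38"
ROUTED_MASK = "255.255.255.248"
WAN_ADDRESS = "69.125.107.154"
WAN_MASK = "255.255.255.254"
WAN_GATEWAY = "69.125.107.153"


@dataclass
class Link:
    """One section of the ISP sheet: a subnet plus the gateway it names."""
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address

    def gateway_on_link(self) -> bool:
        # A gateway is only reachable if it lies inside the same subnet.
        return self.gateway in self.network


def parse_link(address: str, netmask: str, gateway: str) -> Link:
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    return Link(iface.network, ipaddress.ip_address(gateway))


def routed_block() -> Link:
    return parse_link(ROUTED_STATICS[0], ROUTED_MASK, ROUTED_GATEWAY)


def wan_link() -> Link:
    return parse_link(WAN_ADDRESS, WAN_MASK, WAN_GATEWAY)


def sheet_consistent() -> dict:
    """Cross-check the sheet: two distinct subnets, statics inside the /29,
    and a gateway that is actually on-link for each section."""
    routed, wan = routed_block(), wan_link()
    statics = [ipaddress.ip_address(s) for s in ROUTED_STATICS]
    return {
        "routed_network": str(routed.network),
        "statics_in_block": all(s in routed.network for s in statics),
        "routed_gateway_on_link": routed.gateway_on_link(),
        "wan_network": str(wan.network),
        "wan_gateway_on_link": wan.gateway_on_link(),
        "blocks_overlap": routed.network.overlaps(wan.network),
    }


def dmz_candidate_ok(candidate: str) -> bool:
    """A DMZ endpoint address must be one of the routed statics (assumed
    arrangement): inside the /29, listed on the sheet, and not the gateway."""
    addr = ipaddress.ip_address(candidate)
    routed = routed_block()
    listed = {ipaddress.ip_address(s) for s in ROUTED_STATICS}
    return addr in routed.network and addr != routed.gateway and addr in listed
```

Running `sheet_consistent()` shows the statics sit in 64.197.129.32/29 with a usable gateway, while the WAN section is a separate /31, so the "next address after the WAN IP" idea fails `dmz_candidate_ok` and a listed static such as 64.197.129.34 passes.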