VPN over ADSL

[8bit]

Hi folks,

I have a homer on at the moment which requires me to set up a VPN between 3 sites. One of these is a central site and the other 2 should be able to connect to that central site on demand.

I've done a good bit of networking stuff but never any VPN stuff before so...

I've been recommended the Draytek 2600i router since that acts as a VPN "endpoint" (pls correct my terminology where required!). The dude that's selling these things tells me i need one at each site, but I have a VPN software client app I use for my work that lets me get a VPN to the sonicwall firewalls in the office, could I use a free VPN client app to connect the other 2 sites and avoid having my client shell out for 3 routers instead of just 1?

Also, I've never used Draytek kit before, have used Linksys, D-Link (personal favourite) and NetGear. Is the Draytek stuff any good? Anyone recommend a better alternative?

Cheers
8bit

[nichomach]

I'd be using three routers, myself. I have similar setups with multiple little routers doing gateway-to-gateway IPSec VPNs to enable connection to our head office from building sites. VPN endpoint is fine as far as terminology goes. Basically, the three-router solution is a good one if you have three fixed locations to connect; saves a shedload of admin hassle, and routers are cheap. You could try using the XP VPN client of you want, but unless your client wants VPN access on the move as well, I wouldn't. If he wants that as well, you should be able to use L2TP/IPSec with the Drayteks. I've not heard anything bad about Draytek. It'd help if your central site had a static IP address, but the other two shouldn't have to unless you want to initiate connections on demand from either end, or you want to provide remote access to those sites. Having a gander at Draytek's site, the 2600i looks to have a good feature set (as does its wireless cousing the 2600Gi). I notice they have RADIUS support as well, which could be handy if your client has a Win2000 (or later) server kicking around his network.

[8bit]

thx nichomach,

All three have broadband already and have routers etc. which support VPN pass-thru. You mentioned that using the three VPN routers (as opposed to one at the central site and the other two using a software client) would be less admin hassle, how so?

Basically the link is purely to allow remote access to their case management software which will run on the machine at the main site, that's where I planned on installing the Draytek or similar. Also, there is no requirement for either of the other sites to communicate with each other, only the central site.

Obviously I'd be getting a static address for that site. Given the VPN is only required for this one application and the fact that I've had to visit each of the three persons concerned to sort out virus and spyware problems, surely having a software client that they had to deliberately connect and disconnect when required, surely the more secure option is to use software clients?

[nichomach]

OK, fair enough; if its only 3 people, then a client-based VPN solution could work. I didn't realise that there were routers already onsite. I find gateway-to-gateway to be less hassle usually for fixed sites if only because I don't then have to go around configuring each machine individually, and if a user changes machines I don't have top go through the process again. There's no security advantage to using a software VPN client except in the sense that they'd need to input a username and password. Once they'd done that, however, their machines would be on the central site's network, so if malware is on their machines it'll spread anyway. Do the existing routers not support functioning as endpoints for VPNs?

[8bit]

Hi again,

Yes there will be one person at each site only. The existing routers do not function as endpoints, only have VPN pass-thru option (like mine, a D-Link DSL-504) which can be enabled or disabled in the admin GUI.

It's highly unlikely any of the users will be changing machines even semi-regularly, although one of the users may have to purchase a Wintel machine as he presently uses a Mac - I'm investigating whether or not he could use the Mac Remote Desktop client for accessing the application, but that's another story.

And yes I realise the malware thing will still have the potential to spread using a software to hardware setup but if the software client must be started and stopped on demand then the VPN isn't up permenantly so hopefully they'll spot the problem while they're not connected and will follow my instructions to not use the VPN client and call me first!

As for the Drayteks, is this what you've used in the past and/or can you recommend an alternative unit?

[nichomach]

Well, I've actually mostly used 3Com units for the stuff we do here - specifically the Officeconnect VPN firewall, and that requires an external modem. As I say, the Drayteks look pretty good, and I haven't heard anything bad about them.

[madman045]

We use Drayteks for all our customer broadband installs, one client has three sites linked via vpn using the 2600I Plus.

Easy to set up, all sites have a static ip & can see all the other pc's on the network.

Even looking at setting up a domain across the VPN, but this is only a possibility.

[Moby-Dick]

another vote for the drayteks - the 2600plus is about £100 - its 100 well spent imo.

http://www.broadbandbuyer.co.uk/Shop...&ProductID=963

If its a big hard core WAN then I'd use somethign like a watchguard , but for small stuff the drayteks are just fine.

[8bit]

We use Drayteks for all our customer broadband installs, one client has three sites linked via vpn using the 2600I Plus.

Easy to set up, all sites have a static ip & can see all the other pc's on the network.

Even looking at setting up a domain across the VPN, but this is only a possibility.

Madman, at work we have sites in Aberdeen (head office where I work), Slough, Perth (Australia) and Kuala Lumpur in Malaysia. The domain is W2K Active Dir, the top level domain is in Aberdeen with a sub-domain in each of the three other sites. OK we're not using Drayteks on DSL connections, the VPN stuff is handled by the Sonicwall VPN/DMZ firewalls through Cisco routers in each site using fibre connections all with the same global teir 1 ISP to keep the speeds up as much as possible. (4Mb/s in Aberdeen, 2 in Slough and 1 in each of the others). But basically that's pretty much what we do.

Thanks all I'll get hold of at least one Draytek to kick off with and see how we get on with a software VPN client as my client needs to keep his costs down as much as possible initially (new business).

Cheers again
8bit

[Moby-Dick]

A safenet client licence ( the sonic wall IPSec end point software )is suprisingly expensive

[8bit]

k guys thx so far...

got the central site all set up and am about to go round and configure the other sites to connect in. I was going to use the stanard Windows stuff to connect to the VPN from the windows side, was wondering if anyone knows a free or cheap VPN client for OS X? This is a slight cross post as i have asked the same question in the applejuice forum but thought if any of you guys know of one but dont check the applejuice forums...


cheers
8