Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

VPN Solutions for Small/Medium Businesses?

Cliff posted more than 8 years ago | from the a-network-in-a-network dept.

126

artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"

cancel ×

126 comments

Sorry! There are no comments related to the filter you selected.

One word: PIX (3, Informative)

overlord2 (136876) | more than 8 years ago | (#15202284)

Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

Re:One word: PIX (4, Informative)

zerocool^ (112121) | more than 8 years ago | (#15202390)


Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company [cdw.com] , and buy yourself a nice 24" LCD with the leftover $700.

30 concurrant VPN connections. Dual internet ports that can function as failover or load balancing. Built in 4-pt switch. $180. That's small business.

~Will

Re:One word: PIX (0)

Anonymous Coward | more than 8 years ago | (#15202451)

"Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company, and buy yourself a nice 24" LCD with the leftover $700."

Well, the hardware specs are different (e.g., the 4-port switch), the feature set is different, and the firmware size is dramatically different. Yeah, must be the same innards all right. Same exact thing.

Re:One word: PIX (2, Informative)

Jjeff1 (636051) | more than 8 years ago | (#15202624)

It's similar to a Pix 501, but certainly not a pix 506e. If I could pick up a pix 501 for under $200 though for my house, it seems like a good deal. A shiny green cisco logo not required for equipment in my attic.
But for any size business I don't think a pix 501 is a good choice for a VPN concentrator.

If the submittor already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?

Re:One word: PIX (2, Informative)

sumdumass (711423) | more than 8 years ago | (#15203045)

If the submittor already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?
There are some limitations with the windows built in pptp services. This isn't even starting to mention that it is less secure (but sufficient in most cases) then a full blown IPSec using certificates.

One linitation I think we ran into is a praticle limit of about 5 or 6 conections at the same time. On ours, It would either drop conections to allow more then that or just crap out the entire server (win2003 server on a dell power edge Dual P4s and 1.5 gig ram). Dell confirmed this and the consultants they had install it confirmed it. We ended up using goto my pc for several workstations that were telecomuting wich opened the PPTP enough for the others needing it. I'm not happy with using goto my pc but i don't make them calls.

Re:One word: PIX (0)

Anonymous Coward | more than 8 years ago | (#15203449)

Thats rediculous. I have managed a high volume pptp windows 2000 server, which I migrated to 2003, for several years. It might have been an isolated problem but in my experience they easily handled 50 active connections at a time with minimal CPU load. Of couse the network load was user based and internet bandwidth limited but I never got speed complaints from users.

Re:One word: PIX (1)

sumdumass (711423) | more than 8 years ago | (#15205777)

Well, it is on a full T1 line. That does have quite a bit of bandwidth but by all means isn't fast. When i said it crapped out, i ment the server falted with an error and stoped all PPTP conections. Maybe it is a license issue? Either way, we are using somethign else with it because thats what they said needed to be done.

PS, i'm not allowed to mess with this server other then reading logs (wich didn't show any related to the connection problem), It is under warenty and the BossMan says they are going to use that warenty up!

Re:One word: PIX (1)

sumdumass (711423) | more than 8 years ago | (#15205818)

Shit, I remeber the problem now, It was with the dynamic addresses availible.

Re:One word: PIX (1)

whoever57 (658626) | more than 8 years ago | (#15202711)

I have been struggling with QuickVPN and a RV042 recently. Basically, it works in some cases and not others.

I eventually solved the problems, but the solution involved bypassing the client side QuickVPN software. There are plenty of postings on the web about the problem and Linksys support are basically unresponsive. However, I am pretty sure I know the root cause of the problem.

On the plus side, I can't see any evidence that the tunnels that I have created using my home-brew solution are counted against the limit of 50 tunnels.

For a hint on the homebrew solution, look at the "wget*" and ipsec.conf files that QuickVPN creates in its install directory, then take a look at what the ipsec.exe utility does. Some of the postings on the web also provide the clues.

Re:One word: PIX (1, Informative)

Anonymous Coward | more than 8 years ago | (#15203699)

I have an RV042 and a PIX 501 at home.

The RV042 is a horrible product. It reboots constantly, getting the VPN to work is a nightmare, and Linksys support is absolutely horrible. Linksys can't seem to be able to put out a decent VPN product.

The PIX 501 just works. VPN was an easy to setup and there is lots of free support on the web and in the newsgroups.

Based on my experience with the 501, the 506 would be a much better solution.

Linksys != Cisco.

Re:One word: PIX (0)

Anonymous Coward | more than 8 years ago | (#15202564)

If you want to go even cheaper, there are things like the Juniper Netscreens, a 5GT can be had for around 400-500 depending on licensing, even something like a Sonicwall is cheaper. I prefer the netscreen I haven't had a problem connecting it to PIX and other VPN solutions.

Re:One word: PIX (2, Informative)

NeonSpirit (530024) | more than 8 years ago | (#15203264)

Be carefull with any Cisco PIX devices, whilst they work well and run the same code accross the product range (mostly) licensing and maintenance can be a pain. Funtionality is also dependant upon product, i.e. Failover is not available at the bottom end.

Maintenance is especcaly irritating when it comes to the Cisco VPN client, you cannot obtain a legitimate copy from the Cisco website, without a maintenence agreement. And there are fairly frequent updates.

Re:One word: PIX (2, Informative)

nologin (256407) | more than 8 years ago | (#15204132)

If you are going to try to go with Cisco for VPN, I'd recommend going with an ISR (Integrated Services Router) before going with a PIX. You can get a good 830 series (for a really small setup) or an 1811/1812 for the same price as the PIX 506E, but it offers a lot more features. Firewall, VPN, IPS, built-in switch, router, and wireless (on the 1811/1812). It can't all be bad.

Oh, and to answer the cross-platform question, there are VPN clients for Windows, Solaris, Linux and Mac OS X.

Try Hamachi. (2, Informative)

Futurepower(R) (558542) | more than 8 years ago | (#15202320)

I've been trying Hamachi [hamachi.cc] . It seems to work as advertised. It makes a connection between a computer behind a hardware and software firewall with a cable ISP and another computer behind a hardware and software firewall with a DSL ISP. Both hardware firewalls have NAT (Network Address Translation. I know not everyone who reads Slashdot works with this.)

However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.

Other Issues: Hamachi setup time. Insecurity. (2, Informative)

Futurepower(R) (558542) | more than 8 years ago | (#15202497)

Other issues:

Hamachi setup: The setup time for Hamachi is exactly what they say: A few minutes. The interface is a bit quirky, and the documentaton is limited.

Anyone using Hamachi may want to run it as a service; see this explanation from Cyberonica [cyberonica.com] .

Insecurity: Hamachi uses a very sensible technique for getting around firewalls and NAT. So does Skype VOIP [skype.com] . Of course, that means firewalls and NAT are not really protecting us.

In no way am I saying that Hamachi itself is insecure. I don't think that. They say all traffic is encrypted, and normally none passes through their servers. I am only saying that these techniques show the insecurity of our present protections.

ZoneAlarm Security Suite: We use ZoneAlarm Security Suite [zonelabs.com] , a software firewall that notifies users every time something happens that might be an indication of a security breach.

If the users don't cooperate, and don't call us every time they see a notification, there is no security. ZoneAlarm's notifications are written in pure Geek, an unusual language which is used not to communicate but to pretend to communicate, while actually trying to avoid providing any useful information. Geek is a job security language, not a language for communication.

The real answer, of course, is to have a secure operating system, not one in which there is a lot of profit to be made selling the next version by criticizing the present version [eweek.com] . We need an OS that is designed to be secure [openbsd.org] , not one that is allowed to be sloppy so that it is insecure.

Router VPN -- Netgear: We have had an enormous amount of trouble with Netgear router VPNs. We've had a lot of trouble with Netgear technical support. The Netgear products don't seem finished. Once they are working, our experience is that they stay working, with some quirks.

(Interestingly, Netgear is the worst company for avoiding sending rebates. We almost always have to go to the management of the store from which we bought Netgear equipment and have them get our rebates for us.)

OpenVPN requires you to have access to the router. (2, Informative)

Futurepower(R) (558542) | more than 8 years ago | (#15206388)

Note that OpenVPN requires that you have access to the router to open a port.

Hamachi works when you don't have access to the router. In some cases in which the router in administered by someone who won't give you access, Hamachi can work where OpenVPN won't.

Openvpn (4, Informative)

Anonymous Coward | more than 8 years ago | (#15202343)

Why not use openvpn ? We run this on Linux, Openbsd and Windows.

OpenVPN behind a NAT? (1)

Futurepower(R) (558542) | more than 8 years ago | (#15202715)

We looked at OpenVPN [openvpn.net] . It looked like a lot of work to get it to function behind a NAT firewall. A google search restricted to the OpenVPN web site [google.com] brings up many, many questions, and not many answers [telindus.be] .

Anyone have experience?

More about OpenVPN behind a NAT firewall. (1)

Futurepower(R) (558542) | more than 8 years ago | (#15202759)

We tried a Google search that eliminates mailing list messages [google.com] , which mostly seem to be answered in a very limited way.

As you can see, there are very few documents that mention NAT firewalls.

In some ways OpenVPN appears to be a typical Open Source project. Documentation is often more work than writing the program, and most Open Source developers don't want to do the documentation, and don't want anyone else to do it, because of perceived loss of credit.

Re:More about OpenVPN behind a NAT firewall. (3, Insightful)

dwater (72834) | more than 8 years ago | (#15203423)

You might want to try contacting the author to see if he is available for consultation. My company hired him to build our prototype system - his rates are very reasonable, and obviously he is the authority since he wrote it.

Re:More about OpenVPN behind a NAT firewall. (1)

Ryan Amos (16972) | more than 8 years ago | (#15205780)

By the same token, the lack of documentation causes the project to be less useful. However, it seems that many open source developers start their projects with the goal of making money someday through implementation services, and writing a successful open source app that people want to use but not documenting it means that people will pay you to set it up and train their employees. If this is your goal, then it is probably in your best interest not to write good documentation.

Open source stopped being about sharing with the community when people figured they could make money with it. The developers aren't stopping anyone from writing documentation, there's just no incentive for them to do so themselves.

Re:OpenVPN behind a NAT? (3, Informative)

arivanov (12034) | more than 8 years ago | (#15202763)

Bollocks.

It works fine behind a NAT in either UDP or TCP mode. Have always worked. I run it for road warrior access for a 3rd year now after switching over from an IPSEC/PPTP solution.

If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.

A measly 320£ worth Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50MBit+. The comparable Cisco device is a higher end PIX or a 3000 series concentrator which costs 5 times that.

In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.

Re:OpenVPN behind a NAT? (1)

sgt scrub (869860) | more than 8 years ago | (#15204090)

I agree. OpenVPN is a very customizable, secure, and inexpensive solution. If you don't know how to set it up with firewalling you can check out The Endian Firewall Distro/Project http://www.efw.it/ [www.efw.it] It is based on IPCop http://ipcop.org/ [ipcop.org]

Re:OpenVPN behind a NAT? (2, Informative)

JamesTRexx (675890) | more than 8 years ago | (#15202808)

I have set up a new firewall at home last weekend using FreeBSD, PF, and OpenVPN. I haven't used PF and OpenVPN before and it took maybe one afternoon to set it all up so it's not that hard. (no, not a simple home version, but one involving crossing a firewall at work, and on my side separate networks for internal, dmz, and wireless) I'd say give it a shot and just build two test machines, especially because you can monitor realtime what PF is doing by using tcpdump on the pflog0 interface.

Re:OpenVPN behind a NAT? (2, Informative)

Wudbaer (48473) | more than 8 years ago | (#15203300)

I can confirm that it works fine with multiple clients behind a NAT firewall (which more often than not totally fucks up commercial IPSec-based VPN clients). I mean - it's basically SSL, so there is no reason why it shouldn't. Setup was a breeze, reliability in my book is very good. OpenVPN is much much better than the Watchguard MuVPN solution I replaced by it (basically a souped-up OpenSWAN with the SafeNet Soft Remote Client). Also clients are available for all mainstream platforms, which is also always a big problem with most commercial solutions.

Re:OpenVPN behind a NAT? (1)

cHALiTO (101461) | more than 8 years ago | (#15203888)

I've been using OpenVPN to connect to my server and nat thru it to a client's network :

[home] -(openvpn1)-> [my company network server] -(NAT on openvpn2)-> [client's network].

works perfect, and setup was extra easy on a gentoo server.

check out the howto [openvpn.net] , especially the quickstart guide to get an idea of how it works.
I'm using it alongside Shorewall (in each vpn conf I assign a particular tun device, which I can refer to in the shorewall conf.. this makes traffic rules configuration as trivial as something like "Web/ACCEPT local_net vpn1".

IPCOP (3, Informative)

mcamino (970752) | more than 8 years ago | (#15202345)

Hey. We run a medium sized ISP out of wilmington, delaware and we have hads GREAT luck using IPCOP and Linksys BEFSX41 endpoints. The linksys routers are easy to setup and configure and they can be bought cheaply on ebay or any staples or compusa. IPCOP is completely linux based , The setup is more idiot proof then a windows install, and it has a web based admin which rivals standard stand-alone routers. Ipcop can run on tons of hardware configurations. We personally run it with 5 Network cards and it handles the VAST MAJORITY OUR OUR ROUTING needs. did i mention ipcop is free? Give it a try.

Re:IPCOP (1)

mmurphy000 (556983) | more than 8 years ago | (#15203534)

Agreed. I use IPCop to link five regional offices. Net-to-net VPN with IPCop is great. "Road-warrior" IPCop with Windows clients is tough to get set up, which is why some people run OpenVPN in concert with IPCop, or use client-side hardware as the parent poster does.

For offices ranging from 5-35 employees, I use old 200-400MHz Dell desktops with ~128MB RAM and 4-8GB hard drives as the IPCop routers.

Re: IPCOP -- I Second That (4, Informative)

InitZero (14837) | more than 8 years ago | (#15204191)

I have used IPCop for many, many months. With
the OpenVPN addon, it makes a sweet RoadWarrior
setup. The OpenVPN GUI is even easy enough for
our executives to use.

For us and our 30-something employees, it cost
us nothing to put IPCop online. It ran for a
year on a P-III/700mHz/256M Dell. We recently
upgraded the RAM to 768M so we could make better
use of the Squid cache.

You can get an IPCop server online with VPN in
under an hour. As long as you have a computer
in the spare parts closet, IPCop is far less
expensive than any other solution.

Matt

Re:IPCOP (1)

EvilNight (11001) | more than 8 years ago | (#15204275)

I'll second this. A lot of people are recommending OpenVPN, however setting up a firewall with OpenVPN from scratch isn't exactly a trivial task, even for a netadmin. If you use IPCop you'll be getting the firewall ready to go, with the option for support, and OpenVPN is a drop-in-and-execute mod. I've been using IPCop/OpenVPN for over a year now and loving it. IPCop's web interface is as easy to use as any Linksys router, only far more powerful.

You can use the built in FreeSWAN VPN features to establish net-to-net VPNs between your offices, and use OpenVPN to allow your clients to access those offices remotely.

There are several other OpenVPN-capable firewall distros out there... m0n0wall comes to mind as being the most secure, and it'll even run on appliances without requiring a full PC or a hard disk. Thing is, a lot of them don't offer much in the way of logging capability - IPCop does. That's the main reason I ended up settling on it over the other firewall distros.

PPTP (1)

mnmn (145599) | more than 8 years ago | (#15202358)

Since its a small company, I assume you use a windows2000 or 2003 domain. Use an OpenBSD box that redirects PPTP connections to the windows server.

Sure there are superior systems but they dont necessarily 'fit' into the small business wintel setup. If youre running an all Linux network, you wouldnt be asking this question and you sure as hell wouldnt look around for commercial offerings.

If your users are OK with typing in an extra password, use OpenBSD's own SSH or ipsec based VPN, and L2TP on the client windows side.

Re:PPTP (1)

Nova1313 (630547) | more than 8 years ago | (#15202382)

you might try a nortel contivity vpn box. We have had good experiences with them where I work. You can run a client then to connect to it or if you opt for the SSL model then you can just hand out the webaddress and a java based client will run. It's fairly easy to setup. Support seems great (but I work directly with the companies nortel rep) We're just starting to roll them out company wide two 100 seat boxes. We've had beta users on the SSL VPN portal for months. The normal client version has been in production for a long time.. But this is only if you are looking for a hardware solution. The SSL card is a bit pricy as it's essentially another PC on a pci card that you put in the boxes.

Re:PPTP (1)

xaoslaad (590527) | more than 8 years ago | (#15203405)

I agree. I have used Contivity boxes and they are very nice indeed.

They are extremely easy to configure, and with RADIUS support, you can authenticate users off of a Windows Domain, Novell eDirectory, or a Unix system, whatever.

The SSL card should not be totally necessary, depending on how many users, and the smaller onces are quite affordable.

I came into a company that had an outsourced VPN solution that was generating some 20 calls a day to their help desk. The extremely sad fact of the matter was that we only had 80 some (very active) remote users. With painful corrective action required for almost every single call, not to mention the client allowed split tunneling, along with a myriad of other problems from a security standpoint, it was time for something new.

Mere hours of work down the road, and one of their medium size boxes as a main and a smaller one for backup, we were down to maybe 1 call a week, usually related to a VPN users internet service being down, rather than any fault of the client/server. I had the dis-luxury of getting it working with the Novell Clients/Servers in the organization as well, and with some changes to default Novell Client behaviour it worked quite nicely. We also used FreeRADIUS on Linux with the rm_ldap module to authenticate directly to the eDirectory environment.

Simple. Secure. Effortless. And the reduction of calls probably saved lots of money in terms of how much more the techs who were simultaneously filling in as the helpd desk were able to advance the environment, rather than just maintain it, so I am quite sure it was worth it.

Re:PPTP (1)

karlto (883425) | more than 8 years ago | (#15202404)

PPTP works well enough for me too. Certainly fits into the 'cheap' basket, although possibly not 'secure' if you are really into that sort of thing (technically it does have encryption though). Funnily enough, it works best without Windows - just install a cheap Linux box as a gateway at each point! (This would allow you to use any of the above VPNs anyway...)

Cisco VPN 3000 (5, Informative)

anderiv (176875) | more than 8 years ago | (#15202380)

At work (~90 employees...I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP vpn clients that come with most modern operating systems and it's also fully IPsec compatible. So...for example, if you wanted to, you could set up a linux gateway at home that would connect to your work VPN and establish a LANLAN VPN link.

If this proves to be too expensive, you ought to look ag OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.

Re:Cisco VPN 3000 (2, Interesting)

_RiZ_ (26333) | more than 8 years ago | (#15202439)

Finally someone with some good advice. I would forget about anything which is considered consumer products. We use a whole host of Cisco 3000 series VPN devices for all sizes of small and large branch offices. We use from the 3002 to the 3030. I have to say, they are ultra reliable, very secure, very well supported by Cisco and the associated community of Cisco users, and has clients for major OS's. Its a win win situation if you ask me. You do have to shell out a little more than the guy who was recommending you commit fraud by buying a lame Linksys device and a flat screen for yourself, but in the end you will get a rock solid, well supported, and very configurable device.

Re:Cisco VPN 3000 (0)

Anonymous Coward | more than 8 years ago | (#15202470)

The Cisco VPN client isn't very friendly though. It resets your DNS servers and default route, which is, at least for me, rarely desirable. The Linux client is i386-only (comes with "source" plus an i386 library), and the Mac client, while it works at the moment, has gone for long periods of time without supporting say, dual processor machines (read all high-end macs). Overall it's not a great client solution if you have any variety in your client workstations or their networks.

Generic IPSec is not terribly hard to setup, supports nat traversal, has good support in all modern OSes, and can be run either on a dedicated hardware appliance or a cheap old *NIX box. It *does* require client-side configuration, but it also provides a lot more options in how the client is configured.

Re:Cisco VPN 3000 (1)

_RiZ_ (26333) | more than 8 years ago | (#15202558)

I am not sure what you mean by it not being very friendly. You can easily package up your specific vpn profile into an installation executable or just hand out profiles to those who already have it installed. The most recent version of the client for windows is 4.8, 4.9 for Mac OSX, 4.8 for Linux, and 4.6 for Solaris. Our client does split tunneling so it does not change your default route nor does it change the dns settings which are set either manually, by dhcp, or by group policy. You should really check your information before handing out incorrect information.

Re:Cisco VPN 3000 (1)

dago (25724) | more than 8 years ago | (#15202893)

Er, no the client is also 64 bits - I am using it on my amd64 (gentoo) without any problems. Same for the solaris client, it's 32 & 64 bits.

Re:Cisco VPN 3000 (1)

dwater (72834) | more than 8 years ago | (#15203432)

I recommend against Cisco's VPN since they restrict access to local networks, which can be fatal - dhcp, and other 'login' (eg many airports/cafes) mechanisms require access to the local networks. My company moved from a Cisco based system to OpenVPN in order to avoid such issues.

Re:Cisco VPN 3000 (0)

Anonymous Coward | more than 8 years ago | (#15203569)

DHCP? login? Doesn't that happen well BEFORE you fire up your VPN client?

Maybe many companies feel you shouldn't have access to the local network when you are VPNd in to their infrastructure because of the goatse sized security hole it leaves open, especially at public access points, like airports/cafes.

Re:Cisco VPN 3000 (1)

Fhqwhgadss (905393) | more than 8 years ago | (#15203656)

I'm not quite sure what you mean by restringting access to local networks. You still need to at least have an IP address before you can set up a tunnel. Also, we have set up split tunnelling on our setup and it works fine. Only traffic destined to our internal network gets sent over the VPN. The problem that we have had with airports is when they are set up in a private IP space that coincides with our private IP space. Too bad it happens to be that way with our local airport.

Re:Cisco VPN 3000 (1)

dwater (72834) | more than 8 years ago | (#15204458)

ok, for example, at a place I used to live at, they would make you visit a web page and make you log in. That would open a window in which a javascript script would send a 'heart beat' every so often to keep the connection open.

No problem at all accessing the internet with just that.

However, when I use Cisco's VPN client, it'll connect/etc no problem, but when the javascript attempts to send a heart beat, it fails because Cisco's VPN client diverts all traffic over the VPN.

I've seen other places that use a similar method of logging on.

You can configure Cisco's client to allow access to various local networks, but if you move about a lot, it's a cat and mouse game.

If you connect to a service that uses a DHCP server, as many do, then your IP address needs to be renewed every so often. I don't know for sure, but I'll bet the Cisco VPN client doesn't do anything special to renew the address or to allow it to be renewed, meaning it could be assigned to someone else.

Of course, access to the local network is a pain when you want to print and stuff like that too.

Equally of course, the fact that you can't do this sort of thing gives security too, and allowing local network access brings a level of insecurity.

Re:Cisco VPN 3000 (1)

Fhqwhgadss (905393) | more than 8 years ago | (#15204636)

The VPN 3000 can be configured to leave default routing alone on the client side and only send specific traffic through the VPN. This way you don't need to guess the local network information, and don't load your company internet connection with traffic that does not need to be secured. It's not exactly trivial, but it is documented at http://www.cisco.com/warp/public/471/vpn35-split.h tml [cisco.com] . I wouldn't be completely surprised if the Cisco client still broke something, but we have a few hundred users and haven't seen this particular problem outside of the private IP space overlap issue.

Re:Cisco VPN 3000 (1)

anderiv (176875) | more than 8 years ago | (#15204911)

Ditto - this is called "split tunnelling". We actually found it quite easy to get set up.

Re:Cisco VPN 3000 (1)

anderiv (176875) | more than 8 years ago | (#15204891)

They only restrict access to local network if they're *configured* to do so. In our setup, we allow clients' simultaneous access to both their local networks and the remote network.

Re:Cisco VPN 3000 (2, Interesting)

Fhqwhgadss (905393) | more than 8 years ago | (#15203612)

I would have to respectfully disagree. I run a VPN3030 installation and it has provided numerous headaches when coupled with the Cisco VPN Client for both Windows and OSX. The clients frequently got disconnected from the concentrator until we disabled IKE keepalives and changed the rekeying interval to 8 hours. The WEBVPN feature absolutely sucks, having caused several crashes and rendering several web pages badly. The client for OSX on Intel fails miserably; we're pushing out Cisco's new client for that, but I'm skeptical.

Worst of all, Cisco's TAC is horrid for this product. One support engineer actually told us to disable the firewall on SP2 in order to allow the client to connect, rather than opening the specific ports that are necessary for the connection (hello, we're trying to secure our internal applications, not expose them to any shmuck who decides to 'own' an unprotected XP machine). Another referred to our Heimdal kerberos server as "third party" since he had never heard of a kerberos server outside of Active Directory.

The only case where we haven't had problems is for the few users that we have set up PIX boxes for at their homes. Not exactly an ideal setup for mobile users.

Cisco has assured us that the ASA does not suck as bad. We'll see when the evaluation unit gets in.

Re:Cisco VPN 3000 (1)

anderiv (176875) | more than 8 years ago | (#15204972)

I'm going to reply to myself here to try and dispell some of the misinformation that people are posting about the Cisco 3000 series VPN solutions. Several people have mentioned that the vpn restricts access to local networks, that it resets the DNS settings and changes the default gateway. Yes - it *can* do that, but it has to be specifically configured to do so. In our setup, we allow full access to both the local and remote networks simultaneously. After administering our VPN box for two years, I am still amazed by the sheer configurability of the thing. Yes, it'll take some hard work to get it set up right, especially if you're not familiar with routing and VPN technologies. In the end, though, you'll have a rock-solid, fast, reliable VPN solution.

DIY VPN (3, Informative)

strredwolf (532) | more than 8 years ago | (#15202381)

I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

Windows has the client native to the system. Linux can compile PPP and the PPTP client, and w/kernel 2.6.15+ you don't need to patch the kernel to get MPPE encrypton/compression. Solaris, alas, needs some patching. I googled this:

http://mcarpenter.free.fr/Dev/pptp.php [mcarpenter.free.fr]

All works fairly well.

Re:DIY VPN (1)

edwdig (47888) | more than 8 years ago | (#15202529)

PPTP sucks if you're behind a NAT. You tend to get issues where you can connect fine once, but then you can't connect again properly for hours. I think what happens is the NAT can't always tell when the PPTP connection ends and keeps the ports tied up on the router, preventing another connection from succeeding. I haven't tried very hard to find out what the exact problem is though, as it's not very obvious.

Poptop (3, Informative)

PAPPP (546666) | more than 8 years ago | (#15202402)

If you want good integration with windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop [poptop.org] . Runs on most any *nix, entirely compatible with the builtin PPTP support in recent versions of windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest linux box and it hasnt given me any trouble connecting from WinXP or linux clients.

Re:Poptop (1)

Firehawke (50498) | more than 8 years ago | (#15202765)

Just one problem with this.. it seems like using it with the Microsoft client will pretty much restrict you to MS-CHAP v2, which is horrendously broken (as described on the poptop website: wildly insecure. It looks more easily broken than WEP, and WEP is pretty damn easy (apples and oranges, but still..)

OpenVPN looks to be about the only really good choice at the free level. If I'm wrong, I'd love to know about it, though.

Windows Server 2003? (1, Informative)

Anonymous Coward | more than 8 years ago | (#15202406)

I'm not sure if you are using Windows Server 2003 on site, but if you have a license to it then Microsoft already has a VPN solution. See this how-to:
http://blog.hishamrana.com/2006/04/07/how-to-windo ws-2003-vpn-server/ [hishamrana.com]

OpenVPN (4, Informative)

peacefinder (469349) | more than 8 years ago | (#15202452)

Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

(However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.

Re:OpenVPN (2, Informative)

jamesh (87723) | more than 8 years ago | (#15203552)

I second that. Dead easy to set up, and does almost everything you could want.

The one and only 'gotcha' I found, is in situations where PTMU isn't working right and you are using compression on the tunnel packets. The MTU of the tunnel thinks it's 1500, but it should really be 1500 less the tunnel overhead. A ping shows that a 1500 byte packet gets though, but only because it's easily compressible data. When you start moving actual data around suddenly connections hang for no readily obvious reason. It could send a nerd mad!

OpenVPN rawks the Casbah (5, Insightful)

Xenophon Fenderson, (1469) | more than 8 years ago | (#15202506)

I really like OpenVPN [openvpn.net] . It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to [openvpn.net] . It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws [schneier.com] . IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel [sites.inka.de] and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea [sites.inka.de] .

I'm using OpenVPN to tie routers running OpenWRT (Linux) [openwrt.org] , routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

Re:OpenVPN rawks the Casbah (2, Interesting)

bryanc (142005) | more than 8 years ago | (#15202614)

OpenVPN is great. We've tried the PPTP thing, but there is a tendancy for users to dink with settings that end up with unwanted traffic on our network (e.g. default route goes through the vpn).

OpenVPN puts all of this in a config file even on windows. Distribute the config and installation package and you're done. Need more security? Distribute the key files as well.

Re:OpenVPN rawks the Casbah (1)

tweek (18111) | more than 8 years ago | (#15203575)

Odd. In our case we WANT the default user route to be forced through the VPN. That way we control exactly what they do WHILE on the VPN. I loved that about the Cisco VPN Client. Captive VPN. But oddly enough, the Netscreen client doesn't really work the same way even though SafeNet makes both of them.

Re:OpenVPN rawks the Casbah (0)

Anonymous Coward | more than 8 years ago | (#15202615)

tunneling TCP over TCP (when running PPP over SSH) is a really bad idea

VPN over TCP is even worse idea. That's because the state of VPN tunnels is altered by a traffic that is unauthenticated - TCP ACKs, RSTs, etc. That is also the primary reason why SSL VPNs should not be ever used in any serious production deployment .. they are too fragile.

Re:OpenVPN rawks the Casbah (2, Informative)

BeagleBoi (87688) | more than 8 years ago | (#15203352)

You do realise that that Schneier article about flaws in Microsoft's PPTP is eight years old, right?

Microsoft released a patch/upgrade (DUN 1.3) for Windows 95, Windows 98 and Windows NT 3.51 which Schneier agreed [schneier.com] fixed most of the problems.

My Experience (3, Informative)

Anonymous Coward | more than 8 years ago | (#15202510)

Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.

Re:My Experience (0)

Anonymous Coward | more than 8 years ago | (#15202634)

OpenVPN is quite easy to setup.

There's a few easy examples on their site.

I had it up and running in about 15 minutes (using preshared keys), it did take longer to get it fully functional but for a simple VPN I'd say it was quite easy.

I guess it just depends on technical/networking experience. Takes me over 3 hours to change the oil in my car! :)

You might be an idiot... (1)

SanityInAnarchy (655584) | more than 8 years ago | (#15202952)

There are currently easy-to-find howtos that take 10-15 minutes to set up a simple VPN, and they are clearly marked on the OpenVPN website. The Windows client, while it doesn't have a GUI, it is a service, which makes it fairly simple to enable/disable with a GUI, or just leave on all the time. Config files can be copied from one client to another, only a couple of lines need be changed -- and it's possible to avoid even that.

Re:My Experience (1)

Alioth (221270) | more than 8 years ago | (#15203052)

I don't know when you tried it, but when I did (recently) there was a 'quick setup guide' and it took me less than 10 minutes to set up with a simple pre-shared key.

Re:My Experience (1)

sumdumass (711423) | more than 8 years ago | (#15203092)

I tried this about 2 years ago. 10 minutes was just about the compile time. I finaly got it working after about two weeks and thought about using another solution if it ever went down. I don't support that site anymore and have no clue what they are using now. Things must have realy changed in the last year or so.

Re:My Experience (1)

Alioth (221270) | more than 8 years ago | (#15203463)

I guess they must have; not only did I set it up within 10 minutes, I instructed someone how to set it up who had never set up a VPN before in around 10 minutes. The example that comes with OpenVPN is just about ready to go for a simple preshared key setup - just substitute your own information where necessary.

Re:My Experience (1)

sumdumass (711423) | more than 8 years ago | (#15205732)

I'm goign to have to revisit this then. Sometimes i forget that in open source the development cycle is multiple times faster then regular software. It is good to here it is alot better.

Re:My Experience (0)

Anonymous Coward | more than 8 years ago | (#15203784)

I would imagine that if you're trying to run an OpenVPN server on Windows that it probably is more difficult to set up than what you're used to. Personally, I've had a lot of success running OpenVPN on OpenBSD both at work and at home. If you want to go the OpenBSD route, here [innerewut.de] is a good tutorial on how to set up OpenVPN on OpenBSD.

Re:My Experience (4, Informative)

youngerpants (255314) | more than 8 years ago | (#15203789)

I have very recently (last week) set up an OpenVPN service for one of my clients on an Ubuntu box.



http://www.itsatechworld.com/2006/01/29/how-to-con figure-openvpn/ [itsatechworld.com]

That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.

MOD PARENT UP (1)

creepynut (933825) | more than 8 years ago | (#15204704)

That is a really, REALLY nice guide.

For those who say that OpenVPN's guide is straightforward either have years of networking experience behind them, or simply haven't tried to set up OpenVPN with it. (That is, at least on Windows)

OpenVPN (0)

Anonymous Coward | more than 8 years ago | (#15202532)

You could look at OpenVPN [openvpn.net]

Astaro (2, Interesting)

dracocat (554744) | more than 8 years ago | (#15202608)

I have definately become a fan of Astaro [astaro.com] . It is not free, but in my opinion very reasonable, and worth the cost in time savings. It works with the built-in windows client, and the thing pretty much installs and sets itself up. They have a free 30-day full featured demo, and the entire thing is free for "home use".

Did I mention I have become a huge fan? or was it already obvious?

not enough info (1)

dwater (72834) | more than 8 years ago | (#15202613)

you don't tell us enough about your proposed VPN topology...

still, OpenVPN can do it all, so I vote for that.

*shrug* (2, Informative)

Theatetus (521747) | more than 8 years ago | (#15202625)

Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.

Re:*shrug* (1)

Akardam (186995) | more than 8 years ago | (#15205137)

Yeah, but taking a sledgehammer to a cockroach makes such a nice satisfying *splat* ...

I usually don't cry dupe, but.... (1)

numbski (515011) | more than 8 years ago | (#15202680)

DUPE.

http://slashdot.org/comments.pl?sid=182998&cid=151 23283 [slashdot.org]

I know, I know, that one said "distributed". Sheesh. My answer remains the same. OpenVPN, like 90% of the answers here. :P

I'm not being cynical. I'm just tired. :D

ClarkConnect Linux for PPTP (0)

Anonymous Coward | more than 8 years ago | (#15202687)

I've been using the built-in PPTP server (Poptop) that comes with ClarkConnect Home and it works like a charm. Very easy to setup and configure via web interface. As long as you don't expect too many high bandwidth connections it should be a good solution.

http://www.clarkconnect.com/ [clarkconnect.com]

Important Note: The Linux kernel does not have support for MPPE encryption, which is what PPTP uses. Most distros will require a kernel patch and recompile to do this, ClarkConnect does all of this for you (I believe Mandrake does as well).

M$oft. (4, Funny)

ikejam (821818) | more than 8 years ago | (#15202688)

MS ISA Server.

HEY I'm just providing an alternative.

Re:M$oft. (1, Insightful)

Habahaba (824033) | more than 8 years ago | (#15202803)

I agree. MS ISA is easy way to go and small / medium sized company is likely to have Exchange and / or Windows 2003 server anyways.

Besides, the client is already included with WinXP...

I use a Netscreen25 and Netgear ProSafe FVL328 (2, Informative)

Yoweigh116 (185130) | more than 8 years ago | (#15202709)

I'm the systems admin (domain admin. donning asbestos suit.) for a small/medium busines in New Orleans. We use one Netscreen25 [netscreen.com] in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not absolutely certain about the cross-platform client, so you can look that up yourself. ;)

In addition to the individual user VPNs, the Netscreen maintains persistant tunnels to two remote sites. They're equipped with Netgear ProSafe FVL328 [netgear.com] routers. Less capable with low(er) throughput, but the branch end has to deal with a whole lot less traffic. The NS downtown maintains security with its lesser peers, too.

Hamachi (1)

marcushnk (90744) | more than 8 years ago | (#15202719)

Hamachi is pretty much what you're looking for.

Or if you like to stuff around, OpenVPN.

Bah Hamachi! (1)

laytoncy (756378) | more than 8 years ago | (#15205189)

How is Hamachi what you're looking for? I could be mistaken but I gave Hamachi a whirl cause it was quick to get up and running and basically it just lets you browse the machine you install hamachi on in the remote network. I'm not sure about this user but for me VPN needs to let me logon to the domain remotely. For example, my client has his company laptop at home and he logs onto the company domain via vpn so as far as he's concerned he's connected to the lan. Can you do this with OpenVPN?

Linksys has some good products... (1)

foQ (551575) | more than 8 years ago | (#15202747)

I was just looking for something to do this same thing. I haven't solved the problem yet, but Netgear and Linksys have some inexpensive stuff. I ordered the Linksys RV042 and it should arrive today. I'm anxiously awaiting setting it up and testing it because of the Dual WAN functionality. My second internet connection should arrive on Thursday :)

http://www.netgear.com/products/business/prod_vpnr outer_wired_security_sb.php [netgear.com]
http://www.linksys.com/servlet/Satellite?c=L_Produ ct_C1&childpagename=US%2FLayout&cid=1117775454480& pagename=Linksys%2FCommon%2FVisitorWrapper [linksys.com]

Re:Linksys has some good products... (1)

Slashcrap (869349) | more than 8 years ago | (#15203213)

I was just looking for something to do this same thing. I haven't solved the problem yet, but Netgear and Linksys have some inexpensive stuff.

Dude, there is a reason why they're inexpensive. If you stick to exactly the same model with the same firmware version at each site, you might be OK as long as you don't do anything too strenuous with it. Or expect it to work the majority of the time.

If this is something you're doing at home then fine. If you're proposing to implement a corporate VPN with consumer routers, I suggest you start browsing the following website http://www.monster.com/ [monster.com]

Unfortunately I do this for a living, so my opinion is likely to get drowned out by all the people suggesting OpenVPN and PPTP. Actually, just listen to them - anyone recommending PPTP for a secure multi-site VPN must really know what they're talking about.

Barby says, "IPSEC is hard!"

m0n0wall (1, Informative)

Anonymous Coward | more than 8 years ago | (#15202861)

I setup an IBM x300 server and m0n0wall [m0n0.ch] as my router and it has worked fantastically. It supports IPSec tunnels, as well as PPTP connections. I have two IPSec tunnels to remote sites which both have PIX routers (501 and 506E), as well as connections from remote PPTP clients which is easy to setup and I have never had any problems. Highly recommended for anyone looking for both a simple and powerful solution.

Smoothwall (0)

Anonymous Coward | more than 8 years ago | (#15203445)

http://www.smoothwall.org./ [www.smoothwall.org] Free. Pay for corporate support if you want to feel better. Use tons of free clients (ssh sentinel, openvpn).

Use a local ISP who offers that service (0)

Anonymous Coward | more than 8 years ago | (#15203457)

Depending on what country you are in, there are bound to be various ready-made solutions with which you do not need to worry about the actual implementation. For example, in Germany there is globalways [globalways.net] , a small but fine ISP specialized in providing small to medium companies with out-of-the-box Internet & VPNs. As it is based on OpenVPN, all the positive stuff from the other posts applies. No idea about companies in other countries, but you are sure to find one if you look around a little bit.

For cheap try SSL Explorer (1)

LinuxWeenie (614599) | more than 8 years ago | (#15203858)

You might want to consider the Java based SSL Explorer [3sp.com] as a possibility. No client side code is required, just a browser and one hole punched through the firewall to the server.

LW

Is it just me... (1)

ocbwilg (259828) | more than 8 years ago | (#15203903)

Or is this just a stupid question? Every firewall product I have seen in the past 5 years (I have used NetScreen, Watchguard, Fortinet, Cisco PIX and Cisco ASA units) has IPSec VPN capability built in. IPSec is a standard and is supported in a wide variety of clients available on just about every operating system. Being a standard it is also compatible with other firewall/VPN vendors' implementations of IPSec. Assuming that your small/medium business has a firewall, just use what it has built in. License copies of their client software for your PCs, or use a free/OSS alternative. It's not rocket science.

My small business (300 users) has a Fortigate 400 used for our Internet connection (a pair of T1 circuits). We run Fortinet's VPN client for about a dozen remote workers. The same device also manages persistent VPNs with about a half-dozen business partner companies. Performance isn't an issue. Before we had the Fortigate we were using NetScreens (now Juniper Networks I believe), and we were still using the NetScreen IPSec clients for remote workers 2 years after we switched to the Fortigate firewall. IPSec is pretty much IPSec, and they all talk to each other.

The only thing that I would add to what has been said here is that if I were to buy a Cisco device I would go with an ASA instead of a PIX. You usually get more features for the same or less money with an ASA.

IPCop works (1)

Eil (82413) | more than 8 years ago | (#15203959)

I was asked by my boss to evaluate VPN between the red interfaces of two IPCop [ipcop.org] machines. Talk about simple. I don't know exactly how well it scales, but it can't be horrible. Today, one of my tasks is find out if and how well it works with m0n0wall and in roadwarrior configuration.

Not enough information (1)

C_Kode (102755) | more than 8 years ago | (#15204008)

There isn't enough information provided, but it sounds like a pretty small operation and simplistic setup sounds like what you need.

A main office with several small satellite offices (or small retail stores) I would suggest SonicWall product. (or NetScreen) Small remote offices can use the small single point VPN TZ series devices that allows a single site-to-site VPN and the main office can use a larger product like the 2040 or the 5060 with support I beleive 50 and 2000 VPN sessions respectively. (with several models in between) There are many products out there that will work. SonicWall's products are very easy to use and arn't that expensive.

If you are just looking for personal VPNs to the office network, Sonicwall also offers VPN software that you can install on laptops/Desktops. There VPN is IPSec so it will support any IPSec client (Linux, etc) without the need to purchase software. There software is very easy to use. Thats why I brought it up.

Re:Not enough information (0)

Anonymous Coward | more than 8 years ago | (#15205768)

Sonicwall also has clientless SSL VPN devices that allow for AD integration for authentication. http://www.sonicwall.com/products/sslapp.html [sonicwall.com]

IPCop + OpenVPN (1)

rtos (179649) | more than 8 years ago | (#15204134)

Secure VPN goodness in ten easy steps: IPCOP-OpenVPN HOWTO [thinkhole.org] .

Free, it works great under both Windows and Linux, and you don't need to be a computer whiz to setup your laptop to connect to it. Good stuff.

Home office users, NATs, and multiple users (2, Insightful)

WuphonsReach (684551) | more than 8 years ago | (#15204161)

One of the big issues with VPN technologies is the NAT routers that protect home offices. The corporate office side is easy, just punch the appropriate holes in the firewall and the remote clients can easily connect to the network.

Where things fall apart is that you have multiple laptop users who are behind their own NAT routers at their homes. You need to use VPN software on the laptops (not on the NAT routers) because you only want their work machines connecting in. That's easy enough, until you run into a situation where you have 2 or 3 users who get together and collaborate frequently behind a single NAT router.

It seems like PPTP (maybe SSL?) was better suited for situations where you might have multiple users VPN'ing in from the same source IP address (hidden behind a NAT router, such as an ad-hoc meeting in someone's house or multiple users meeting in a coffee shop). All of my readings on IPSec indicated that IPSec can't handle that particular usage style.

snapgears! (3, Interesting)

alta (1263) | more than 8 years ago | (#15204166)

Cyberguard bought snapgear, but they still sell the same products. These are great little boxes that we used to set up a 7 office network across the state of alabama across whatever networks were cheapest (cable, dsl, T1)

We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.

Site to Site + Remote Access (1)

chargrilled (468628) | more than 8 years ago | (#15204255)

We have 2 vpn methods. Our main vpn is a hub and spoke topology where our branch offices all connect into our corporate hq. What we use in this case are cheap off the shelf Netgear routers + either dsl, cable, or T-1 connections to our corporate hq which has 3 T-1 lines bonded. The branch routers are FVS318v3 (the v3 is very important much improved processor + ssl for remote mgmt). Our hq uses a FVX538 which has fail-over and load balancing capabilities. I know some do not like Netgear but we have been using this solution for 5+ years and have had very little down time. Plus the routers are cheap so you can keep a hot spare on hand. Now our other solution for out of office work is SSL Explorer which is an open source ssl vpn. It works pretty good and if you want AD authentication you can purchase the "xtra" add on. Hope this helps!

I have been struggling with this for a month!! (1)

kvsnut (68323) | more than 8 years ago | (#15204263)

I have a very small business with three locations (one is my home). The ISP connection varies some are Comcast some are Verizon residential DSL.

As I see it I have three problems. 1. The IP address will be dynamic from the ISP's and 2. Most of the PC's are running Win XP home 3. Would prefer a no cost solution

I would like to be able to remote desktop (ie contral/access) any pc from any location.

I have successfully installed http://hamachi.cc/ [hamachi.cc] Hamachi to address the dynamic IP issue but am working on the XP Home issue (ie. RD server only in XP Pro). I recently downloaded http://ultravnc.sourceforge.net/ [sourceforge.net] UltraVNC but I'm lost after the installation. What do you application do you use to start the desktop sharing.

Most of the PC's are behind a Linksys router some are behind a Linksys router then linksys wireless router.

I've played with dyndns.org and no

I'm not a CCNE but I'm no schlub any help would be appreciated.

racoon ISAKMP daemon (3, Informative)

Jizzbug (101250) | more than 8 years ago | (#15204820)

racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).

Sonicwall (0)

Anonymous Coward | more than 8 years ago | (#15206334)

Just get a Sonicwall SSL vpn for like $700 and you're done. Takes all of 30 minutes to unpackage, mount and configure and that's it. You have super granular control as to who can access what, whether it be a published web app or direct access to your shared files, folders and printers. Truly a wonderful solution at a CHEAP cost.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?