
Need VPN Suggestions


WannaFly (IS-IT--Management), Oct 1, 2002
I am looking to allow about 7 users to have a VPN connection to our office.

They need to be able to browse the network and get files off of their computers just like a LAN. I believe VPN is the right solution for this.

I have read and gone through setting up a VPN server on Windows 2000 Server. My question is: is that the recommended way, or is using hardware like the Linksys BEFVP41 a better choice? Also, on 2000 Server, is it really as easy as it seemed? Any suggestions would be great. Thanks!
 
I use hardware VPN devices for inter-office traffic that use IPSEC for the tunnel. About a year ago we tried to set up VPNs for roaming users using the VPN hardware device but found that IPSEC doesn't like NATing. This meant that the VPN link didn't work on all occasions. In the end we gave up and installed RRAS on a W2K server. This uses PPTP and seems to work perfectly. (Yes, it is really easy to set this up on a W2K box.) That was a year ago, so things may have changed since then.
 
Isn't PPTP not as secure as IPSEC? If that is the case, wouldn't hardware be better, or trying to get IPSEC around NAT?
 
PPTP is OK, it's just MS's implementation of it that is bad!! I would have preferred a hardware IPSEC solution too but just couldn't get it to work for all situations. MS have made improvements to their RRAS server security - just make sure you implement them. To increase security:

1) Stick VPN behind firewall
2) Apply all the latest service packs, hot-fixes, patches...etc etc to the RRAS server and keep it updated.
3) Run a virus checker
4) Use only the MS-CHAP v2 authentication
5) Use only the 'Strongest' encryption, ie 128-bit.

errr... have I missed anything out? The usual stuff applies, i.e. if you are using NT username/password for authentication, make sure users have a minimum password length, have to change passwords regularly, etc.
 
richgill, thanks for the pointers; I am going to try doing some testing this weekend. I believe a few of my home users will be behind a NAT firewall, so I guess I might have to open 1723 for them. Anyway, I guess I am going to go with the Windows 2000 Server RRAS method. Thanks!
 
Well, after doing a lot more reading and some testing, I am starting to wonder if I should go with the hardware solution instead of W2K Server. I have been looking at the BEFVP41; it seems like it should be pretty easy to set up, and costs a LOT less (don't need W2K Server licensing). I have looked for reviews on this product, and have not found much info. I do have a few questions regarding the BEFVP41:

1. I need it to provide about 10 VPN tunnels; does it have any problem handling that?
2. Will it need to be in the DMZ of the firewall/router?
3. I am pretty sure it's secure, as long as I can get IPSEC working in Windows XP and 2000, correct?
4. It will not be set up BEFVP41 to BEFVP41; it will be client (Windows) to BEFVP41. I believe it can be set up like that?
5. To browse the WAN network, I will need to set up WINS on the WAN side, or use LMHOSTS, correct?

If anyone can help me with these questions, that would be great, or if you have any other advice. Thanks!
 
If you go the BEFVP41 route you'll be back with IPSEC. I'm not that familiar with the BEFVP41 but I'm sure you'll need some IPSEC client software for each remote user (more money!!). I am quite sure the Linksys router is capable of all the things you want, but I think you will run into troubles. (just my opinion - maybe someone out there has set this up with no problems)

Do you already have a W2K server up and running? If so I would just enable RAS and try it out.
 
Rich, I appreciate all the advice and help you've given me so far.

On Linksys's website, it states one of the features of the BEFVP41 as "No IPSec VPN Client Software Needed". But as I look through Windows 2000, I do not see where to set up IPSEC? I do not have a server up and running; that's why I was thinking of going with the BEFVP41. Last night I thought of another bad aspect of using it, though: I think I have read that most routers cannot handle IPSEC, and I would have to put the clients in the DMZ also. Do you know if I am correct there?
 
Windows 2000 can set up a VPN to the BEFVP41, but only for a fixed IP address. BTW, check out the BEFVP41 manual for a description of how to set up a VPN with Windows 2000. Most home or remote users have a different IP address when they connect. Unless all your users are techies this would be a pain. For client software, check out (it also explains the problems of VPNs and NAT).

Routers can handle IPSEC (if they couldn't, very few VPNs would exist!). The biggest problem with IPSEC is NATing, which will affect some remote users. There are products out there that get round this, such as
 
Wait, there is some misconception about security going on here.

IPSEC is designed as a secure tunnel from LAN to LAN. This is why you see a lot of hardware solutions for IPSEC that would make no sense if you were only allowing client access. This is NOT more secure, just designed for different levels of traffic. (And it does not like NAT to play with that traffic.)

PPTP is designed for secure client-server connections. I agree that M$ implemented this funny. This should be referred to as ELAN because this is Extended Local Area Networking; you will not be able to browse the remote network (EVER) using a PPTP VPN. That traffic is not permitted under the M$ standards, so you must add server entries manually to the client's LMHOSTS file.

I like hardware solutions to prevent spending a fortune on Win2K licenses. Get a simple PPTP router (not a pass-through router, a real device that actually hosts PPTP connections like a Netopia or such). This sits after the firewall and accepts your clients' VPN connections. While clients cannot "browse", they have access to any machine with an entry in their own LMHOSTS file. The Win client name is authenticated by the Win2K DC after the VPN connection is established (just as they would be if they plugged into the network normally). You can have up to the hardware limit number of clients (Netopia = ~5, ~10, ~25; as more are needed it just adds cost).

Don't misuse IPSEC to try to provide "browsing" to individual clients; this gets really bad to administer.

Alex
 
Whoa! I really need to start reading up on VPN.

So, because I need to be able to "browse" the network, I need to use PPTP and LMHOSTS to determine the names/IPs of the remote computers?

I have read a bit on the Netopia R9100 router, and it seems pretty nice and has all the VPN capabilities i would need i believe.

If I used the Netopia, after making the VPN connection (which is NATable because of PPTP), the username and password are given to the DC to authenticate? Is that how the authentication works?
If the above is not right, I am having problems understanding how authentication works, i.e. how to know that whatever is connecting to the VPN tunnel is authorized...

once again, thanks for the insightful knowledge....
 
OK, I need to actually start working on this and setting it up now. Here is my config:

<Remote Clients (Windows 2000, XP, and one 98)>
<Cable Modem Access>
      | (VPN Cloud)
      |
   <cable>
      |
<Cisco uBR900>---<Linksys Router>---<3Com Switch>---<LAN>

I have Windows 2000 "Small Business" Server running, with AD. I need my 7 remote clients to be able to access their files on the LAN. Browsing would be preferred. If it can look like they are actually part of the network, that would be great. I think I'll have to use LMHOSTS because I don't have WINS.

So what would be the best way? I read that the uBR900 supports VPN, but not as a server (I don't think). So would one of the Netopia routers be my best bet, and just uplink it to the Cisco?
Any thoughts or suggestions would be great. Thanks!
 
laren, I appreciate your suggestion, as it would solve my problem. I was trying to avoid having to use (buy) client software. I am right now looking into my different options for what hardware I need to use, whether I should use RRAS or a router with built-in VPN (Netopia). Some of my clients will be NATed, so I believe that restricts me to PPTP.
 
I would suggest the Netopia as an inexpensive solution. I suggest them all the time. Here's the setup:

1. Get rid of the Linksys product! The Netopia has NAT and an 8-port hub built in, and if you need more ports use a cross-over cable to connect to more hubs.

Cablemodem-Netopia-SBServer
              |
           ExtraHub
            |    |
          PC1   PC2

2. Each VPN machine has a name that follows the network schema (i.e. Name=Joes_PC, workgroup=Mycorp).
3. Each VPN machine has an LMHOSTS setting to resolve the SBS/AD box:
10.0.0.1 SBSNAME #PRE #DOM:Mydomain
10.0.0.1 "mydomain       \0x1b" #PRE
(WATCH OUT for the spaces between the end of the name and \0x1b, as this length is critical: the name must be padded to 15 characters!)
4. The remote user MUST sign into their machine with a valid domain login and password (use Win2K Pro for these machines and set each to "Sign in using dial-up connection", then select the VPN connection (which has a DIFFERENT login and password set from the Netopia!!)).

In this fashion you only need one piece of hardware and no special client software. Your VPN resources are password-protected from your internal users (the VPN password is NOT the same as a domain login), and your external users have machines that automatically connect to the corp network when they log in (they don't notice that they are on VPN).

Alex
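The LMHOSTS lines in step 3 above are the part people get wrong, and the post's warning about the spaces is the reason: in the quoted entry the domain name must be space-padded to exactly 15 characters so that \0x1b lands in the 16th byte (the NetBIOS suffix for the domain master browser). The script below is an added example, not code from this thread or from Netopia/Microsoft; it generates the entries for a remote client and checks an existing LMHOSTS body for the padding mistake. The addresses (10.0.0.1 etc.), server name and domain are constructed placeholders modelled on the post.

```python
"""Generate and sanity-check LMHOSTS entries for remote PPTP clients.

Added example for this thread, not any poster's code. Addresses, the
server name and the domain are constructed placeholders.
"""
import ipaddress
import re

NETBIOS_NAME_LEN = 15                 # NetBIOS names are 15 chars + 1 suffix byte
_QUOTED = re.compile(r'"([^"]*)"')    # quoted names carry a \0xNN suffix


def domain_controller_entry(ip: str, server: str, domain: str) -> str:
    """#PRE preloads the entry into the name cache; #DOM tags the host as a DC."""
    return f"{ip} {server.upper()} #PRE #DOM:{domain.upper()}"


def domain_browser_entry(ip: str, domain: str) -> str:
    """The quoted 'domain <0x1b>' entry, name padded to exactly 15 characters."""
    if len(domain) > NETBIOS_NAME_LEN:
        raise ValueError(f"{domain!r} exceeds {NETBIOS_NAME_LEN} characters")
    padded = domain.upper().ljust(NETBIOS_NAME_LEN)
    return f'{ip} "{padded}\\0x1b" #PRE'


def host_entry(ip: str, name: str) -> str:
    """Plain name-to-address entry for a machine the remote client should reach."""
    return f"{ip} {name.upper()} #PRE"


def build_lmhosts(dc_ip: str, dc_name: str, domain: str, hosts: dict) -> str:
    """Assemble a complete LMHOSTS body: DC entry, domain 0x1b entry, then hosts."""
    lines = [domain_controller_entry(dc_ip, dc_name, domain),
             domain_browser_entry(dc_ip, domain)]
    lines += [host_entry(ip, name) for name, ip in hosts.items()]
    return "\n".join(lines) + "\n"


def check_lmhosts(text: str) -> list:
    """Return human-readable problems found in an LMHOSTS body (empty if clean)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        fields = line.split(None, 1)
        if len(fields) < 2:
            problems.append(f"line {lineno}: missing name after address")
            continue
        ip, rest = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {lineno}: {ip!r} is not an IP address")
        quoted = _QUOTED.search(rest)
        if quoted:
            body = quoted.group(1)
            if "\\0x" not in body:
                problems.append(f"line {lineno}: quoted name has no \\0x suffix")
                continue
            name_part = body.split("\\0x", 1)[0]       # text before the suffix
            if len(name_part) != NETBIOS_NAME_LEN:
                problems.append(
                    f"line {lineno}: name inside quotes is {len(name_part)} "
                    f"characters, must be padded to exactly {NETBIOS_NAME_LEN}")
        else:
            name = rest.split()[0]
            if len(name) > NETBIOS_NAME_LEN:
                problems.append(f"line {lineno}: {name!r} longer than 15 characters")
    return problems


# Constructed sample following the post's 10.0.0.1 / SBSNAME / mydomain layout.
SAMPLE = build_lmhosts("10.0.0.1", "SBSNAME", "mydomain",
                       {"MAILSRV": "10.0.0.2", "FILESRV": "10.0.0.3"})

if __name__ == "__main__":
    print(SAMPLE)
    print("problems:", check_lmhosts(SAMPLE))
```

On the client the output goes into %SystemRoot%\system32\drivers\etc\lmhosts (no extension), followed by `nbtstat -R` to reload the cache. Running `check_lmhosts` over a hand-edited file catches the single-space version of the 0x1b line, which silently fails to resolve the domain.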
 
Alex, I like that solution. Would that allow each remote client to "browse" the network, or just be able to access machines by typing names in?
Is there a way to do that kind of setup without having to log in to the VPN EVERY time? So they can just click an icon and connect?
Also, what is "10.0.0.1 "mydomain \0x1b" #PRE"? What does that do?

I like the netopia route, but it says it only handles 15 users for the lower version (R910). Also, there isnt a &quot;cable modem&quot;, its a Cisco uBR900, but it should still work, correct?

Thanks!
 
The other thing about the Netopia is that it's only 10BaseT. I don't think that will be a problem if I just uplink it to my 10/100 hubs, correct? Since the cable is less than 10 Mbps...?
 
Hello. I am trying the same thing as discussed here and also having trouble. I want remote clients to dial from home to the Internet, then tunnel in through a VPN into a Linksys BEFVP41 router, then onto my Win2000 network (I am running Active Directory and would like to use it to manage user access once they are in the domain, just like when they are in the office). If my client (running Win2K Pro) is set up and my router is set to accept VPN (including forwarding ports 47, 1723 and 500), do I need to set up my Win2K server to manage clients coming in? MS Knowledge Base articles Q308208 and Q305550 seem to indicate that I do. I don't have in-depth knowledge about VPNs and am a neophyte network administrator. Help, especially from Linksys, would be great.

Thanks,
Doug
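Both richgill's first hardening step ("stick VPN behind firewall") and Doug's forwarding question come down to the same small rule set, which is easy to get wrong on a SOHO router. The script below is an added example, not code from this thread or from Linksys; it audits a constructed forwarding table against what PPTP actually needs: TCP port 1723 for the control channel plus GRE, which is IP protocol number 47 (not a TCP or UDP port), and nothing else reaching the RRAS host. UDP 500 is IKE, used by IPsec, and has no role in PPTP. The `Rule` fields and the RRAS address 192.168.1.10 are assumptions; a real router's forwarding page would need to be translated into that shape.

```python
"""Audit a SOHO port-forwarding table for a PPTP (RRAS) server behind NAT.

Added example for this thread, not any poster's or vendor's code. The rule
table shape and the RRAS address are constructed assumptions; the port and
protocol numbers are the PPTP/IPsec protocol facts themselves.
"""
from dataclasses import dataclass

PPTP_CONTROL_PORT = 1723   # TCP, PPTP control connection
GRE_PROTOCOL = 47          # IP protocol number for GRE, PPTP's data channel
IKE_PORT = 500             # UDP, IPsec key exchange; irrelevant to PPTP


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp", "udp", or "ip" for a raw IP protocol pass-through
    number: int    # port for tcp/udp, protocol number for "ip"
    target: str    # internal address the router forwards to


def audit_pptp_forwarding(rules, rras_host):
    """Return (ok, findings). ok is True only when PPTP can work and the
    RRAS host is exposed to nothing beyond PPTP."""
    findings = []
    to_rras = [r for r in rules if r.target == rras_host]
    needed = {("tcp", PPTP_CONTROL_PORT), ("ip", GRE_PROTOCOL)}

    present = {(r.proto, r.number) for r in to_rras}
    if ("tcp", PPTP_CONTROL_PORT) not in present:
        findings.append("missing: TCP 1723 to RRAS host (PPTP control channel)")
    if ("ip", GRE_PROTOCOL) not in present:
        findings.append("missing: GRE (IP protocol 47) to RRAS host; "
                        "the tunnel will authenticate but carry no data")

    for r in to_rras:
        if r.proto in ("tcp", "udp") and r.number == GRE_PROTOCOL:
            findings.append(f"{r.proto.upper()} 47 forwarded: 47 is an IP "
                            "protocol number (GRE), not a port")
        elif r.proto == "udp" and r.number == IKE_PORT:
            findings.append("UDP 500 (IKE) forwarded: IPsec key exchange, "
                            "not needed for PPTP; remove it")
        elif (r.proto, r.number) not in needed:
            findings.append(f"{r.proto.upper()} {r.number} forwarded to RRAS "
                            "host: exposes more than PPTP")

    return (not findings), findings


# Constructed sample: a forwarding table as someone might fill it in from a
# "ports 47, 1723 and 500" recipe, and the corrected version beside it.
RRAS = "192.168.1.10"
WEAK_RULES = [Rule("tcp", 1723, RRAS), Rule("tcp", 47, RRAS), Rule("udp", 500, RRAS)]
FIXED_RULES = [Rule("tcp", 1723, RRAS), Rule("ip", 47, RRAS)]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        ok, findings = audit_pptp_forwarding(rules, RRAS)
        print(label, "ok" if ok else "NOT ok")
        for f in findings:
            print("  -", f)
```

Whether a given consumer router can pass GRE through to one internal host at all is a product question (Linksys calls it "PPTP pass-through"); the audit only tells you whether the table as written can work, and whether it opens more of the RRAS box to the Internet than step 1 of the hardening list intends.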
 
Wannafly,

Sorry, I've been out for a while. The LMHOSTS file will allow name access to the computers that you preload only. The users cannot "browse", but they can go into Network Neighborhood and see those entries you've put onto their machines (i.e. domain server, mail server, etc.). That \0x1b line is to tell the client computer about the domain name and is required.
I thought you only had 7 VPN clients, so the 15-client limit on the Netopia should work fine. If you outgrow the 15 users you can always add a second Netopia with a different IP address. The Netopia products are available for use with any Internet connection (56k, ISDN, DSL, T1+), so you just buy the unit with the correct interface and this can replace the Cisco product. (Talk to your Cisco rep about their VPN modules that you could add to your existing product if you must keep that device.)
If you want to allow the VPN clients to access their computers while NOT on the network, they must still sign in with a valid domain login and password, but don't have "Sign in using..." checked; you put a VPN connection shortcut on the desktop. They sign into the machine, click the VPN shortcut, and either you set up the icon to remember logins and passwords or they type out the Netopia VPN login and password to connect to your network.

Alex
 