
Please advise of VPN options for the following situation

Status
Not open for further replies.

Typoman

IS-IT--Management
Jan 31, 2004
3
US
I want users to be able to VPN into the office over the Internet so they can access the office's LAN. The office has a static IP on our DSL, but the users will be accessing from DSL accounts at home and dial-up on the road so they will always have dynamic IPs. These remote users will almost always be behind a router which is NATing them.

I figure I can set up a Windows 2000 Remote Access Server and forward the PPTP port to that server, but my boss does not want to add another server. He is, however, willing to buy an appliance that would replace the crappy consumer Linksys gateway router we are using.

Is there a gateway router/firewall device that can support VPN from dynamic IP remote users without requiring an internal server and does not cost more than approximately $250-$300?

 
"replace the crappy consumer Linksys gateway router" and "200-300" don't quite go together.

A Pix501 would be around $500-700, but is the "home" grade of Pix. A 506 would be my recommendation, but will be $900-1000. However, you will be getting a far more robust and reliable solution than either Linksys or Windows can provide.
 
Somewhere between a "real" VPN firewall (like a justifiably expensive PIX) and a "Consumer Gateway Router", lie the Watchguard, SonicWall & ZyXEL VPN firewalls.

I currently have several ZyWALL 10 VPN firewalls at client locations being accessed via SSH Sentinel VPN clients from user home locations (all behind NAT routers). A ZyWALL 10 is in the $250-400 range, and SSH Sentinel 1.4 is around $60.

You can do the same with the Watchguard and SonicWall offerings, as well as with the PIX 501, but it will be a little more expensive.

Check out these offerings for yourself, you'll find it interesting.
 
Great leads, Jim. Thanks. I looked into the ZyXEL products and people have some very good things to say about them. That ZyWALL 10 appears to have the features I am looking for, at the right price.

I have been doing a lot of research, but the terminology and proprietary names for things have my head spinning. Please let me know if my understanding is correct:

With a ZyWALL 10 and a few SSH Sentinel V1.4 IPSec VPN Client licenses, I can have remote users at dynamic IPs behind gateway routers VPN into the office. They will be authenticating to the ZyWALL, so I will not need a server on the office LAN for this purpose.

How do they actually authenticate to the ZyWALL? Do you create a user list in the ZyWALL's interface or do you export a shared key from it?

Thanks for your patience. I am just finding a lot of marketing mumbo jumbo at manufacturers' sites, and other places only suggest a Microsoft RAS.
 
No extra server required; the ZyWALL becomes the VPN endpoint.

VPN authentication is handled by an 8-digit code that you enter at the ZyWALL and SSH Sentinel client. You still have to handle Windows authentication.

For real information about ZyXEL products, go to:
Some of the forum participants are beta testers, dealers and EXPERT users (I'm not). You'll find a lot of good ZyXEL information there.

When your only tool is a hammer, every problem looks like a nail. There are a LOT of good ways to accomplish most things.
 