
Manageable VPN Solution

  • 09-03-2007 2:50pm
    #1
    Registered Users Posts: 230 ✭✭


    hi,

    i'd love a bit of advice from someone knowledgeable in the area of VPNs.

    the company i work for is quite a geographically varied (i.e. 80 locations around dublin city/county) organisation, who at the moment have a mixed bag of VPN types. we run a windows 2003 VPN server for 75% of our locations, and PTP VPNs for the rest.

    essentially, everything connects to the head office (192.168.24.0/24). all other networks are also /24, so this makes creating the VPNs easy. at the head office we have a linux VPN terminator (running smoothwall atm). this currently terminates 20+ tunnels, originating from 2 other smoothwalls (the other 2 "office" locations in the diagram) and approx 18 Zyxel 662HW's (represented by the houses and factories). this works pretty well, with all the Zyxel-connected units able to speak to the 3 linux-connected networks.

    the zyxel tunnels have a local subnet of 192.168.x.0/24, and a remote of 192.168.0.0/18 (or 192.168.0.0/255.255.192.0), which nicely summarizes our office networks. the reason all the remote units need access to all 3 offices, is that we have regional email servers, each running OWA, and anyone from one of those offices needs to be able to travel to any office or house and still check their email.

    the 3 offices have fixed-ip wireless connections, and all factories and houses have 1/2/3mb ADSL. this poses a slight complication with using a standard device across all locations, as standard VPN devices only have a WAN port, not a built-in ADSL modem. using an ADSL modem in bridged mode is not an option, as we're only allowed to use 1 physical box per house/factory.

    the zyxels are working great, but as they're only at the lower end of the scale in terms of zyxel's overall product range, they're not manageable. this poses a problem with expansion, as any changes that need to be made to all modems (updating firewall rules, changing syslog server etc) need to be performed manually across all devices. now, seeing as there's already 20 of these 662HW's, and potential to deploy another 50-60 of them, i don't really see manual configuration as an option, as i quite like my free time on evenings and weekends, thank you very much.

    so, to summarize, i'm looking for a single-vendor solution for 70-80 ADSL/Ethernet routers (mostly ADSL, but as i said i need to have an option for Ethernet too), and 1 VPN terminator (something that can handle upwards of 70-80 concurrent tunnels).

    now, i've come up with 2 possible options for the remote connections:

    3com 3030/3036

    fortinet fortigate-60 ADSL / fortigate 60

    obviously, i still need a VPN terminator for the head office, from either of those 2 vendors, and some form of management console to run on some linux/windows server in the head office (like 3com network administrator/director) for centralized management of all devices. i don't know if fortinet do something like that...

    here's a summary diagram of my WAN as it is now.

    mynet.png

    any suggestions?


    ...[edit] i forgot to mention we already use nagios for network availability, and cacti for historical graphing, so we don't need an overall NMS, just something to centrally manage the routers.
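As an added example (not part of the original post, and not anyone's production config), here is a Python check of the addressing plan described above: whether each office /24 is covered by the 192.168.0.0/18 summary the Zyxel tunnels use as their remote subnet, whether any remote site's own /24 falls inside that summary (a remote LAN inside 192.168.0.0/18 would have its own traffic matched by the tunnel policy), whether two remote sites collide, and which /24 is free for the next site. Only the head office subnet and the /18 summary come from the post; every other subnet in the block is a made-up placeholder.

```python
import ipaddress

# Addressing plan in the style of the post. Only the head office (192.168.24.0/24)
# and the /18 summary are from the post; every other subnet here is an assumption.
OFFICE_SUMMARY = ipaddress.ip_network("192.168.0.0/18")   # remote subnet on the Zyxel tunnels
OFFICES = {
    "head_office": ipaddress.ip_network("192.168.24.0/24"),
    "office_2": ipaddress.ip_network("192.168.30.0/24"),     # assumed
    "office_3": ipaddress.ip_network("192.168.40.0/24"),     # assumed
}
REMOTE_SITES = {
    "house_1": ipaddress.ip_network("192.168.100.0/24"),     # assumed
    "factory_1": ipaddress.ip_network("192.168.101.0/24"),   # assumed
    "house_2": ipaddress.ip_network("192.168.50.0/24"),      # assumed, deliberately inside the /18
}


def smallest_summary(nets):
    """Smallest single prefix covering every network in nets.
    Widening one /24 until all offices fit shows why three scattered
    office /24s end up needing a /18 summary."""
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def check_plan(summary, offices, remotes):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for name, net in offices.items():
        if not net.subnet_of(summary):
            problems.append(f"office {name} {net} is not covered by {summary}")
    for name, net in remotes.items():
        if net.overlaps(summary):
            # The tunnel's remote-subnet policy would claim this site's own LAN range.
            problems.append(f"remote {name} {net} overlaps the office summary {summary}")
    names = sorted(remotes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if remotes[a].overlaps(remotes[b]):
                problems.append(f"remote {a} and remote {b} overlap")
    return problems


def next_free_remote(summary, remotes, base=ipaddress.ip_network("192.168.0.0/16"), prefixlen=24):
    """Lowest unused /24 inside base that stays clear of the office summary."""
    used = list(remotes.values())
    for cand in base.subnets(new_prefix=prefixlen):
        if cand.overlaps(summary) or any(cand.overlaps(u) for u in used):
            continue
        return cand
    return None


if __name__ == "__main__":
    print("summary needed for the offices:", smallest_summary(list(OFFICES.values())))
    for problem in check_plan(OFFICE_SUMMARY, OFFICES, REMOTE_SITES):
        print("PROBLEM:", problem)
    print("next free site subnet:", next_free_remote(OFFICE_SUMMARY, REMOTE_SITES))
```

Run before adding a site: with the sample plan it reports house_2 as colliding with the summary and proposes 192.168.64.0/24, the first /24 past the /18, for the next unit. Anything the /18 summary covers is reachable only through the tunnel, so keep every remote LAN outside it.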


Comments

  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    Use a software client for your remote/home users. Most major VPN concentrators come with their own client. This removes your dependence on the client connection type; once they have internet connectivity (and the ISP doesn't block the VPN ports you choose to use) they can VPN in.
    You might also consider a Concentrator with a robust SSL/WebVPN solution, most install as Java/ActiveX controls on any system (from the Concentrator automatically), application support varies between vendors but Outlook support should be common. Again this lowers your cost, hardware dependency and the amount of configuration/support each device would require.
    I'm a Cisco guy so I'd recommend their VPN3000 concentrator, whichever model and licensing structure that suits your capacity - but that product's lifetime is coming to an end as it has been integrated into the newer ASA units (PIX/VPN3k/IPS all in one) so for future proofing the ASA is the better choice, and having integrated IPS on your remote traffic is a must so it's win-win. Anyway if you did get the concentrator it supports IPSec/PPTP/L2TP so you should have no problem with interconnectivity with other vendor solutions, and you get unlimited software client licenses (WebVPN is restricted though per license type). You can easily link to it from your existing hardware or get the cheaper 3002 Hardware clients for the branch offices (if you only want them to use that line for VPN traffic) or a plain old PIX firewall if you want to give them their own internet traffic + protection as well as form a site-site VPN to the concentrator/ASA.


  • Registered Users Posts: 6,762 ✭✭✭WizZard


    The most cost effective solution is the software VPN client, but if you are set on a hardware solution you could check out Checkpoint Edge boxes which can come with ADSL modem capabilities if required, and can be centrally managed too.

    I can recommend a decent reseller for them if you'd like.


  • Registered Users Posts: 230 ✭✭djr


    thanks for the info guys,

    i'm pretty set on a hardware solution alright, as users would have to be "trained" into using a new software client. i'd rather they can just log on transparently. also, neither the cisco nor checkpoint devices you guys mentioned can be installed on their own in our units, as they still require a bridged DSL modem.

    i understand completely why manufacturers don't want to design and build units that have DSL as a connectivity option, as it removes the standardisation of devices, and calls for 2 different models of the same device to be supported. it adds extra complexity at almost every level of the product's lifecycle. but, if 3com and fortinet (2 large networking companies) can do it, why can't others follow. i've also looked into netgear and all the others too...

    however, as i stated, i'm only allowed to put in 1 device per location, and as a lot of these cheap-ass modems (billion/viking) are now starting to fail after operating *reasonably* well for the last 3 years, that means replacing the modems that are there. now i don't want to buy a quality DSL modem, just for the sake of bridging it, as it adds an extra point of failure that i can't really monitor.

    has anyone any experience with 3com (or fortinet) vpn solutions, or can anyone recommend something similar?


  • Registered Users Posts: 6,762 ✭✭✭WizZard


    Did you check out the Checkpoint Edge appliances I recommended? I recommended them because they can come with integrated ADSL modems :)
    Available with integrated WLAN and ADSL modems
    ADSL Standards: ADSL2, ADSL2+, T.1413 G.DMT (G.992.1), G.Lite (G.992.2), ANNEX A (ADSL over POTS), ANNEX B (ADSL over ISDN)


  • Registered Users Posts: 230 ✭✭djr


    sorry, wizzard, i did have a look at the Checkpoint devices, but they look to be a wee-bit pricey... they appear to start at ~ €600, which is a bit prohibitive for us. you see, what i forgot to mention is that we're a non-profit / charitable org, and as such budget can be of some concern.

    we would also need to purchase something like this i presume for the head-office end of things... and software to manage it all (which generally ain't cheap)...

    we're looking to spend not more than €400 for each remote office, and something like €2-3k for the head office terminator.


  • Registered Users Posts: 4,148 ✭✭✭_CreeD_


    djr wrote:
    i'm pretty set on a hardware solution alright, as users would have to be "trained" into using a new software client.

    vs.
    djr wrote:
    budget can be of some concern.

    The 2 don't really match. Software is cheap and quite simple to use, Click Connect....enter password....done, to avoid which there is a relatively large cost in hardware and configuration time. But it's your show and whatever you feel comfy with ;) .


  • Registered Users Posts: 230 ✭✭djr


    good point creed,

    but you see i need to get rid of the current p.o.c. DSL modems that we are using at the moment, because they cause error 769s every second bloody day :mad:

    so all told, i'd rather get rid of all the current hardware that's really starting to show its crappiness, and put in a proper hardware solution that doesn't need to be installed onto every new pc we put out in these "offices". also it's handy using dameware/remote desktop over a hardware device, as you can troubleshoot a pc using only its IP address, rather than needing the user to initiate the VPN connection (or even log in) before you can even attempt to administrate the pc.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,840 Mod ✭✭✭✭Capt'n Midnight


    unless you know a corporation upgrading their wan and you get their gear

    the Zyxels have uploadable configurations and a telnet interface

    can you edit the config or parts of it before uploading ?

    With telnet you can store and record the config updates and then play them back - most of the configs should be the same on all routers - so you have a few spare and test them, then you are just telnetting into the others - if you are really brave you could add the IP address and password to the text file so it is all automatic!
    - if the config is like a CISCO IOS happy days
    - if it's more menu driven then you have to make sure to add in lines to get to the root menu first to be on the safe side
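As an added example (not from anyone in the thread, and not a Zyxel tool), here is the telnet-style playback Capt'n Midnight describes, written in Python: log in, send a shared command batch one line at a time, and stop at the first command the device rejects instead of blindly continuing to the next router. The prompt strings, the "ERROR" keyword and the in-process fake router are assumptions made for the demo; a real device has its own prompts and also sends telnet option-negotiation (IAC) bytes that this toy does not handle. Telnet is cleartext, so the password travels in the clear on whatever link carries the session; run it across the existing tunnels rather than the open internet, and keep the device list and password in a file only the admin account can read rather than hard-coded in the script.

```python
import socket
import threading

# Prompt strings and the error keyword are assumptions for this example;
# a real router CLI prints its own.
PASSWORD_PROMPT = b"Password: "
PROMPT = b"ras> "
ERROR_MARK = b"ERROR"


def _read_until(sock, markers, limit=65536):
    """Read until one of the byte markers appears; return (buffer, marker_seen)."""
    buf = b""
    while True:
        for m in markers:
            if m in buf:
                return buf, m
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection while waiting for %r" % (markers,))
        buf += chunk
        if len(buf) > limit:
            raise ValueError("oversized response from device")


def push_config(host, port, password, commands, timeout=5.0):
    """Log in, replay commands one at a time, and stop at the first one the
    device rejects so a bad line is not pushed on to the remaining routers.
    Returns (ok, list_of_outputs)."""
    outputs = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_until(s, (PASSWORD_PROMPT,))
        s.sendall(password + b"\r\n")
        _, seen = _read_until(s, (PROMPT, PASSWORD_PROMPT))
        if seen != PROMPT:          # device asked for the password again: login failed
            return False, ["login failed"]
        for cmd in commands:
            s.sendall(cmd + b"\r\n")
            raw, _ = _read_until(s, (PROMPT,))
            text = raw[: -len(PROMPT)].decode("ascii", "replace").strip()
            outputs.append(text)
            if ERROR_MARK in raw:
                return False, outputs
        s.sendall(b"exit\r\n")
    return True, outputs


def start_fake_device(password=b"1234", known=("sys version", "ip route status")):
    """In-process stand-in for a router CLI, constructed for this example only.
    Listens on a random localhost port, serves one session, returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(PASSWORD_PROMPT)
                if _read_until(conn, (b"\n",))[0].strip() != password:
                    conn.sendall(b"Login failed\r\n" + PASSWORD_PROMPT)
                    return
                conn.sendall(b"Welcome\r\n" + PROMPT)
                while True:
                    cmd = _read_until(conn, (b"\n",))[0].strip().decode("ascii", "replace")
                    if cmd == "exit":
                        return
                    reply = b"OK\r\n" if cmd in known else b"ERROR: unknown command\r\n"
                    conn.sendall(reply + PROMPT)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_device()
    print(push_config("127.0.0.1", port, b"1234", [b"sys version", b"ip route status"]))
```

Test the batch against a spare unit first, as the post suggests; the stop-on-first-error return value is what lets a wrapper loop over the device list and halt before a typo reaches the rest of the WAN.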


  • Registered Users Posts: 230 ✭✭djr


    i have "partial" configs already for the zyxels, these contain details like the vpn encryption configuration, syslog server, firewall rules etc...

    that's about the only way to get a consistent config between the devices, but even then in the 2 years we've been using zyxel's, the same product number has gone through major interface changes. the telnet interface has gone from being menu-based to a full cli, though i must admit that the web interface has improved dramatically. this, of course, means that the blank configs i have for one hardware revision (not firmware) of a device won't work on the newer version! :mad:

    if i were to automate changes to the devices, one would have to be very careful when sending out new configs (though i suppose that's par for the course with central management), or one could unintentionally disable parts or all of the wan.

    tbh i know what you mean about using scripts and blank configs, but the configs aren't even simple text files, they're not editable with any text editor. the only way to edit them is to actually apply the config to the relevant device, make changes in the web interface / telnet interface, and write the config back to a file using the "backup config" menu option. that's all a bit of a pain with 50+ devices in the future :(


  • Closed Accounts Posts: 1,637 ✭✭✭joePC


    Take a look at the Cisco 877 devices, they have an ADSL modem option and are extremely stable.

