Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

VPN Solutions for Small/Medium Businesses? 126

Posted by Cliff
from the a-network-in-a-network dept.
artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"
This discussion has been archived. No new comments can be posted.

VPN Solutions for Small/Medium Businesses?

Comments Filter:
  • One word: PIX (Score:4, Informative)

    by overlord2 (136876) on Tuesday April 25, 2006 @10:33PM (#15202284)
    Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

    • Re:One word: PIX (Score:5, Informative)

      by zerocool^ (112121) on Tuesday April 25, 2006 @11:00PM (#15202390) Homepage Journal

      Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company [cdw.com], and buy yourself a nice 24" LCD with the leftover $700.

      30 concurrant VPN connections. Dual internet ports that can function as failover or load balancing. Built in 4-pt switch. $180. That's small business.

      ~Will
      • I have been struggling with QuickVPN and a RV042 recently. Basically, it works in some cases and not others.

        I eventually solved the problems, but the solution involved bypassing the client side QuickVPN software. There are plenty of postings on the web about the problem and Linksys support are basically unresponsive. However, I am pretty sure I know the root cause of the problem.

        On the plus side, I can't see any evidence that the tunnels that I have created using my home-brew solution are counted against th
      • Re:One word: PIX (Score:1, Informative)

        by Anonymous Coward
        I have an RV042 and a PIX 501 at home.

        The RV042 is a horrible product. It reboots constantly, getting the VPN to work is a nightmare, and Linksys support is absolutely horrible. Linksys can't seem to be able to put out a decent VPN product.

        The PIX 501 just works. VPN was an easy to setup and there is lots of free support on the web and in the newsgroups.

        Based on my experience with the 501, the 506 would be a much better solution.

        Linksys != Cisco.
      • Some disclaimers first:

        * I don't know Cisco at all
        * I've never used this particular router
        * I'm more of a Sonicwall guy than anything

        That being said, I set up a Linksys VPN router / 8-port switch at a client site. Overall it was a pretty good unit, but the issue was with the Linksys VPN software. Not only is it very crippled compared to Sonicwall's client software - I assume they do this on purpose to get you to go with a full featured Cisco - But the software appears to just be a wrapper for Win XP's defau
      • The Cisco Pix (now ASA) product line are not even distantly related to any LinkSys on the market. Cisco does not make Linksys products. Linksys makes Linksys products. Yes, I'm well aware that Cisco bought Linksys on 3/21/03 but that does not change the fact that Cisco's and Linksys products are not in any way related, yet. There isn't a single product in either company's arsenal that crossover. I work for a Cisco Partner and I with Pixs every day.

        That said I'd recommend either a Pix 501 or 506 for a

    • Re:One word: PIX (Score:2, Informative)

      by NeonSpirit (530024)
      Be carefull with any Cisco PIX devices, whilst they work well and run the same code accross the product range (mostly) licensing and maintenance can be a pain. Funtionality is also dependant upon product, i.e. Failover is not available at the bottom end.

      Maintenance is especcaly irritating when it comes to the Cisco VPN client, you cannot obtain a legitimate copy from the Cisco website, without a maintenence agreement. And there are fairly frequent updates.

      • Cisco is actually not that bad:

        I have determined that Watchguard apparently charges 30% for the annual maintenance and software rights - so while it might be cheaper upfront, the costs add up. Cisco's contract is in the high teens annually.

        Netscreen will charge you the current years maintenance, and all the back years' if you want to get an old/user netscreen's service reinstated.

        I know cisco sells a one time upgrade SKU, if you just want to upgrade the firmware on your hardware (I am not sure if it is avai
    • Re:One word: PIX (Score:3, Informative)

      by nologin (256407)
      If you are going to try to go with Cisco for VPN, I'd recommend going with an ISR (Integrated Services Router) before going with a PIX. You can get a good 830 series (for a really small setup) or an 1811/1812 for the same price as the PIX 506E, but it offers a lot more features. Firewall, VPN, IPS, built-in switch, router, and wireless (on the 1811/1812). It can't all be bad.

      Oh, and to answer the cross-platform question, there are VPN clients for Windows, Solaris, Linux and Mac OS X.
  • Try Hamachi. (Score:3, Informative)

    by Futurepower(R) (558542) <MJennings.USA@NOT_any_of_THISgmail.com> on Tuesday April 25, 2006 @10:42PM (#15202320) Homepage
    I've been trying Hamachi [hamachi.cc]. It seems to work as advertised. It makes a connection between a computer behind a hardware and software firewall with a cable ISP and another computer behind a hardware and software firewall with a DSL ISP. Both hardware firewalls have NAT (Network Address Translation. I know not everyone who reads Slashdot works with this.)

    However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.
    • Other issues:

      Hamachi setup: The setup time for Hamachi is exactly what they say: A few minutes. The interface is a bit quirky, and the documentaton is limited.

      Anyone using Hamachi may want to run it as a service; see this explanation from Cyberonica [cyberonica.com].

      Insecurity: Hamachi uses a very sensible technique for getting around firewalls and NAT. So does Skype VOIP [skype.com]. Of course, that means firewalls and NAT are not really protecting us.

      In no way am I saying that Hamachi itself is insecure. I don't think t
    • Note that OpenVPN requires that you have access to the router to open a port.

      Hamachi works when you don't have access to the router. In some cases in which the router in administered by someone who won't give you access, Hamachi can work where OpenVPN won't.
  • Openvpn (Score:4, Informative)

    by Anonymous Coward on Tuesday April 25, 2006 @10:50PM (#15202343)
    Why not use openvpn ? We run this on Linux, Openbsd and Windows.
    • We looked at OpenVPN [openvpn.net]. It looked like a lot of work to get it to function behind a NAT firewall. A google search restricted to the OpenVPN web site [google.com] brings up many, many questions, and not many answers [telindus.be].

      Anyone have experience?
      • We tried a Google search that eliminates mailing list messages [google.com], which mostly seem to be answered in a very limited way.

        As you can see, there are very few documents that mention NAT firewalls.

        In some ways OpenVPN appears to be a typical Open Source project. Documentation is often more work than writing the program, and most Open Source developers don't want to do the documentation, and don't want anyone else to do it, because of perceived loss of credit.
        • You might want to try contacting the author to see if he is available for consultation. My company hired him to build our prototype system - his rates are very reasonable, and obviously he is the authority since he wrote it.
        • By the same token, the lack of documentation causes the project to be less useful. However, it seems that many open source developers start their projects with the goal of making money someday through implementation services, and writing a successful open source app that people want to use but not documenting it means that people will pay you to set it up and train their employees. If this is your goal, then it is probably in your best interest not to write good documentation.

          Open source stopped being about
      • by arivanov (12034) on Wednesday April 26, 2006 @01:13AM (#15202763) Homepage
        Bollocks.

        It works fine behind a NAT in either UDP or TCP mode. Have always worked. I run it for road warrior access for a 3rd year now after switching over from an IPSEC/PPTP solution.

        If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.

        A measly 320£ worth Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50MBit+. The comparable Cisco device is a higher end PIX or a 3000 series concentrator which costs 5 times that.

        In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.
        • I agree. OpenVPN is a very customizable, secure, and inexpensive solution. If you don't know how to set it up with firewalling you can check out The Endian Firewall Distro/Project http://www.efw.it/ [www.efw.it] It is based on IPCop http://ipcop.org/ [ipcop.org]
        • Does OpenVPN require opening a port in the hardware firewall? Can OpenVPN establish a connection when the firewall does not have an internet address, but is connected to another firewall, over which we don't have control?

          I don't see anything on the OpenVPN web site about this.

          One side of our system is behind a NAT with an Internet address. The other side is at an international airport, and we don't have control over the Internet arrangements there. We can only connect to their firewall.
      • I have set up a new firewall at home last weekend using FreeBSD, PF, and OpenVPN. I haven't used PF and OpenVPN before and it took maybe one afternoon to set it all up so it's not that hard. (no, not a simple home version, but one involving crossing a firewall at work, and on my side separate networks for internal, dmz, and wireless) I'd say give it a shot and just build two test machines, especially because you can monitor realtime what PF is doing by using tcpdump on the pflog0 interface.
      • by Wudbaer (48473)
        I can confirm that it works fine with multiple clients behind a NAT firewall (which more often than not totally fucks up commercial IPSec-based VPN clients). I mean - it's basically SSL, so there is no reason why it shouldn't. Setup was a breeze, reliability in my book is very good. OpenVPN is much much better than the Watchguard MuVPN solution I replaced by it (basically a souped-up OpenSWAN with the SafeNet Soft Remote Client). Also clients are available for all mainstream platforms, which is also always
        • I've been using OpenVPN to connect to my server and nat thru it to a client's network :

          [home] -(openvpn1)-> [my company network server] -(NAT on openvpn2)-> [client's network].

          works perfect, and setup was extra easy on a gentoo server.

          check out the howto [openvpn.net], especially the quickstart guide to get an idea of how it works.
          I'm using it alongside Shorewall (in each vpn conf I assign a particular tun device, which I can refer to in the shorewall conf.. this makes traffic rules configuration as trivial as some
  • IPCOP (Score:3, Informative)

    by mcamino (970752) on Tuesday April 25, 2006 @10:50PM (#15202345)
    Hey. We run a medium sized ISP out of wilmington, delaware and we have hads GREAT luck using IPCOP and Linksys BEFSX41 endpoints. The linksys routers are easy to setup and configure and they can be bought cheaply on ebay or any staples or compusa. IPCOP is completely linux based , The setup is more idiot proof then a windows install, and it has a web based admin which rivals standard stand-alone routers. Ipcop can run on tons of hardware configurations. We personally run it with 5 Network cards and it handles the VAST MAJORITY OUR OUR ROUTING needs. did i mention ipcop is free? Give it a try.
    • Agreed. I use IPCop to link five regional offices. Net-to-net VPN with IPCop is great. "Road-warrior" IPCop with Windows clients is tough to get set up, which is why some people run OpenVPN in concert with IPCop, or use client-side hardware as the parent poster does.

      For offices ranging from 5-35 employees, I use old 200-400MHz Dell desktops with ~128MB RAM and 4-8GB hard drives as the IPCop routers.
    • by InitZero (14837) on Wednesday April 26, 2006 @08:45AM (#15204191) Homepage
      I have used IPCop for many, many months. With
      the OpenVPN addon, it makes a sweet RoadWarrior
      setup. The OpenVPN GUI is even easy enough for
      our executives to use.

      For us and our 30-something employees, it cost
      us nothing to put IPCop online. It ran for a
      year on a P-III/700mHz/256M Dell. We recently
      upgraded the RAM to 768M so we could make better
      use of the Squid cache.

      You can get an IPCop server online with VPN in
      under an hour. As long as you have a computer
      in the spare parts closet, IPCop is far less
      expensive than any other solution.

      Matt
    • I'll second this. A lot of people are recommending OpenVPN, however setting up a firewall with OpenVPN from scratch isn't exactly a trivial task, even for a netadmin. If you use IPCop you'll be getting the firewall ready to go, with the option for support, and OpenVPN is a drop-in-and-execute mod. I've been using IPCop/OpenVPN for over a year now and loving it. IPCop's web interface is as easy to use as any Linksys router, only far more powerful.

      You can use the built in FreeSWAN VPN features to establish ne
  • by mnmn (145599)
    Since its a small company, I assume you use a windows2000 or 2003 domain. Use an OpenBSD box that redirects PPTP connections to the windows server.

    Sure there are superior systems but they dont necessarily 'fit' into the small business wintel setup. If youre running an all Linux network, you wouldnt be asking this question and you sure as hell wouldnt look around for commercial offerings.

    If your users are OK with typing in an extra password, use OpenBSD's own SSH or ipsec based VPN, and L2TP on the client wi
    • you might try a nortel contivity vpn box. We have had good experiences with them where I work. You can run a client then to connect to it or if you opt for the SSL model then you can just hand out the webaddress and a java based client will run. It's fairly easy to setup. Support seems great (but I work directly with the companies nortel rep) We're just starting to roll them out company wide two 100 seat boxes. We've had beta users on the SSL VPN portal for months. The normal client version has been in pr
      • I agree. I have used Contivity boxes and they are very nice indeed.

        They are extremely easy to configure, and with RADIUS support, you can authenticate users off of a Windows Domain, Novell eDirectory, or a Unix system, whatever.

        The SSL card should not be totally necessary, depending on how many users, and the smaller onces are quite affordable.

        I came into a company that had an outsourced VPN solution that was generating some 20 calls a day to their help desk. The extremely sad fact of the matter
    • PPTP works well enough for me too. Certainly fits into the 'cheap' basket, although possibly not 'secure' if you are really into that sort of thing (technically it does have encryption though). Funnily enough, it works best without Windows - just install a cheap Linux box as a gateway at each point! (This would allow you to use any of the above VPNs anyway...)
  • Cisco VPN 3000 (Score:5, Informative)

    by anderiv (176875) on Tuesday April 25, 2006 @10:57PM (#15202380)
    At work (~90 employees...I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP vpn clients that come with most modern operating systems and it's also fully IPsec compatible. So...for example, if you wanted to, you could set up a linux gateway at home that would connect to your work VPN and establish a LANLAN VPN link.

    If this proves to be too expensive, you ought to look ag OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.
    • Re:Cisco VPN 3000 (Score:2, Interesting)

      by _RiZ_ (26333)
      Finally someone with some good advice. I would forget about anything which is considered consumer products. We use a whole host of Cisco 3000 series VPN devices for all sizes of small and large branch offices. We use from the 3002 to the 3030. I have to say, they are ultra reliable, very secure, very well supported by Cisco and the associated community of Cisco users, and has clients for major OS's. Its a win win situation if you ask me. You do have to shell out a little more than the guy who was reco
    • I recommend against Cisco's VPN since they restrict access to local networks, which can be fatal - dhcp, and other 'login' (eg many airports/cafes) mechanisms require access to the local networks. My company moved from a Cisco based system to OpenVPN in order to avoid such issues.
      • I'm not quite sure what you mean by restringting access to local networks. You still need to at least have an IP address before you can set up a tunnel. Also, we have set up split tunnelling on our setup and it works fine. Only traffic destined to our internal network gets sent over the VPN. The problem that we have had with airports is when they are set up in a private IP space that coincides with our private IP space. Too bad it happens to be that way with our local airport.
        • ok, for example, at a place I used to live at, they would make you visit a web page and make you log in. That would open a window in which a javascript script would send a 'heart beat' every so often to keep the connection open.

          No problem at all accessing the internet with just that.

          However, when I use Cisco's VPN client, it'll connect/etc no problem, but when the javascript attempts to send a heart beat, it fails because Cisco's VPN client diverts all traffic over the VPN.

          I've seen other places that use a
          • The VPN 3000 can be configured to leave default routing alone on the client side and only send specific traffic through the VPN. This way you don't need to guess the local network information, and don't load your company internet connection with traffic that does not need to be secured. It's not exactly trivial, but it is documented at http://www.cisco.com/warp/public/471/vpn35-split.h tml [cisco.com] . I wouldn't be completely surprised if the Cisco client still broke something, but we have a few hundred users and
      • They only restrict access to local network if they're *configured* to do so. In our setup, we allow clients' simultaneous access to both their local networks and the remote network.
    • Re:Cisco VPN 3000 (Score:2, Interesting)

      by Fhqwhgadss (905393)
      I would have to respectfully disagree. I run a VPN3030 installation and it has provided numerous headaches when coupled with the Cisco VPN Client for both Windows and OSX. The clients frequently got disconnected from the concentrator until we disabled IKE keepalives and changed the rekeying interval to 8 hours. The WEBVPN feature absolutely sucks, having caused several crashes and rendering several web pages badly. The client for OSX on Intel fails miserably; we're pushing out Cisco's new client for tha
      • what cisco client were you running? it took cisco a long time to really figure out how to deal with xp sp2 firewall enabled. Some of the early 4.0x clients would work, but tcp tunnelling would be broken, etc. Cisco does some wonky stuff with using high numbered ports for messaging between the various parts of the vpn client, and enabling exceptions for them with sp2's firewall never really seemed to work.

        I liked the 3030 a lot. We told the Mac OS 9 users to pound sand, but we did have some people using the
    • I'm going to reply to myself here to try and dispell some of the misinformation that people are posting about the Cisco 3000 series VPN solutions. Several people have mentioned that the vpn restricts access to local networks, that it resets the DNS settings and changes the default gateway. Yes - it *can* do that, but it has to be specifically configured to do so. In our setup, we allow full access to both the local and remote networks simultaneously. After administering our VPN box for two years, I am s
  • DIY VPN (Score:4, Informative)

    by strredwolf (532) on Tuesday April 25, 2006 @10:57PM (#15202381) Homepage Journal
    I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

    Windows has the client native to the system. Linux can compile PPP and the PPTP client, and w/kernel 2.6.15+ you don't need to patch the kernel to get MPPE encrypton/compression. Solaris, alas, needs some patching. I googled this:

    http://mcarpenter.free.fr/Dev/pptp.php [mcarpenter.free.fr]

    All works fairly well.
    • PPTP sucks if you're behind a NAT. You tend to get issues where you can connect fine once, but then you can't connect again properly for hours. I think what happens is the NAT can't always tell when the PPTP connection ends and keeps the ports tied up on the router, preventing another connection from succeeding. I haven't tried very hard to find out what the exact problem is though, as it's not very obvious.
  • Poptop (Score:4, Informative)

    by PAPPP (546666) on Tuesday April 25, 2006 @11:04PM (#15202402) Homepage
    If you want good integration with windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop [poptop.org]. Runs on most any *nix, entirely compatible with the builtin PPTP support in recent versions of windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest linux box and it hasnt given me any trouble connecting from WinXP or linux clients.
    • Just one problem with this.. it seems like using it with the Microsoft client will pretty much restrict you to MS-CHAP v2, which is horrendously broken (as described on the poptop website: wildly insecure. It looks more easily broken than WEP, and WEP is pretty damn easy (apples and oranges, but still..)

      OpenVPN looks to be about the only really good choice at the free level. If I'm wrong, I'd love to know about it, though.
  • Windows Server 2003? (Score:1, Informative)

    by Anonymous Coward
    I'm not sure if you are using Windows Server 2003 on site, but if you have a license to it then Microsoft already has a VPN solution. See this how-to:
    http://blog.hishamrana.com/2006/04/07/how-to-windo ws-2003-vpn-server/ [hishamrana.com]
  • OpenVPN (Score:5, Informative)

    by peacefinder (469349) * <alan...dewitt@@@gmail...com> on Tuesday April 25, 2006 @11:17PM (#15202452) Journal
    Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

    (However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

    If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.
    • Re:OpenVPN (Score:3, Informative)

      by jamesh (87723)
      I second that. Dead easy to set up, and does almost everything you could want.

      The one and only 'gotcha' I found, is in situations where PTMU isn't working right and you are using compression on the tunnel packets. The MTU of the tunnel thinks it's 1500, but it should really be 1500 less the tunnel overhead. A ping shows that a 1500 byte packet gets though, but only because it's easily compressible data. When you start moving actual data around suddenly connections hang for no readily obvious reason. It coul
  • by Xenophon Fenderson, (1469) <xenophon+slashdot@irtnog.org> on Tuesday April 25, 2006 @11:33PM (#15202506) Homepage

    I really like OpenVPN [openvpn.net]. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to [openvpn.net]. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws [schneier.com]. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel [sites.inka.de] and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea [sites.inka.de].

    I'm using OpenVPN to tie routers running OpenWRT (Linux) [openwrt.org], routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

    • OpenVPN is great. We've tried the PPTP thing, but there is a tendancy for users to dink with settings that end up with unwanted traffic on our network (e.g. default route goes through the vpn).

      OpenVPN puts all of this in a config file even on windows. Distribute the config and installation package and you're done. Need more security? Distribute the key files as well.
      • Odd. In our case we WANT the default user route to be forced through the VPN. That way we control exactly what they do WHILE on the VPN. I loved that about the Cisco VPN Client. Captive VPN. But oddly enough, the Netscreen client doesn't really work the same way even though SafeNet makes both of them.
        • I would avoid safenet stuff like the plague...
          Looking at their own safenet branded vpns -
          The windows client crashes when you send certain ipv6 traffic to it's mac address (it locks up solid, you have to power cycle)
          The linux client requires redhat 9 with it's default (no patches for the local kernel vulns discovered in 2003) kernel and a particular version of sun's jre (which is no longer available from sun's site due to being so old), and even then still doesn't work properly.
          The solaris client only works
    • You do realise that that Schneier article about flaws in Microsoft's PPTP is eight years old, right?

      Microsoft released a patch/upgrade (DUN 1.3) for Windows 95, Windows 98 and Windows NT 3.51 which Schneier agreed [schneier.com] fixed most of the problems.
  • My Experience (Score:3, Informative)

    by Anonymous Coward on Tuesday April 25, 2006 @11:35PM (#15202510)
    Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

    I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.
    • There are currently easy-to-find howtos that take 10-15 minutes to set up a simple VPN, and they are clearly marked on the OpenVPN website. The Windows client, while it doesn't have a GUI, it is a service, which makes it fairly simple to enable/disable with a GUI, or just leave on all the time. Config files can be copied from one client to another, only a couple of lines need be changed -- and it's possible to avoid even that.
    • I don't know when you tried it, but when I did (recently) there was a 'quick setup guide' and it took me less than 10 minutes to set up with a simple pre-shared key.
      • I tried this about 2 years ago. 10 minutes was just about the compile time. I finaly got it working after about two weeks and thought about using another solution if it ever went down. I don't support that site anymore and have no clue what they are using now. Things must have realy changed in the last year or so.
        • I guess they must have; not only did I set it up within 10 minutes, I instructed someone how to set it up who had never set up a VPN before in around 10 minutes. The example that comes with OpenVPN is just about ready to go for a simple preshared key setup - just substitute your own information where necessary.
          • I'm goign to have to revisit this then. Sometimes i forget that in open source the development cycle is multiple times faster then regular software. It is good to here it is alot better.
    • Re:My Experience (Score:5, Informative)

      by youngerpants (255314) on Wednesday April 26, 2006 @07:40AM (#15203789)
      I have very recently (last week) set up an OpenVPN service for one of my clients on an Ubuntu box.



      http://www.itsatechworld.com/2006/01/29/how-to-con figure-openvpn/ [itsatechworld.com]

      That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.

      • That is a really, REALLY nice guide.

        For those who say that OpenVPN's guide is straightforward either have years of networking experience behind them, or simply haven't tried to set up OpenVPN with it. (That is, at least on Windows)

  • Astaro (Score:3, Interesting)

    by dracocat (554744) * on Wednesday April 26, 2006 @12:08AM (#15202608)
    I have definately become a fan of Astaro [astaro.com]. It is not free, but in my opinion very reasonable, and worth the cost in time savings. It works with the built-in windows client, and the thing pretty much installs and sets itself up. They have a free 30-day full featured demo, and the entire thing is free for "home use".

    Did I mention I have become a huge fan? or was it already obvious?
  • you don't tell us enough about your proposed VPN topology...

    still, OpenVPN can do it all, so I vote for that.
  • *shrug* (Score:3, Informative)

    by Theatetus (521747) on Wednesday April 26, 2006 @12:14AM (#15202625) Journal

    Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.

  • DUPE.

    http://slashdot.org/comments.pl?sid=182998&cid=151 23283 [slashdot.org]

    I know, I know, that one said "distributed". Sheesh. My answer remains the same. OpenVPN, like 90% of the answers here. :P

    I'm not being cynical. I'm just tired. :D
  • M$oft. (Score:4, Funny)

    by ikejam (821818) on Wednesday April 26, 2006 @12:42AM (#15202688)
    MS ISA Server.

    HEY I'm just providing an alternative.
    • Re:M$oft. (Score:1, Insightful)

      by Habahaba (824033)
      I agree. MS ISA is easy way to go and small / medium sized company is likely to have Exchange and / or Windows 2003 server anyways.

      Besides, the client is already included with WinXP...

  • I'm the systems admin (domain admin. donning asbestos suit.) for a small/medium busines in New Orleans. We use one Netscreen25 [netscreen.com] in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not ab

  • Hamachi is pretty much what you're looking for.

    Or if you like to stuff around, OpenVPN.
    • How is Hamachi what you're looking for? I could be mistaken but I gave Hamachi a whirl cause it was quick to get up and running and basically it just lets you browse the machine you install hamachi on in the remote network. I'm not sure about this user but for me VPN needs to let me logon to the domain remotely. For example, my client has his company laptop at home and he logs onto the company domain via vpn so as far as he's concerned he's connected to the lan. Can you do this with OpenVPN?
  • I was just looking for something to do this same thing. I haven't solved the problem yet, but Netgear and Linksys have some inexpensive stuff. I ordered the Linksys RV042 and it should arrive today. I'm anxiously awaiting setting it up and testing it because of the Dual WAN functionality. My second internet connection should arrive on Thursday :)

    http://www.netgear.com/products/business/prod_vpnr outer_wired_security_sb.php [netgear.com]
    http://www.linksys.com/servlet/Satellite?c=L_Produ ct_C1&childpagename=US [linksys.com]
    • I was just looking for something to do this same thing. I haven't solved the problem yet, but Netgear and Linksys have some inexpensive stuff.

      Dude, there is a reason why they're inexpensive. If you stick to exactly the same model with the same firmware version at each site, you might be OK as long as you don't do anything too strenuous with it. Or expect it to work the majority of the time.

      If this is something you're doing at home then fine. If you're proposing to implement a corporate VPN with consumer rou
  • m0n0wall (Score:1, Informative)

    by Anonymous Coward
    I setup an IBM x300 server and m0n0wall [m0n0.ch] as my router and it has worked fantastically. It supports IPSec tunnels, as well as PPTP connections. I have two IPSec tunnels to remote sites which both have PIX routers (501 and 506E), as well as connections from remote PPTP clients which is easy to setup and I have never had any problems. Highly recommended for anyone looking for both a simple and powerful solution.
  • You might want to consider the Java based SSL Explorer [3sp.com] as a possibility. No client side code is required, just a browser and one hole punched through the firewall to the server.

    LW
  • Or is this just a stupid question? Every firewall product I have seen in the past 5 years (I have used NetScreen, Watchguard, Fortinet, Cisco PIX and Cisco ASA units) has IPSec VPN capability built in. IPSec is a standard and is supported in a wide variety of clients available on just about every operating system. Being a standard it is also compatible with other firewall/VPN vendors' implementations of IPSec. Assuming that your small/medium business has a firewall, just use what it has built in. Licen
  • I was asked by my boss to evaluate VPN between the red interfaces of two IPCop [ipcop.org] machines. Talk about simple. I don't know exactly how well it scales, but it can't be horrible. Today, one of my tasks is find out if and how well it works with m0n0wall and in roadwarrior configuration.
  • There isn't enough information provided, but it sounds like a pretty small operation and simplistic setup sounds like what you need.

    A main office with several small satellite offices (or small retail stores) I would suggest SonicWall product. (or NetScreen) Small remote offices can use the small single point VPN TZ series devices that allows a single site-to-site VPN and the main office can use a larger product like the 2040 or the 5060 with support I beleive 50 and 2000 VPN sessions respectively. (with s
  • Secure VPN goodness in ten easy steps: IPCOP-OpenVPN HOWTO [thinkhole.org].

    Free, it works great under both Windows and Linux, and you don't need to be a computer whiz to setup your laptop to connect to it. Good stuff.

  • by WuphonsReach (684551) on Wednesday April 26, 2006 @08:41AM (#15204161)
    One of the big issues with VPN technologies is the NAT routers that protect home offices. The corporate office side is easy, just punch the appropriate holes in the firewall and the remote clients can easily connect to the network.

    Where things fall apart is that you have multiple laptop users who are behind their own NAT routers at their homes. You need to use VPN software on the laptops (not on the NAT routers) because you only want their work machines connecting in. That's easy enough, until you run into a situation where you have 2 or 3 users who get together and collaborate frequently behind a single NAT router.

    It seems like PPTP (maybe SSL?) was better suited for situations where you might have multiple users VPN'ing in from the same source IP address (hidden behind a NAT router, such as an ad-hoc meeting in someone's house or multiple users meeting in a coffee shop). All of my readings on IPSec indicated that IPSec can't handle that particular usage style.

  • snapgears! (Score:4, Interesting)

    by alta (1263) on Wednesday April 26, 2006 @08:43AM (#15204166) Homepage Journal
    Cyberguard bought snapgear, but they still sell the same products. These are great little boxes that we used to set up a 7 office network across the state of alabama across whatever networks were cheapest (cable, dsl, T1)

    We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.
  • We have 2 vpn methods. Our main vpn is a hub and spoke topology where our branch offices all connect into our corporate hq. What we use in this case are cheap off the shelf Netgear routers + either dsl, cable, or T-1 connections to our corporate hq which has 3 T-1 lines bonded. The branch routers are FVS318v3 (the v3 is very important much improved processor + ssl for remote mgmt). Our hq uses a FVX538 which has fail-over and load balancing capabilities. I know some do not like Netgear but we have been usin
  • I have a very small business with three locations (one is my home). The ISP connection varies some are Comcast some are Verizon residential DSL.

    As I see it I have three problems. 1. The IP address will be dynamic from the ISP's and 2. Most of the PC's are running Win XP home 3. Would prefer a no cost solution

    I would like to be able to remote desktop (ie contral/access) any pc from any location.

    I have successfully installed http://hamachi.cc/ [hamachi.cc] Hamachi to address the dynamic IP issue but am working on the XP
  • racoon ISAKMP daemon (Score:3, Informative)

    by Jizzbug (101250) on Wednesday April 26, 2006 @10:09AM (#15204820)
    racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

    At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

    We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

    It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).
  • Check out http://pfsense.org/ [pfsense.org]. FreeBSD 6.x based, uses pf packet filter, supports multiple VPN protocols, runs on embedded hardware as well.

    Running it now on Soekris Net-4801 device http://soekris.com/ [soekris.com]. Sweet. Smooth.

  • You don't state how many users you have, whether you're using the VPN for site to site or user access, but: I just read about the Sonicwall SSL-VPN 200. Since its SSL it doesn't need a client installed on your users machines and is much easier to configure than the Cisco. For Windows users, there's even an applet that allows TCP/IP applcications to connect to their servers. I've not tested it, but for $600 bucks it's not to bad a deal and Sonicwall has always made good hardware. If you already have a fir
  • Has easy-to-use built-in PPTP and L2TP VPN that works with Windows, Mac OS X and Linux clients. It also includes nice goodies like Apache, Samba, Directory Services, Jabber Server, etc.

    Of course, you need a Macintosh to run it. I would suggest a Xserve G5. They're very nice. But any 'ol Power Mac or Dual Core will do...
  • How small? (Score:3, Informative)

    by WhiteWolf666 (145211) <{su.narima} {ta} {niwrehs}> on Thursday April 27, 2006 @11:49AM (#15213456) Homepage Journal
    Are we talking 5-10 man offices, over a DSL line?

    Get a WRT54G. Run DD-WRT. Use either the PPTP server or OpenVPN.

    Done and done.

    Of course, your WRT54G won't handle more than 10 users or so; you'll want to switch to a dedicated box or router for that. But you can't beat it in terms of cost/avaliability-- you can get this sucker up and running in 5 minutes flat, pick one up from bestbuy for ~$50, and there are no moving parts whatsoever.

    For a very small office, its great. For a series of small offices in a larger company, its okay too. We use this sort of segmented VPN in our offices because of bandwidth reasons; we don't have enough uplink at any given location to really setup a better solution, and we can't financially justify purchasing more than 1 Mbit/s of uplink anywhere.
  • pfSense [pfsense.org], now in late beta, is the solution.
    It's FreeBSD 6.1+OpenBSD's pf + ALQ-Traffic-Shaper+IPSEC+PPTP + CARP + lot's more stuff all wrapped into an easy to understand interface.
    Forget about all the other firewall "GUIs" (or lame attempts at GUIs) you've seen before, especially for the unreadable, ever-changing Linux-firewall engines.
    pfSense has the performance, the feature-set, the reliability and the usability to be a real Checkpoint- and Netscreen-killer.

    One quote from the mailing-list says it

  • by PFactor (135319) on Friday April 28, 2006 @07:00AM (#15219836) Journal
    Citrix bought a company called Net6 a couple of years ago. Net6 made an SSL VPN "appliance", which runs a hardened Linux OS. Citrix rebranding it as the "Citrix Access Gateway", or CAG.

    The 1st iteration was not so good because they rushed the rebranding and integration stuff. The 2nd and 3rd iterations were OK.

    The latest revision is quite good. It supports around 2000 concurrent users, has easy to use yet powerful access controls and integrates nicely with Citrix's Presentation Server 4 product.

    The cost is pretty good: the box is $2500 and licenses retail for around $100/concurrent user. If you have 100 users and your highest expected concurrent remote access count is 25, your cost would be $2500 + 25 x 100 = $5,000. If you buy 2 boxes (they have a built-in failover mechanism for redundancy), the cost would be $7500.

    I work for a major healthcare provider and we're replacing Cisco VPN concentrators with the CAG. We bought 4 CAGs and are using Citrix's Advanced Access Control (AAC) product to integrate the CAGs with our internal portals (AAC makes the cost go up pretty high, though). We have around 40,000 users and our max concurrent remote users is currently around 4,000.

    Check it out: http://www.citrix.com/English/ps2/products/product .asp?contentID=15005 [citrix.com]

    And no, I'm not the CEO of Citrix in disguise. I just believe in their products; we've saved a ton of $$$ using them!

There must be more to life than having everything. -- Maurice Sendak

Working...