VPN Solutions for Small/Medium Businesses?
artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"
One word: PIX (Score:4, Informative)
Re:One word: PIX (Score:5, Informative)
Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company [cdw.com], and buy yourself a nice 24" LCD with the leftover $700.
30 concurrent VPN connections. Dual internet ports that can function as failover or load balancing. Built-in 4-port switch. $180. That's small business.
~Will
Re:One word: PIX (Score:2)
I eventually solved the problems, but the solution involved bypassing the client side QuickVPN software. There are plenty of postings on the web about the problem and Linksys support are basically unresponsive. However, I am pretty sure I know the root cause of the problem.
On the plus side, I can't see any evidence that the tunnels that I have created using my home-brew solution are counted against th
Re:One word: PIX (Score:1, Informative)
The RV042 is a horrible product. It reboots constantly, getting the VPN to work is a nightmare, and Linksys support is absolutely horrible. Linksys can't seem to be able to put out a decent VPN product.
The PIX 501 just works. VPN was easy to set up and there is lots of free support on the web and in the newsgroups.
Based on my experience with the 501, the 506 would be a much better solution.
Linksys != Cisco.
Re:One word: PIX (Score:2)
* I don't know Cisco at all
* I've never used this particular router
* I'm more of a Sonicwall guy than anything
That being said, I set up a Linksys VPN router / 8-port switch at a client site. Overall it was a pretty good unit, but the issue was with the Linksys VPN software. Not only is it very crippled compared to Sonicwall's client software - I assume they do this on purpose to get you to go with a full-featured Cisco - but the software appears to just be a wrapper for Win XP's defau
MOD parent down as an idiot (Score:3, Informative)
That said I'd recommend either a Pix 501 or 506 for a
Re:One word: PIX (Score:3, Informative)
But for any size business I don't think a pix 501 is a good choice for a VPN concentrator.
If the submitter already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?
Re:One word: PIX (Score:3, Informative)
There are some limitations with the Windows built-in PPTP services. This isn't even starting to mention that it is less secure (but sufficient in most cases) than a full-blown IPSec using certificates.
One limitation I think we ran into is a practical limit of about 5 or 6 connections at the same time. On ours, it would either drop connections to allow more than that
Re:One word: PIX (Score:2)
PS, I'm not allowed to mess with this server other than reading logs (which didn't show any related to the connection problem); it is under warranty and the BossMan says they are going to use
Re:One word: PIX (Score:2)
Re:One word: PIX (Score:2, Informative)
Maintenance is especially irritating when it comes to the Cisco VPN client: you cannot obtain a legitimate copy from the Cisco website without a maintenance agreement. And there are fairly frequent updates.
Re:One word: PIX (Score:2)
I have determined that Watchguard apparently charges 30% for the annual maintenance and software rights - so while it might be cheaper upfront, the costs add up. Cisco's contract is in the high teens annually.
Netscreen will charge you the current year's maintenance, and all the back years' if you want to get an old/used Netscreen's service reinstated.
I know cisco sells a one time upgrade SKU, if you just want to upgrade the firmware on your hardware (I am not sure if it is avai
Re:One word: PIX (Score:3, Informative)
Oh, and to answer the cross-platform question, there are VPN clients for Windows, Solaris, Linux and Mac OS X.
Try Hamachi. (Score:3, Informative)
However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.
Other Issues: Hamachi setup time. Insecurity. (Score:3, Informative)
Hamachi setup: The setup time for Hamachi is exactly what they say: a few minutes. The interface is a bit quirky, and the documentation is limited.
Anyone using Hamachi may want to run it as a service; see this explanation from Cyberonica [cyberonica.com].
Insecurity: Hamachi uses a very sensible technique for getting around firewalls and NAT. So does Skype VOIP [skype.com]. Of course, that means firewalls and NAT are not really protecting us.
In no way am I saying that Hamachi itself is insecure. I don't think t
OpenVPN requires you to have access to the router. (Score:3, Informative)
Hamachi works when you don't have access to the router. In some cases in which the router is administered by someone who won't give you access, Hamachi can work where OpenVPN won't.
Openvpn (Score:4, Informative)
OpenVPN behind a NAT? (Score:2)
Anyone have experience?
More about OpenVPN behind a NAT firewall. (Score:2)
As you can see, there are very few documents that mention NAT firewalls.
In some ways OpenVPN appears to be a typical Open Source project. Documentation is often more work than writing the program, and most Open Source developers don't want to do the documentation, and don't want anyone else to do it, because of perceived loss of credit.
Re:More about OpenVPN behind a NAT firewall. (Score:3, Insightful)
Re:More about OpenVPN behind a NAT firewall. (Score:2)
Open source stopped being about
Re:OpenVPN behind a NAT? (Score:4, Informative)
It works fine behind a NAT in either UDP or TCP mode. It has always worked. I have been running it for road warrior access for a third year now, after switching over from an IPSEC/PPTP solution.
If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.
A measly £320 worth of Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50 Mbit+. The comparable Cisco device is a higher-end PIX or a 3000 series concentrator which costs 5 times that.
In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.
Re:OpenVPN behind a NAT? (Score:1)
Can OpenVPN make a connection w/o outside address? (Score:2)
I don't see anything on the OpenVPN web site about this.
One side of our system is behind a NAT with an Internet address. The other side is at an international airport, and we don't have control over the Internet arrangements there. We can only connect to their firewall.
Re:OpenVPN behind a NAT? (Score:3, Informative)
Re:OpenVPN behind a NAT? (Score:3, Informative)
Re:OpenVPN behind a NAT? (Score:2)
[home] -(openvpn1)-> [my company network server] -(NAT on openvpn2)-> [client's network].
Works perfectly, and setup was extra easy on a Gentoo server.
check out the howto [openvpn.net], especially the quickstart guide to get an idea of how it works.
I'm using it alongside Shorewall (in each vpn conf I assign a particular tun device, which I can refer to in the shorewall conf.. this makes traffic rules configuration as trivial as some
IPCOP (Score:3, Informative)
Re:IPCOP (Score:2)
For offices ranging from 5-35 employees, I use old 200-400MHz Dell desktops with ~128MB RAM and 4-8GB hard drives as the IPCop routers.
Re: IPCOP -- I Second That (Score:5, Informative)
the OpenVPN add-on, it makes a sweet RoadWarrior setup. The OpenVPN GUI is even easy enough for our executives to use.
For us and our 30-something employees, it cost us nothing to put IPCop online. It ran for a year on a P-III/700MHz/256M Dell. We recently upgraded the RAM to 768M so we could make better use of the Squid cache.
You can get an IPCop server online with VPN in under an hour. As long as you have a computer in the spare parts closet, IPCop is far less expensive than any other solution.
Matt
Re:IPCOP (Score:2)
You can use the built in FreeSWAN VPN features to establish ne
PPTP (Score:2)
Sure there are superior systems but they don't necessarily 'fit' into the small business Wintel setup. If you're running an all-Linux network, you wouldn't be asking this question and you sure as hell wouldn't look around for commercial offerings.
If your users are OK with typing in an extra password, use OpenBSD's own SSH or ipsec based VPN, and L2TP on the client wi
Re:PPTP (Score:1)
Re:PPTP (Score:1)
They are extremely easy to configure, and with RADIUS support, you can authenticate users off of a Windows Domain, Novell eDirectory, or a Unix system, whatever.
The SSL card should not be totally necessary, depending on how many users, and the smaller ones are quite affordable.
I came into a company that had an outsourced VPN solution that was generating some 20 calls a day to their help desk. The extremely sad fact of the matter
Re:PPTP (Score:1)
Cisco VPN 3000 (Score:5, Informative)
If this proves to be too expensive, you ought to look at OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of Linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.
Re:Cisco VPN 3000 (Score:2, Interesting)
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:1)
No problem at all accessing the internet with just that.
However, when I use Cisco's VPN client, it'll connect/etc. no problem, but when the JavaScript attempts to send a heartbeat, it fails because Cisco's VPN client diverts all traffic over the VPN.
I've seen other places that use a
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:2, Interesting)
Re:Cisco VPN 3000 (Score:2)
I liked the 3030 a lot. We told the Mac OS 9 users to pound sand, but we did have some people using the
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:1)
Re:Cisco VPN 3000 (Score:2)
DIY VPN (Score:4, Informative)
Windows has the client native to the system. Linux can compile PPP and the PPTP client, and w/kernel 2.6.15+ you don't need to patch the kernel to get MPPE encryption/compression. Solaris, alas, needs some patching. I googled this:
http://mcarpenter.free.fr/Dev/pptp.php [mcarpenter.free.fr]
All works fairly well.
Re:DIY VPN (Score:1)
Re:DIY VPN (Score:2)
Poptop (Score:4, Informative)
Re:Poptop (Score:2)
OpenVPN looks to be about the only really good choice at the free level. If I'm wrong, I'd love to know about it, though.
Windows Server 2003? (Score:1, Informative)
http://blog.hishamrana.com/2006/04/07/how-to-wind
OpenVPN (Score:5, Informative)
(However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)
If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.
Re:OpenVPN (Score:3, Informative)
The one and only 'gotcha' I found is in situations where PMTU isn't working right and you are using compression on the tunnel packets. The MTU of the tunnel thinks it's 1500, but it should really be 1500 less the tunnel overhead. A ping shows that a 1500-byte packet gets through, but only because it's easily compressible data. When you start moving actual data around, suddenly connections hang for no readily obvious reason. It coul
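A small model of the gotcha described above, added here as an illustration (Python written for this page, not code from the post or from the OpenVPN project): with compression on and PMTU discovery broken, a zero-filled 1500-byte ping shrinks to a few bytes and fits inside the 1500-byte path, while incompressible application data encapsulates to more than 1500 bytes and is silently dropped. The overhead constants (outer IPv4/UDP headers, OpenVPN's opcode, packet-id, CBC IV, SHA1 HMAC, one compression flag byte, CBC padding) are assumed round figures for a `proto udp`/AES-CBC/SHA1 data channel, and zlib stands in for LZO; the sample packets are constructed.

```python
"""Model of the OpenVPN MTU/compression gotcha: compressible probes fit the
path, real data does not. Added illustration; overhead figures are assumptions."""
import os
import zlib

# Assumed per-packet overhead outside the tunnelled packet, in bytes
# (proto udp, AES-CBC cipher, SHA1 HMAC, comp-lzo enabled). Not measured values.
OUTER_IP = 20                         # outer IPv4 header
OUTER_UDP = 8                         # outer UDP header
OVPN_FRAMING = 1 + 4 + 16 + 20 + 1    # opcode, packet-id, CBC IV, SHA1 HMAC, compression flag
CBC_BLOCK = 16                        # CBC padding rounds the body up to a whole block


def tunnel_body(inner_packet: bytes, compress: bool) -> bytes:
    """Body that gets encrypted. Like comp-lzo, send the compressed form only when it
    is smaller; zlib is a stand-in for LZO here, not OpenVPN's own compressor."""
    if not compress:
        return inner_packet
    packed = zlib.compress(inner_packet)
    return packed if len(packed) < len(inner_packet) else inner_packet


def encapsulated_size(inner_packet: bytes, compress: bool) -> int:
    """Bytes on the wire for one tunnel packet carrying inner_packet."""
    body_len = len(tunnel_body(inner_packet, compress))
    padded = (body_len // CBC_BLOCK + 1) * CBC_BLOCK   # PKCS#7-style padding, always >= 1 byte
    return OUTER_IP + OUTER_UDP + OVPN_FRAMING + padded


def fits(inner_packet: bytes, compress: bool, path_mtu: int = 1500) -> bool:
    """With PMTU discovery broken, an outer packet larger than the path MTU is dropped."""
    return encapsulated_size(inner_packet, compress) <= path_mtu


def safe_tun_mtu(path_mtu: int = 1500) -> int:
    """Largest inner packet that fits regardless of content (worst-case padding)."""
    return path_mtu - OUTER_IP - OUTER_UDP - OVPN_FRAMING - CBC_BLOCK


def max_tcp_payload(path_mtu: int = 1500) -> int:
    """TCP payload that fits: inner MTU minus 20-byte IP and 20-byte TCP headers."""
    return safe_tun_mtu(path_mtu) - 40


# Constructed sample packets: a 1500-byte zero-filled ICMP echo, and 1500 bytes of
# incompressible data (random bytes stand in for already-compressed or encrypted content).
PING_1500 = bytes(1500)
DATA_1500 = os.urandom(1500)

if __name__ == "__main__":
    for name, pkt in (("zero-filled ping", PING_1500), ("real data", DATA_1500)):
        print(f"{name:16s} -> {encapsulated_size(pkt, True):4d} bytes on the wire, fits={fits(pkt, True)}")
    print(f"tun-mtu that always fits: {safe_tun_mtu()}, TCP payload: {max_tcp_payload()}")
```

The model explains why the ping succeeds and the transfer hangs: only the incompressible packets exceed the path MTU, and without PMTU feedback nothing tells the sender. OpenVPN's `tun-mtu` and `mssfix` directives exist for this case; note that `mssfix` is expressed in terms of the encapsulated UDP packet size (default 1450), not the inner sizes computed here.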
OpenVPN rawks the Casbah (Score:5, Insightful)
I really like OpenVPN [openvpn.net]. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to [openvpn.net]. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws [schneier.com]. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel [sites.inka.de] and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea [sites.inka.de].
I'm using OpenVPN to tie routers running OpenWRT (Linux) [openwrt.org], routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.
Re:OpenVPN rawks the Casbah (Score:2, Interesting)
OpenVPN puts all of this in a config file even on windows. Distribute the config and installation package and you're done. Need more security? Distribute the key files as well.
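Added example for the point above about distributing one config file, and for the earlier remarks that OpenVPN 2.0+ lets you push options from the server and that some VPN clients divert all client traffic into the tunnel (the Cisco VPN 3000 thread). This is Python written for this page, not code from the post or from the OpenVPN project: it parses an OpenVPN 2.x server config, reports whether clients end up split-tunnel or full-tunnel from the `push` directives, and flags a few settings worth reviewing before the file is handed out. Both sample configs are constructed; the certificate and key file names in them are placeholders.

```python
"""Parse OpenVPN 2.x server configs, summarise the routing pushed to clients
(split vs. full tunnel) and flag settings to review. Added example; the two
sample configs below are constructed, not taken from any real deployment."""
import shlex

# Constructed sample: the server pushes only the office LAN, so clients keep
# their normal default route (split tunnel).
SPLIT_TUNNEL_SERVER = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.5"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
"""

# Constructed sample: forces all client traffic through the tunnel and carries
# weak settings a quick review should catch.
FULL_TUNNEL_SERVER = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher none
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.10.0 255.255.255.0"
"""


def parse_ovpn(text):
    """Return a list of (directive, [args]); '#' and ';' introduce comments.
    push arguments are quoted in the file, and shlex removes the quotes."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith(';'):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def pushed(entries):
    """Directives the server hands to every client via 'push', split into tokens."""
    return [tuple(args[0].split()) for d, args in entries if d == 'push' and args]


def client_routing(entries):
    """What a client will do with its traffic after connecting."""
    routes, full = [], False
    for opt in pushed(entries):
        if opt[0] == 'redirect-gateway':
            full = True
        elif opt[0] == 'route' and len(opt) >= 3:
            routes.append((opt[1], opt[2]))
    return {'full_tunnel': full, 'routes': routes}


def review(entries):
    """Findings an admin should look at before distributing the config."""
    directives = {d: args for d, args in entries}   # last occurrence wins; fine for single-valued keys
    findings = []
    if 'tls-auth' not in directives and 'tls-crypt' not in directives:
        findings.append('no tls-auth/tls-crypt: control channel accepts packets from anyone')
    if directives.get('cipher', [''])[0].lower() == 'none':
        findings.append('cipher none: data channel is unencrypted')
    if directives.get('auth', [''])[0].lower() == 'none':
        findings.append('auth none: data channel has no integrity check')
    if 'user' not in directives or 'group' not in directives:
        findings.append('no user/group: daemon keeps root privileges after start-up')
    if client_routing(entries)['full_tunnel']:
        findings.append('redirect-gateway pushed: all client traffic, including local checks, goes via the tunnel')
    return findings


if __name__ == '__main__':
    for name, cfg in (('split', SPLIT_TUNNEL_SERVER), ('full', FULL_TUNNEL_SERVER)):
        entries = parse_ovpn(cfg)
        print(name, client_routing(entries))
        for finding in review(entries):
            print('  -', finding)
```

Because everything here is pushed from the server, changing from split to full tunnel is a one-line server edit and no client config needs redistributing; the review step is what keeps that convenience from shipping a `cipher none` or a control channel without `tls-auth`.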
Re:OpenVPN rawks the Casbah (Score:2)
Re:OpenVPN rawks the Casbah (Score:2)
Looking at their own SafeNet-branded VPNs:
The Windows client crashes when you send certain IPv6 traffic to its MAC address (it locks up solid; you have to power cycle).
The Linux client requires Red Hat 9 with its default kernel (no patches for the local kernel vulns discovered in 2003) and a particular version of Sun's JRE (which is no longer available from Sun's site due to being so old), and even then still doesn't work properly.
The Solaris client only works
Re:OpenVPN rawks the Casbah (Score:2, Informative)
Microsoft released a patch/upgrade (DUN 1.3) for Windows 95, Windows 98 and Windows NT 3.51 which Schneier agreed [schneier.com] fixed most of the problems.
My Experience (Score:3, Informative)
I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.
You might be an idiot... (Score:2)
Re:My Experience (Score:2)
Re:My Experience (Score:2)
Re:My Experience (Score:2)
Re:My Experience (Score:2)
Re:My Experience (Score:5, Informative)
http://www.itsatechworld.com/2006/01/29/how-to-co
That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.
MOD PARENT UP (Score:1)
Those who say that OpenVPN's guide is straightforward either have years of networking experience behind them, or simply haven't tried to set up OpenVPN with it. (That is, at least on Windows.)
Astaro (Score:3, Interesting)
Did I mention I have become a huge fan? or was it already obvious?
not enough info (Score:1)
still, OpenVPN can do it all, so I vote for that.
*shrug* (Score:3, Informative)
Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.
Re:*shrug* (Score:2)
I usually don't cry dupe, but.... (Score:2)
http://slashdot.org/comments.pl?sid=182998&cid=15
I know, I know, that one said "distributed". Sheesh. My answer remains the same. OpenVPN, like 90% of the answers here.
I'm not being cynical. I'm just tired.
M$oft. (Score:4, Funny)
HEY I'm just providing an alternative.
Re:M$oft. (Score:1, Insightful)
Besides, the client is already included with WinXP...
I use a Netscreen25 and Netgear ProSafe FVL328 (Score:2, Informative)
I'm the systems admin (domain admin; donning asbestos suit) for a small/medium business in New Orleans. We use one Netscreen25 [netscreen.com] in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurrent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not ab
Hamachi (Score:2)
Or if you like to stuff around, OpenVPN.
Bah Hamachi! (Score:1)
Linksys has some good products... (Score:1)
http://www.netgear.com/products/business/prod_vpnrouter_wired_security_sb.php [netgear.com]
http://www.linksys.com/servlet/Satellite?c=L_Product_C1&childpagename=US [linksys.com]
Re:Linksys has some good products... (Score:1)
Dude, there is a reason why they're inexpensive. If you stick to exactly the same model with the same firmware version at each site, you might be OK as long as you don't do anything too strenuous with it. Or expect it to work the majority of the time.
If this is something you're doing at home then fine. If you're proposing to implement a corporate VPN with consumer rou
repost (Score:1)
m0n0wall (Score:1, Informative)
For cheap try SSL Explorer (Score:1)
LW
Is it just me... (Score:2)
IPCop works (Score:2)
Not enough information (Score:2)
For a main office with several small satellite offices (or small retail stores) I would suggest a SonicWall product (or NetScreen). Small remote offices can use the small single-point VPN TZ series devices that allow a single site-to-site VPN, and the main office can use a larger product like the 2040 or the 5060, which support, I believe, 50 and 2000 VPN sessions respectively. (with s
IPCop + OpenVPN (Score:2)
Free, it works great under both Windows and Linux, and you don't need to be a computer whiz to set up your laptop to connect to it. Good stuff.
Home office users, NATs, and multiple users (Score:3, Insightful)
Where things fall apart is that you have multiple laptop users who are behind their own NAT routers at their homes. You need to use VPN software on the laptops (not on the NAT routers) because you only want their work machines connecting in. That's easy enough, until you run into a situation where you have 2 or 3 users who get together and collaborate frequently behind a single NAT router.
It seems like PPTP (maybe SSL?) was better suited for situations where you might have multiple users VPN'ing in from the same source IP address (hidden behind a NAT router, such as an ad-hoc meeting in someone's house or multiple users meeting in a coffee shop). All of my readings on IPSec indicated that IPSec can't handle that particular usage style.
snapgears! (Score:4, Interesting)
We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.
Site to Site + Remote Access (Score:1)
I have been struggling with this for a month!! (Score:1)
As I see it I have three problems: 1. the IP addresses will be dynamic from the ISPs; 2. most of the PCs are running Win XP Home; 3. I would prefer a no-cost solution.
I would like to be able to remote desktop (i.e. control/access) any PC from any location.
I have successfully installed http://hamachi.cc/ [hamachi.cc] Hamachi to address the dynamic IP issue but am working on the XP
racoon ISAKMP daemon (Score:3, Informative)
At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).
We also have a third concentrator which is configured to use Xauth and
It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).
pfSense (Score:1)
Running it now on Soekris Net-4801 device http://soekris.com/ [soekris.com]. Sweet. Smooth.
You can also look at Sonicwall (Score:1)
Mac OS X Server (Score:2)
Of course, you need a Macintosh to run it. I would suggest an Xserve G5. They're very nice. But any ol' Power Mac or Dual Core will do...
How small? (Score:3, Informative)
Get a WRT54G. Run DD-WRT. Use either the PPTP server or OpenVPN.
Done and done.
Of course, your WRT54G won't handle more than 10 users or so; you'll want to switch to a dedicated box or router for that. But you can't beat it in terms of cost/availability: you can get this sucker up and running in 5 minutes flat, pick one up from Best Buy for ~$50, and there are no moving parts whatsoever.
For a very small office, it's great. For a series of small offices in a larger company, it's okay too. We use this sort of segmented VPN in our offices because of bandwidth reasons; we don't have enough uplink at any given location to really set up a better solution, and we can't financially justify purchasing more than 1 Mbit/s of uplink anywhere.
pfSense (Score:2)
It's FreeBSD 6.1 + OpenBSD's pf + ALTQ traffic shaper + IPSEC + PPTP + CARP + lots more stuff all wrapped into an easy to understand interface.
Forget about all the other firewall "GUIs" (or lame attempts at GUIs) you've seen before, especially for the unreadable, ever-changing Linux-firewall engines.
pfSense has the performance, the feature-set, the reliability and the usability to be a real Checkpoint- and Netscreen-killer.
One quote from the mailing-list says it
Citrix Access Gateway (Score:3, Interesting)
The 1st iteration was not so good because they rushed the rebranding and integration stuff. The 2nd and 3rd iterations were OK.
The latest revision is quite good. It supports around 2000 concurrent users, has easy to use yet powerful access controls and integrates nicely with Citrix's Presentation Server 4 product.
The cost is pretty good: the box is $2500 and licenses retail for around $100/concurrent user. If you have 100 users and your highest expected concurrent remote access count is 25, your cost would be $2500 + 25 x 100 = $5,000. If you buy 2 boxes (they have a built-in failover mechanism for redundancy), the cost would be $7500.
I work for a major healthcare provider and we're replacing Cisco VPN concentrators with the CAG. We bought 4 CAGs and are using Citrix's Advanced Access Control (AAC) product to integrate the CAGs with our internal portals (AAC makes the cost go up pretty high, though). We have around 40,000 users and our max concurrent remote users is currently around 4,000.
Check it out: http://www.citrix.com/English/ps2/products/produc
And no, I'm not the CEO of Citrix in disguise. I just believe in their products; we've saved a ton of $$$ using them!
Re:Citrix Access Gateway (Score:2)
Looks like a good deal for the 50 user office, though I don't know any more about it than what I found with teh Google.