Please answer a couple NT Domain/VPN/remote client access questions

Al Dykes

As I understand it, I can enable PPTP forwarding on the VPN-aware
router/firewall combo that connects us to our ISP, turn on the PPTP server
on the W2K server, and then at-home W2K/XP systems can join the NT domain.
It looks like just about every router model can do this today.

Right?

If I add other NT servers to the company Active Directory domain, will
the PPTP connection described above make them all available to remote
users?

Suggest an entry-level router/firewall product combo that can
terminate an IPSEC tunnel and allow seamless access at the IP level to
the entire inside LAN. The client would have a VPN client like
Greenbow (www.greenbow.com).

I see that my old Linksys BEFSR41 has PPTP and IPsec passthru settings.
What do the new models with a "V" in the model # do differently?

I need a solution for our 100-person company where we will have two
concurrent VPN users, tops, and am trying to reduce my textbook
reading about VPN tunnels to a short list of appropriate products that
I can pick from. The small headcount makes big-bucks solutions
unjustifiable.

The company will use NAT addresses and some of the at-home users will
also be NAT'ed, so any solution has to work over a NAT-NAT connection.

Sorry for the general questions, thanks for your attention.

Chris Knapp

First off, PPTP and IPSEC are 2 different solutions that make connections at
different levels of the OSI model.

PPTP is much easier to implement for the newbie than IPSEC. Win2K's RRAS
does PPTP (as well as L2TP).
Install RRAS, authorize it into AD, allow remote access to the users under
ADUC, and you're usually good to go. The Linksys BEF series will pass through
the PPTP traffic so that you can forward port 1723 (I think) to a private
IP inside your LAN. If you have the Linksys do port forwarding on only that
port to your RRAS server, then you won't need to mess with the Windows
security settings recommended in RRAS help (it assumes your RRAS server is
on a public IP).

IPSEC can be handled directly by 2 IPSEC capable devices/clients. Win2K can
be an IPSEC endpoint. You could theoretically have 2 win2k servers act as
end points for each other and traffic would pass between their networks as
if they were local. Much configuration involved and 1 mistake can leave you
scratching your head.

Linksys VPN routers (among others) can act as an IPSEC endpoint too. Very
easy to configure too. Just make sure you know your subnets and public IP
information. Once the IPSEC tunnel is up between the 2 VPN routers, then you
can have the remote clients login to the host domain or you can have 2
separate domains now connect to each other and start a Trust.

On a side note, Cisco's PIX series uses a hardware device as 1 endpoint
(the PIX) and a software client (Cisco's VPN client) as the other endpoint.
This allows IPSEC tunnels to be created on endpoints that move around and
don't have static IP addresses. Unfortunately, the PIX solution will cost
you around $3K or so.
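Chris's advice to forward only what the RRAS server needs is the part most people get wrong on a SOHO router, so here is an added audit script (not from this thread and not tied to any Linksys firmware) that checks a port-forwarding table against what PPTP actually requires: TCP 1723 for the control channel and IP protocol 47 (GRE) for the tunnelled PPP frames, both pointed at the same internal host. The rule syntax, the sample rule sets and the 192.168.1.x addresses are constructed for the example; anything forwarded beyond those two entries is reported as extra exposure.

```python
"""
Audit a SOHO router's port-forwarding table for a PPTP (RRAS) server.

PPTP needs exactly two things let through the perimeter, both to the
RRAS host: TCP/1723 (control channel) and IP protocol 47, GRE (data).
Every other forwarded rule is extra exposure worth a second look.
The 'proto port -> target' rule syntax below is invented for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# (protocol, port) pairs PPTP requires; GRE has no port.
PPTP_REQUIRED = {("tcp", 1723), ("gre", None)}


@dataclass(frozen=True)
class ForwardRule:
    proto: str            # "tcp", "udp" or "gre"
    port: Optional[int]   # None for GRE
    target: str           # private IP the router forwards to


def parse_rules(text: str) -> List[ForwardRule]:
    """Parse lines like 'tcp 1723 -> 192.168.1.10' or 'gre -> 192.168.1.10'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        lhs, target = (part.strip() for part in line.split("->"))
        fields = lhs.split()
        proto = fields[0].lower()
        port = int(fields[1]) if len(fields) > 1 else None
        if proto in ("tcp", "udp") and port is None:
            raise ValueError(f"{proto} rule needs a port: {line!r}")
        if proto == "gre" and port is not None:
            raise ValueError(f"gre has no ports: {line!r}")
        ip_address(target)                         # raises on a bad address
        rules.append(ForwardRule(proto, port, target))
    return rules


def audit_pptp_forwarding(rules: List[ForwardRule], rras_host: str,
                          lan: str = "192.168.1.0/24") -> Dict[str, List[str]]:
    """Report missing PPTP pieces, extra exposure and misdirected rules."""
    lan_net = ip_network(lan)
    present = {(r.proto, r.port) for r in rules if r.target == rras_host}
    findings = {
        "missing": sorted(f"{p}/{port}" if port else p
                          for p, port in PPTP_REQUIRED - present),
        "extra": [], "misdirected": [], "outside_lan": [],
    }
    for r in rules:
        key = (r.proto, r.port)
        label = f"{r.proto}/{r.port}" if r.port else r.proto
        if ip_address(r.target) not in lan_net:
            findings["outside_lan"].append(f"{label} -> {r.target}")
        if key in PPTP_REQUIRED and r.target != rras_host:
            findings["misdirected"].append(f"{label} -> {r.target}")
        elif key not in PPTP_REQUIRED:
            findings["extra"].append(f"{label} -> {r.target}")
    return findings


# Constructed sample rule sets: the minimal one, and one with extra holes.
GOOD_RULES = """
tcp 1723 -> 192.168.1.10   # PPTP control channel to the RRAS server
gre -> 192.168.1.10        # GRE carries the PPP frames
"""
NOISY_RULES = GOOD_RULES + """
tcp 445 -> 192.168.1.10    # SMB exposed directly instead of via the VPN
tcp 3389 -> 192.168.1.20   # RDP to a second box
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("noisy", NOISY_RULES)):
        print(name, audit_pptp_forwarding(parse_rules(text), "192.168.1.10"))
```

Run it against a transcription of the router's forwarding page; an empty `missing` list with empty `extra` and `misdirected` lists is the state Chris describes, where the RRAS box never needs a public address of its own.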

Helpful

A cheap, effective solution is the Linksys BEFVP41 (http://www.linksys.com)
(about $100). It has a coprocessor for the VPN and supports up to 70
tunnels at the same time. Greenbow should work with it as will SSH,
Watchguard's VPN software client, and perhaps the Cisco client. Even the
Windows VPN client. You may also want to look at the Cisco Router 800
series and Symantec 200R.

Instead of using the router's hardware VPN for remote clients, you could
pass the PPTP VPN through and give your remote users the same access they
would have logging on locally to that W2K server. This class of router does
not seem to support multisubdomain routing via the hardware VPN in the
router so only the local LAN is accessible. That may meet your needs.
These routers should work NAT to NAT and connect fine to the local LAN, just
make sure the subdomains are different.

Other alternatives are the Zywall 10 II and the SonicWall tele3 SP. I like
the Symantec/Nexland 100, 200, and 200R for features. 3Com Router 3012
($600) looks interesting, but it was unclear to me that it provided gateway
to gateway VPN. 3Com OfficeConnect ($300) provides VPN, but no dialup
backup. The Multitech RF560 ($229)
http://www.multitech.com/PRODUCTS/Families/SOHO_VPN/ looks good, but only
1.5 Mbps on VPN and 10 tunnels. Cisco 831 ($450) looks best of all
http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet09186a008010e5c5.html .

Linksys (no dialup backup), 3Com (nice, but could not find dialup with VPN),
SMC (no dialup), D-Link (no dialup with VPN), Netgear (no dialup with VPN),
and Watchguard (no dialup with VPN). You may not care about dialup backup.
Many of these and other routers provide dual Ethernet ports for backup and
load balancing.

Good luck.
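The "make sure the subnets are different" caveat above is the one that bites NAT-to-NAT deployments: the tunnel comes up, but a home router on 192.168.1.0/24 can never route to an office that also uses 192.168.1.0/24. This added check (my own example, not code from anyone in this thread) uses Python's standard `ipaddress` module to compare an office LAN against each remote user's home LAN, flag the common factory-default ranges, and propose a /24 that collides with none of them. The office and home subnets are constructed sample values.

```python
"""
Detect private-subnet collisions before building a NAT-to-NAT VPN.

If the office LAN and a remote user's home LAN share an address range,
traffic for the far side looks local and never enters the tunnel.
Sample subnets below are constructed for the example.
"""
from ipaddress import ip_network
from typing import Dict, List, Optional

# Ranges shipped as factory defaults on many SOHO routers; an office on one
# of these will eventually collide with somebody's home network.
COMMON_DEFAULTS = [ip_network("192.168.0.0/24"),
                   ip_network("192.168.1.0/24"),
                   ip_network("10.0.0.0/24")]


def find_overlaps(office: str, remotes: Dict[str, str]) -> List[str]:
    """Names of remote sites whose LAN overlaps the office LAN."""
    office_net = ip_network(office)
    return [name for name, cidr in remotes.items()
            if ip_network(cidr).overlaps(office_net)]


def is_common_default(cidr: str) -> bool:
    """True if the range overlaps a typical SOHO router default."""
    return any(ip_network(cidr).overlaps(d) for d in COMMON_DEFAULTS)


def propose_office_subnet(taken: List[str],
                          base: str = "10.0.0.0/8") -> Optional[str]:
    """First /24 inside `base` that overlaps neither `taken` nor the defaults."""
    avoid = [ip_network(c) for c in taken] + COMMON_DEFAULTS
    for cand in ip_network(base).subnets(new_prefix=24):
        if not any(cand.overlaps(a) for a in avoid):
            return str(cand)
    return None


# Constructed example: office left on a router default, two home users.
OFFICE = "192.168.1.0/24"
HOME_LANS = {"alice": "192.168.1.0/24", "bob": "192.168.2.0/24"}

if __name__ == "__main__":
    print("colliding remotes:", find_overlaps(OFFICE, HOME_LANS))
    print("office on a factory default:", is_common_default(OFFICE))
    print("proposed office subnet:",
          propose_office_subnet(list(HOME_LANS.values())))
```

Renumbering the office once, to something unlikely to appear on a home router, is far cheaper than asking every remote user to reconfigure their own LAN, which is why the proposal function avoids the default ranges as well as the ones currently in use.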