#243079 - 02/12/2004 19:35
VPN Help
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
I've never set up a VPN from scratch before and I'm wondering how I should go about it. Anyone have experience with this sort of thing?
Here's the scenario:
- Office LAN at a small real estate office.
- Office is connected to the internet via DSL router that has a built-in NAT/Firewall.
- Router does not have VPN built in to the hardware. It does allow me to put in port forwarding (I think that's what they call "pinholes" in the router's menu).
- Office runs all Windows systems.
- Office has a server that's running Windows 2003 Server.
- A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.
I see a few ways I can go about this:
1. I can make the server a DMZ. **NOT**. Windows is too unsecure to expose out from behind a firewall like that.
2. I can port-forward the VPN requests through the router to the 2003 server, and activate/configure RRAS on that server.
3. I can replace the office router with one that has VPN built-in.
Never having done this before, my questions are...
If I do option 2, is it only one port that needs to get forwarded, and do I only need to do that on the office's router? Or do I need to do tricky stuff on the client side too?
If I do option 3, will the clients need hardware too, or can they just use the VPN client software that comes with windows?
Anyone have any other tips?
#243080 - 02/12/2004 20:00
Re: VPN Help
[Re: tfabris]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
All routers must support VPN passthrough at the least. The majority of recent routers do. If they don't then you cannot use 'AH' (authentication headers) as the NAT causes mismatches in the IP addresses. Not using AH renders your encrypted packets susceptible to man in the middle and spoofing attacks.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
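Why NAT breaks AH but not ESP, as a toy Python model (added here; not code from the thread or from any IPsec implementation). The key, the addresses and the HMAC-over-fields layout are constructed stand-ins for the real AH/ESP integrity check, which also carries SPIs, sequence numbers and replay windows.

```python
"""Toy model of the claim above: an AH integrity check covers the IP
source/destination addresses, so a NAT rewriting the source address makes
the receiver's check fail, while ESP authenticates only its own payload.

Added illustration, not code from the thread or from any IPsec stack.
Key, addresses and the HMAC-over-fields layout are constructed stand-ins.
"""
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # shared key of the toy security association


@dataclass
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    payload: bytes  # what the tunnel carries (already encrypted for ESP)
    icv: bytes      # integrity check value computed by the sender


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def _ah_scope(src: str, dst: str, payload: bytes) -> bytes:
    # AH authenticates the immutable IP header fields, addresses included,
    # together with the payload.
    return src.encode() + b"|" + dst.encode() + b"|" + payload


def ah_protect(src: str, dst: str, payload: bytes) -> Packet:
    return Packet(src, dst, payload, _mac(_ah_scope(src, dst, payload)))


def ah_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, _mac(_ah_scope(p.src, p.dst, p.payload)))


def esp_protect(src: str, dst: str, payload: bytes) -> Packet:
    # ESP's ICV covers the ESP header and payload only; the outer IP
    # addresses are outside what is authenticated.
    return Packet(src, dst, payload, _mac(payload))


def esp_verify(p: Packet) -> bool:
    return hmac.compare_digest(p.icv, _mac(p.payload))


def nat_outbound(p: Packet, public_ip: str) -> Packet:
    # Source NAT on a home router: swap the private source address for the
    # router's public one and forward everything else untouched.
    return Packet(public_ip, p.dst, p.payload, p.icv)


def survives_nat(protect, verify) -> bool:
    """Send one packet from a NATed home host to the office endpoint and
    report whether the office side's integrity check still passes."""
    home, office, router = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
    p = protect(home, office, b"tunnel data")
    return verify(nat_outbound(p, router))


if __name__ == "__main__":
    print("AH  passes after NAT:", survives_nat(ah_protect, ah_verify))    # False
    print("ESP passes after NAT:", survives_nat(esp_protect, esp_verify))  # True
```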
#243081 - 02/12/2004 20:13
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Without thinking about it too hard, I'd choose super-secret option #4: put a VPN endpoint box in a DMZ. Then have the remote clients use software VPN endpoints to connect to it.
You should be able to find a turnkey solution for this. Not sure how much you want to spend. You could also install something yourself, likely for free plus a lot of time.
_________________________
Bitt Faulk
#243082 - 02/12/2004 20:30
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: put a VPN endpoint box in a DMZ
Oooo cool idea.
Anyone got any suggestions for this solution? Dunno how much the "client" is willing to spend until she sees some prices.
#243083 - 02/12/2004 20:31
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
We use the Nortel Contivity here. No idea of the price.
_________________________
Bitt Faulk
#243084 - 02/12/2004 20:35
Re: VPN Help
[Re: genixia]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: All routers must support VPN passthrough at the least.
The box in question, a Netopia Cayman Series 3000, says that it supports IPSec Passthrough for VPNs by default and that no special configuration should be needed.
How can this work if everyone behind it is NATed?
Like I said, I've never worked with VPN before and don't know what to expect.
#243085 - 02/12/2004 20:46
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Hm. I can get a Linksys BEFSR41 on the cheap, and says it'll do VPN endpoint for me.
Anyone got any feeling for whether it's gonna be any more secure than simply running the Windows Server 2003's VPN endpoint?
And by "secure", I mean, which is less likely to have some kind of buffer overflow exploit discovered and not patched in time.
#243086 - 02/12/2004 20:47
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I think that genixia was referring to the possible routers people might have on the client side. If you go the VPN-endpoint-in-DMZ route, then it's not an issue on your side. But if your firewall supports it, you could not bother with a DMZ and just put the VPN endpoint in your normal network, which is probably more secure. http://vpn.ebootis.de/ is a free solution that ought to work, but will take much longer to set up, and probably be a little flakier. I'm sure that there are other similar solutions out there.
_________________________
Bitt Faulk
#243088 - 02/12/2004 21:42
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: I think that genixia was referring to the possible routers people might have on the client side.
Okay, let me rephrase the question then.
Let's say that my DSL router/firewall supports IPSec passthrough but it's not a VPN endpoint.
Let's say that I have a VPN endpoint (whether it's a dedicated box, or VPN server software running on a PC) inside that firewall. Let's say its internal address is 192.168.0.39.
My question is: In that configuration, does the router's magical "IPSec passthrough" feature also handle forwarding external VPN traffic to that 192.168.0.39 address? Or must the VPN endpoint have a publicly-visible IP address before it can work?
In other words, am I overthinking this and all I REALLY need to do is activate the RRAS feature in windows 2003 and I'm done?
#243089 - 02/12/2004 22:14
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Possibly. I don't know the technicals behind RRAS -- what protocols it uses, etc. But possibly. Worth trying.
_________________________
Bitt Faulk
#243090 - 02/12/2004 22:22
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Some googling seems to indicate (not certain) that it won't work with IPsec over NAT, but if the software falls back to PPTP (which is a little bit less secure), then it will work.
#243091 - 02/12/2004 22:44
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
The reason that it may not work is probably what genixia described. Try it anyway.
_________________________
Bitt Faulk
#243092 - 02/12/2004 23:21
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Ah, here we go:
Quote: NAT-T and Firewall Rules
Because the new NAT-T code is designed around the IETF RFC 3193 and draft-02 of the IETF NAT-T specification, for these services to run through a firewall, you may have to open the following ports and protocols in the firewall rules:
• L2TP - User Datagram Protocol (UDP) 500, UDP 1701
• NAT-T - UDP 4500
• ESP - Internet Protocol (IP) protocol 50
Supported Scenarios Using NAT-T
The following scenarios will successfully allow L2TP/IPSec NAT-T connections. In these scenarios, Client is a client that is running Windows 2000 and that has the 818043 update installed or is a Windows XP-based computer with SP2 installed. Server is an L2TP/IPSec server that is running Windows Server 2003 and that is using Routing and Remote Access. In the first scenario, for example, Client is behind a NAT router; the connection goes through the Internet and connects to Server. In the second scenario, Server is behind another NAT router.
Client----> NAT ----Internet---->Server
Client---->Internet---- NAT ---->Server
Client----> NAT ----Internet----> NAT ----> Server
In these scenarios, where an L2TP/RRAS server is behind a NAT router, the NAT router must open the required ports and protocols for L2TP/IPSec NAT-T connections. The L2TP/IPSec server may also be a third-party gateway product that supports NAT-T connections.
Note If you apply the 818043 update to a Windows 2000-based server that is using Routing and Remote Access, the server cannot function as an L2TP/IPSec server in these scenarios. It cannot allow connections from L2TP/IPSec clients when one or more NAT routers is involved. This update is a client-side update only. Server-side NAT-T functionality is a new feature in Windows Server 2003 Routing and Remote Access only. NAT-T server-side support will not be added to Windows 2000 Routing and Remote Access.
So I wonder how unsecure things will be if I pinhole those ports?
#243093 - 03/12/2004 00:13
Re: VPN Help
[Re: tfabris]
member
Registered: 12/08/2001
Posts: 175
Loc: Atlanta
Quote: - A select few people, all NATed broadband at home, need to get into the office LAN remotely, in order to run a certain piece of client/server software and also for me to get in and remotely manage the server.
How about putting terminal services on the server and let people remote into the server to run apps?
#243094 - 03/12/2004 16:03
Re: VPN Help
[Re: Folsom]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: How about putting terminal services on the server and let people remote into the server to run apps?
Not an option for this particular situation. Plus, I don't want to expose terminal services to the internet on this server, I don't trust its security yet.
#243095 - 03/12/2004 17:20
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
A wise decision I think. I too keep my Terminal Services port locked down. If I need to use it remotely I ssh into my Linux box and punch a hole in the firewall for the specific address I am using at the time (I never remember to remove them though, so there are dozens of port 3389 rules hanging around).
_________________________
Remind me to change my signature to something more interesting someday
#243096 - 03/12/2004 17:28
Re: VPN Help
[Re: andy]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
I've put a pinhole in the firewall at 3389 today just so I can mess with configuring the server, but I intend to lock that back down when I get VPN working.
#243097 - 03/12/2004 18:23
Re: VPN Help
[Re: tfabris]
member
Registered: 12/08/2001
Posts: 175
Loc: Atlanta
You could make it a little safer by changing the public port to a different port than 3389. I do that so I can get to my home network from work, and work blocks out 3389.
#243098 - 03/12/2004 19:10
Re: VPN Help
[Re: Folsom]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: You could make it a little safer by changing the public port to a different port than 3389.
I thought of that, but I don't see anywhere in the Terminal Services client software to spec a port other than 3389.
#243099 - 04/12/2004 05:39
Re: VPN Help
[Re: tfabris]
old hand
Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
just add a <hostname>:<port>, i.e. www.microsoft.com:33389
#243100 - 04/12/2004 06:41
Re: VPN Help
[Re: image]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Oh cool, thanks. Well, at this point I don't need that any more since my VPN seems to be working.
I had to pinhole TCP port 1723 because that's the PPTP connection port. And then for some reason or other, I had to go into the router's configuration and set a pinhole for "Protocol: PPTP" but it didn't seem to matter what port number I set that to. I didn't realize that PPTP was a "protocol" like TCP or UDP is. Not exactly sure what the router is doing in that case.
Anyway, it works now but I've got the nagging doubt that somehow the Windows VPN server isn't the most secure thing in the world and that someone out there might be able to gain access to the server via VPN.
I've got a couple of bugs I need to work out, too... For instance, name services don't seem to work, I can't locate the server by name after I've VPN'd into it. Also, I can't seem to get two VPN tunnels working from my house at the same time. Maybe it's because we're both behind a NAT layer here.
#243101 - 04/12/2004 13:37
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Tony, While the topology of my VPN setup is totally different from yours (Sonicwall Firewall w/VPN as the terminating point for the tunnel and Sonicwall client software on the remote end), I also cannot resolve names across the VPN link. If I want to use a share inside the firewalled network I have to map the share as \\###.###.###.###\sharename .
-Zeke
_________________________
WWFSMD?
#243102 - 04/12/2004 14:53
Re: VPN Help
[Re: tfabris]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
Yeah, PPTP isn't known for its strength, but it's better than nothing. And yes, it does use another protocol on top of IP. IPsec also does this with protocol 50. The way that many consumer 'routers' deal with NAT and VPNs prevent more than one tunnel from being open at a time - since packets from the VPN server are encrypted it is not easily possible to determine which of the local hosts they are intended for. The easiest solution is for the router to allocate the entire VPN functionality to the first host that asks for it, typically by watching tcp/1723 (or tcp/500 for IPsec). Some newer routers can apparently allow multiple hosts to open tunnels - I'm not sure how they do this. I'm a bit out of the loop on all this now.
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
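The "whole VPN goes to the first host" behaviour described above, as an added toy NAT model in Python (not code from the thread or from any router firmware; the hosts, ports and translation policy are constructed). GRE, which is what the "Protocol: PPTP" pinhole mentioned earlier refers to, is IP protocol 47 and carries no port numbers, so the model shows why a port-less tunnel can be mapped to only one inside host, and why the UDP 4500 encapsulation from the NAT-T quote earlier gives a router ports to multiplex on.

```python
"""Toy NAT table: port-based protocols get one mapping per inside port,
port-less protocols (GRE for PPTP, ESP for IPsec) get handed wholesale to
the first inside host that used them, as the post above describes.

Added illustration, not from the thread or any real router. Addresses,
ports and the 'one owner per protocol' policy are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IP protocol numbers


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for GRE/ESP: no transport header
    dport: Optional[int] = None


@dataclass
class ToyNat:
    public_ip: str
    # port-based mappings: (proto, public_port) -> (inside_ip, inside_port)
    port_map: dict = field(default_factory=dict)
    # port-less protocols: proto -> inside host that first used it
    proto_owner: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        if p.sport is None:
            # Nothing to multiplex on: the payload is opaque, so the router
            # simply hands the whole protocol to the first host.
            self.proto_owner.setdefault(p.proto, p.src)
            return Packet(p.proto, self.public_ip, p.dst)
        pub_port = self.next_port
        self.next_port += 1
        self.port_map[(p.proto, pub_port)] = (p.src, p.sport)
        return Packet(p.proto, self.public_ip, p.dst, pub_port, p.dport)

    def inbound(self, p: Packet) -> Optional[str]:
        """Return the inside host an arriving packet is delivered to."""
        if p.dport is None:
            return self.proto_owner.get(p.proto)
        inside = self.port_map.get((p.proto, p.dport))
        return inside[0] if inside else None


def deliveries(proto: int, port: Optional[int] = None) -> dict:
    """Two inside hosts each open a tunnel to the same VPN server through
    one router; return which inside host the server's replies reach."""
    nat = ToyNat("198.51.100.7")        # constructed public address
    server = "203.0.113.5"              # constructed VPN server address
    reached = {}
    for host in ("192.168.1.10", "192.168.1.11"):
        sent = nat.outbound(Packet(proto, host, server, port, port))
        reply = Packet(proto, server, nat.public_ip, sent.dport, sent.sport)
        reached[host] = nat.inbound(reply)
    return reached


if __name__ == "__main__":
    print("PPTP/GRE :", deliveries(GRE))        # both replies land on .10
    print("IPsec/ESP:", deliveries(ESP))        # same problem
    print("NAT-T    :", deliveries(UDP, 4500))  # each host gets its own
```

Routers that do let several PPTP clients through typically run a PPTP-aware helper that tracks the GRE call ID rather than owning the whole protocol.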
#243103 - 04/12/2004 15:57
Re: VPN Help
[Re: genixia]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: The way that many consumer 'routers' deal with NAT and VPNs prevent more than one tunnel from being open at a time
Aha. This is critical information. I'd like to find out more about it, since the plan is to eventually run many VPNs to this server. If it can't be done through this router, then a dedicated endpoint which CAN do this is much more desirable.
#243104 - 04/12/2004 15:58
Re: VPN Help
[Re: Ezekiel]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: I also cannot resolve names across the VPN link.
This is good to know that I'm not alone, thanks. That means there's likely someone out there who has a solution.
#243105 - 04/12/2004 16:25
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 13/09/1999
Posts: 2401
Loc: Croatia
Try adding the domain name of the network you are connecting to, to the configuration of your VPN connection. In XP: ['Network' tab] -> [Properties button with TCP/IP selected] -> [Advanced] -> [DNS tab] -> [Append these DNS suffixes] (or perhaps 'DNS suffix for this connection' - I have both).
We use some third-party SW router on Windows (I don't recall which), and have no problems establishing multiple PPTP connections, although we also use NAT. I don't know what the people we are connecting to use as PPTP endpoint.
_________________________
Dragi "Bonzi" Raos
Q#5196
MkII #080000376, 18GB green
MkIIa #040103247, 60GB blue
#243106 - 04/12/2004 18:47
Re: VPN Help
[Re: bonzi]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: Try adding domain name of the network you are connecting to the configuration of your VPN connection.
Thanks for that suggestion, that's a good idea. Didn't work, but it was worth a try.
#243108 - 04/12/2004 20:00
Re: VPN Help
[Re: tfabris]
old hand
Registered: 28/04/2002
Posts: 770
Loc: Los Angeles, CA
if you have a WINS server still, setup the vpn connection to use that.
#243109 - 04/12/2004 21:47
Re: VPN Help
[Re: image]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: if you have a WINS server still, setup the vpn connection to use that.
That's a good idea, too. I tried that, too, didn't work either.
#243110 - 05/12/2004 17:07
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Answer to name resolution issue appears to be this. Since we may not be sticking with this VPN method at all (we might do the VPN endpoint box in a DMZ instead, meaning we'd be using L2TP instead of PPTP), I might not need to try the solutions listed in that article. But it's good to have that article handy for now.
#243111 - 07/12/2004 18:54
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, I'm seriously looking at doing Bitt's "super secret option 4" and putting a VPN endpoint on a DMZ or a port-forward in the network. I'm having trouble locating a proper box that will do the trick. It's hard to tell which ones, from their descriptions, are genuine VPN endpoints and not just tunnel-supporters. For example, I'm looking at this one, and its online PDF manual has instructions for setting it up to connect *to* a vpn, but not how to set it up as a vpn *server*. Although there is an illustration in the manual that shows it as being a VPN server, I think, unless they were oversimplifying it and it was meant to be a picture of the thing acting as a passthrough. Sigh. Anyone have any tips on how to find the proper box?
#243112 - 07/12/2004 20:51
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Actually, that looks like it will do a VPN tunnel between two of those units. That is, put one in your corporate office and another in your branch office and it'll set up a VPN between those two offices so that data going between them is encrypted. I'd guess that it won't do a computer-to-BEFVP41 connection, or, at best, would do only one.
It'd be a great solution if you just needed two offices connected together, but you need road warriors to connect, too. I'll take a look in a minute. I assume you want it to be as cheap as possible.
_________________________
Bitt Faulk
#243113 - 07/12/2004 21:01
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
The Linksys RV016 looks right. Newegg has it for $382.
_________________________
Bitt Faulk
#243114 - 07/12/2004 21:10
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Yeah, that sounds like the right box. Slightly overkill, such as having the redundant WAN ports. The RV042 seems to be the same thing but with fewer ports and much less expensive. I'll look along those lines, thanks!
#243115 - 07/12/2004 21:13
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Hm. Thought I had my Newegg set up to order by price, that was on the top of the list, and it worked, so I thought it would be the best. Turns out my sorting was not correct.
I'll see if I can find a cheaper one.
Note that some of them want to sell you VPN client software/licenses separately. Take that into consideration when looking at prices. It's also possible that you wouldn't really need their software with XP, since it has IPSec built in, but you also might. Who knows?
_________________________
Bitt Faulk
#243116 - 07/12/2004 21:17
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Ooo. I just found Tom's Networking which says the BEFVP41 I was looking at is a VPN endpoint. For that matter, the BEFSX41 is an endpoint, too, and it is incredibly cheap because it drops the VPN coprocessor. I'm going to spend some more time reading Tom's Networking.
#243117 - 07/12/2004 21:21
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
How about the TrendNet TW100-BRV204? $46 at Newegg and supports up to 10 IPSec connections.
_________________________
Bitt Faulk
#243118 - 07/12/2004 21:26
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: I just found Tom's Networking which says the BEFVP41 I was looking at is a VPN endpoint.
Yes, it is. But how many tunnels does it support? My guess: one.
Edit: Hmm. Tom's says 70. I'm surprised.
Edited by wfaulk (07/12/2004 21:28)
_________________________
Bitt Faulk
#243119 - 08/12/2004 09:39
Re: VPN Help
[Re: tfabris]
member
Registered: 03/02/2002
Posts: 101
Loc: Sweden
If you have an old computer, you could replace the firewall-gateway with a simple firewall distribution based on Linux or *BSD with web-based configuration. I've tried ipcop with great success, but it has some limitations (can't block internal access to the internet without manual iptables rules). m0n0wall on the other hand can do PPTP, IPsec, OpenVPN, very good filtering rules etc. But it is a little harder to get up in 2 mins...
Links:
http://www.ipcop.org/
http://m0n0.ch/wall/
I have an ipcop firewall/vpn solution up for a customer and it has been running for a couple of years without any problems.
/Fredrik
#243120 - 17/12/2004 04:57
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Anything that runs Linux will do nicely. OpenVPN is a nice multi-platform free package with fairly good security to run on top of Linux.
-ml
#243121 - 17/12/2004 20:59
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Argh. I've got the BEFVP41 but it seems to be a problem to set up.
I'm trying to follow this article, which I can't get to work but even if I could, it seems to require that I press the "Connect" button in the router's config screen, which of course is unworkable in a VPN setup where it's the server.
I'm trying to get an answer out of Linksys on the phone, but I'm talking to Bangalore or something, so it's hard enough just to get across what I want to do, let alone get them to find a solution.
#243122 - 17/12/2004 23:17
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, the BEFVP41 is going back in the box and back where it came from.
According to their tech support, they don't support it being an endpoint/server for PC clients. When that Knowledgebase article didn't work, they said they can offer no more support and that I should call Microsoft.
I will check out that other 10-tunnel unit listed earlier in this thread, but does anyone have any other suggestions?
Basically, I just want to have a handful of real estate agents with laptops, who, when connected to the internet, can click on the "My Network Places" and hit the "VPN to home office" icon, enter a user name and password and that will connect to <mythical box I want to buy> which sits on a DMZ on our LAN and lets them in to the rest of our LAN.
I appreciate the suggestions of Linux distros that will do what I want, but I need it to be a prebuilt box rather than a PC. I don't want to mess with installing Linux on a computer, taking two weeks to learn how to set it up, and then having no support number to call if it doesn't work. (Not that the Linksys support did me any good, but you know what I'm saying).
#243123 - 18/12/2004 00:48
Re: VPN Help
[Re: tfabris]
Carpal Tunnel
Registered: 08/02/2002
Posts: 3411
How about something like this?
_________________________
Mk2a 60GB Blue. Serial 030102962
sig.mp3: File Format not Valid.
#243124 - 18/12/2004 11:55
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 29/08/2000
Posts: 14496
Loc: Canada
Quote: I don't want to mess with installing Linux on a computer, taking two weeks to learn how to set it up, and then having no support number to call if it doesn't work.
If you don't want to learn new tricks, then fine. But please drop that rubbish comment about no support number to call. Pleeeeaaaassseee!
You're brighter than that. Among the multitude of support numbers you can call are my own, RedHat, SuSe, thousands of other Linux consultancies, newsgroups, mailing lists, and .. god forbid .. the source code itself.
That's a totally bogus argument/myth. Your first point is somewhat more real.
Cheers
Edited by mlord (18/12/2004 11:56)
#243125 - 18/12/2004 12:54
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Have you looked at the units from Sonicwall? Not inexpensive, but easy to use & configure. I have a Soho Tele 3 that I use to support about 5 VPN users. The TZ170 series (.pdf datasheet) have a second port which can be used as a DMZ (I'm not quite clear if you're just looking for an end point or full Firewall/Endpoint combo, probably not reading your posts thoroughly). -Zeke
_________________________
WWFSMD?
#243126 - 19/12/2004 15:32
Re: VPN Help
[Re: mlord]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: But please drop that rubbish comment about no support number to call. Pleeeeaaaassseee!
You're right. I apologize and take it back. Most user-support communities for Linux-related stuff are generally better than commercial tech support.
#243127 - 19/12/2004 19:56
Re: VPN Help
[Re: Ezekiel]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I have SonicWall TZ170's and they'll do the trick. If you'd like to log into one and take a look at the admin software Tony, PM me and I'll send you a hostname, username and password so you can take a look.
The price isn't really that bad on them for what you get. I've been buying from this site for about $300 and have gotten good service.
_________________________
~ John
#243128 - 19/12/2004 20:00
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
We use Sonicwall where I work as well. I've not actually had occasion to VPN into it, but other people do, and it works well.
In fact, a couple of the guys at the office have Draytek routers at home, for the other end of the tunnel.
_________________________
-- roger
#243129 - 20/12/2004 13:16
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
We've been using Watchguard linux appliances for a couple years for firewalls and VPN tunnels. The price/performance is solid. They have a range of devices that I think would fit your needs. We have a few Firebox IIIs, medium duty, rackmount firewalls, and twentyish of the SOHO 6tcs - lighter duty, smaller firewalls which max out at 50 trusted IP address and 10 concurrent user VPN tunnels. Currently, we use the SOHOs in our smaller offices (typically up to 30 users) to create a tunnel back to our corporate office. They have a good user interface and provide good (albeit subscription) support and overnight replacements as needed. The Firebox came with 1 year of the subscription support; SOHOs with 3 months. In my experience, the Fireboxes almost never need a reboot. The SOHOs need a reboot every once in a while, but usually reboot themselves when needed. -jk
#243130 - 20/12/2004 13:44
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
IME, SonicWalls have terrible default settings, making them a nightmare for someone who doesn't know exactly what he's doing. OTOH, they can be a useful, if frustrating, learning experience.
(It's amazing how many times I wanted to use some variation of "terrible" in this post. Take that as a recommendation.)
Edited by wfaulk (20/12/2004 13:46)
_________________________
Bitt Faulk
#243131 - 13/04/2005 04:40
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Well, I just picked up a TZ170 (Since I couldn't get the power-supply-fried one from Meatballman to work) and I'm messing with it. I like its user interface, and even if the default settings might not be ideal, at least there is a large array of powerful settings, and what they're all set to is very clear. So for someone who knows what they're doing, that's a good thing.
Now. About the "knows what they're doing" part... I've never actually done this before. *gasp*
I'm trying to do the idea you suggested earlier in the thread: making this SonicWall be purely a dedicated VPN endpoint sitting in a DMZ on the LAN.
I have a couple rather silly basic questions about how to do that, exactly. I wonder if anyone knows the answers to these questions.
The first question is physical connections:
My internet gateway has only a WAN port and a few LAN ports. (No dedicated DMZ port.) Its connections currently go like this:
ADSL Line -> internet gateway WAN port -> Gateway box -> Gateway LAN port -> the hub for the internal company LAN.
So when I plug this new VPN router in, do I run one cable from its WAN port into the hub, and also run one cable from one of its LAN ports into the same hub?
The second question is addressing:
I can set up the VPN router with a WAN address and a gateway on its WAN side. Let's say that my existing internet gateway has a public-facing WAN IP address of 69.125.107.154, and that my DSL provider gives us a pool of 5 static IP addresses and I want to use the next address in the pool, 69.125.107.155, as the DMZ address, having all traffic directed to that address get sent to the VPN router.
So do I tell the VPN router that its WAN address is 69.125.107.155 with a gateway of 69.125.107.154?
Or, since the VPN appliance is actually internal to the network, should those be set to *internal* addresses in the 192.168.x.x range?
#243132 - 13/04/2005 10:41
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
For more info on this, ICQ me when you get in this morning.
_________________________
~ John
#243133 - 13/04/2005 12:51
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
FWIW, since you now have one, the one thing I remember in specific being a problem was long-term TCP sessions. There's a setting that's a timeout for how long such sessions can last. I don't know that I understand the concept of this setting in general (I suppose to clear out queues from TCP sessions that got dropped on the floor instead of exiting normally or being abnormally terminated), but it's there, and the default is like 15 minutes or something. This will, apparently, kill any TCP session that's been open for 15 minutes, no matter if it's being used. Or maybe there's an idle thing. I don't quite remember, but I do remember it turning off legitimate TCP traffic. Anyway, the setting is there as a global setting, but the global setting doesn't actually affect anything. You have to set it in the connection-specific area.
This took a supposed expert I was dealing with over a week to figure out.
_________________________
Bitt Faulk
#243134 - 13/04/2005 14:11
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
And I only figured it out with help from Bitt.
_________________________
~ John
#243135 - 13/04/2005 14:15
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Clearly, I'm dealing with the right people to ask for help, then. ICQ'ed you, as ordered, not seeing a reply this morning...
#243136 - 13/04/2005 14:27
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I was in and out of my office a good bit this morning.
Weird...Trillian doesn't even show you as being online. It won't log on to AOL today either. Let me download a different ICQ client.
_________________________
~ John
#243137 - 13/04/2005 14:29
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I'd forgotten that I'd helped you with that. I've had that experience with, IIRC, at least two other people.
_________________________
Bitt Faulk
#243138 - 14/04/2005 00:36
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, next question.
This is a rather silly one. I should know the answer to this one.
When we buy a business DSL connection from SBC, they give us five static IP addresses. One of these addresses is what I desire to use for the DMZ.
But I don't understand what's on the SBC setup sheet. This is the piece of paper that the DSL installer technician filled out when installing the DSL line. There are two groups of addresses, arranged in two separate sections. It looks like this:
----------------------------------------------------
Customer's IP's or LAN IP's (For routers):
Static IP addresses:
64.197.129.33
64.197.129.34
64.197.129.35
64.197.129.36
64.197.129.37
Gateway:
64.197.129.38
Subnet Mask:
255.255.255.248
WAN Side (For routers):
IP Address:
69.125.107.154
Subnet Mask:
255.255.255.254
Gateway:
69.125.107.153
----------------------------------------------------
(IP addresses above deliberately changed in the interest of privacy, but it works for this example.)
Now here's the thing. The configuration screen of our DSL router has the *second* set of numbers plugged into it, the 69.125.107.154 stuff. And I can connect to its port-mapping features from my home by going to 69.125.107.154. It works.
But I have no idea how those five static IP addresses relate to that. Is one of those static IP addresses somehow magically "synonymous" with the currently-working "69." address? Or do I have to throw out the current, working configuration and re-configure the DSL router with the first set of numbers if I want to use those static IPs?
Normally, I'd go into the existing setup screen of one of my working DSL routers that handles multiple static IPs at my job and investigate how those are set up. Somehow that isn't an option any more.
#243139 - 14/04/2005 00:58
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Oh, and a follow up. In the second group of numbers, there's a subnet mask of ".254", which is what was written on the form by the DSL tech. But the router won't actually let me use that value. What was plugged into the router when they set it up was actually ".252" and that works. Interesting.
#243140 - 14/04/2005 01:01
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: do I have to throw out the current, working configuration and re-configure the DSL router with the first set of numbers if I want to use those static IPs?
Tried this, and it didn't work, by the way.
So how AM I supposed to use those static IPs?
#243141 - 14/04/2005 06:19
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 17/12/2000
Posts: 2665
Loc: Manteca, California
The static IPs give the machines that have them a public presence on the WAN. They can be contacted directly, assuming there isn't something blocking the pipe. With static you don't need to mess around with NAT or port forwarding, VPN routers, or anything. You can load SSH or VPN software directly onto the static-addressed computers and let them contact the remote VPN device directly.
PS: You might want to check your subnet masks carefully. They are what determine if a packet stays on the LAN or is passed to the WAN. Given the list of static addresses earlier, the mask should have been 255.255.255.216. 216 is 39 after it was converted to binary, had all the digits inverted and then converted back to decimal.
Hope someone else will correct this if wrong.
_________________________
Glenn
#243142 - 14/04/2005 10:03
Re: VPN Help
[Re: gbeer]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Hm. When I plugged those numbers into the DSL router, the internet connection stopped working. I wonder how SBC expects me to use those numbers, then.
#243143 - 14/04/2005 11:14
Re: VPN Help
[Re: tfabris]
enthusiast
Registered: 08/08/2000
Posts: 351
Loc: chicago
Tony,
By default, SBC delivers their routers set up with NAT enabled, which may not be what you want. It turns out to be easy to fix, but you can't do it through the administrative web interface on the box. You need to telnet in, and change settings that way. I called SBC, and they transferred me to a support guy from the router hardware vendor, who walked me through it. I'm not sure why they don't document this for business class customers, as it would seem that many of those would rather run in bridging mode.
--Dan.
#243144 - 14/04/2005 11:18
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
From this IP chart, your provider wants the 64.125.107.154 on the outside interface, 64.197.129.38 on the inside interface in a two device model (though it really shouldn't matter which of the 6 addresses you choose for your gateway - the whole subnet exists on the far side of the .107.154 address from the ISP's viewpoint - I prefer starting from the bottom), and the other 5 IP addresses on your various devices (with one presumably dedicated to your DMZ).
The old fashioned, two device (one router, one firewall) model would be to have the router set up with .107.154 on the serial interface (internet side), .129.33 on the ethernet interface, and the default gateway in the router set to .107.103 (to send all outbound traffic to your ISP).
You would then set up a firewall with .129.34 as the "outside" interface (it could be just a crossover cable to the router's ethernet interface), 192.168.1.1 as the "trusted" interface, and 192.168.2.1 for your DMZ, with the firewall having a default gateway of .129.33 (this sends traffic to your router's ethernet interface, and the router then forwards outbound traffic to the ISP).
You then would have a 192.168.1.0/24 internal subnet for your "inside" computers and devices, all devices having a default gateway of the firewall's trusted interface (.1.1).
You would also have a 192.168.2.0/24 DMZ subnet for your semi-public computers and devices, all having a default gateway of .2.1. The firewall would NAT your additional public IP addresses (.35-.38) into the DMZ based on your DMZ rules.
If you have an "all in one" type router/firewall, it'd work something like what I described above, with the router/firewall unit having the entire .129.32/29 subnet for aliases on the DMZ subnet.
The entire DMZ setup depends on your firewall options, whether port forwarding or one-to-one address forwarding, or a combination of the two.
-jk
#243145 - 14/04/2005 11:56
Re: VPN Help
[Re: djc]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
I think it'll be a heck of a lot easier to just put your modem in bridge mode and then plug it into your SonicWall and manage the rest from there (using the same settings you're using now.)
_________________________
~ John
#243146 - 14/04/2005 13:27
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
I'll explain what all of this means and you can draw conclusions from that based on what you want to do.
Quote: Customer's IP's or LAN IP's (For routers):
Static IP addresses:
64.197.129.33
64.197.129.34
64.197.129.35
64.197.129.36
64.197.129.37
Gateway:
64.197.129.38
Subnet Mask:
255.255.255.248
WAN Side (For routers):
IP Address:
69.125.107.154
Subnet Mask:
255.255.255.254
Gateway:
69.125.107.153
Let's start with the second part, the WAN. The IP address is the address you need to configure on your outermost IP device. This is the address that the ISP knows should be directly on the other side of their pipe. The gateway is what you should set the default route of that device to. It's the address of their device directly on the other side of the pipe from you.
The .254 netmask is a special case, and it's a fairly newly designed special case, which is why your router/modem/whatever won't take it. A subnet mask of .254 means that there are only two IP addresses in that subnet, but subnets are defined to have the first and last addresses be network and broadcast addresses, which are unusable by hosts. This has been changed to allow .254 netmasks to be a special case intended to specify a network used to connect two hosts together, and the network and broadcast address concepts are discarded, since they're useless in that configuration anyway. The old way to do that was to use a .252 netmask, which would be 4 addresses: the two hosts and the network and broadcast addresses. The point of the change is that in the new method, you get a 50% savings in IP addresses for those networks, which are fairly common these days. Anyway, using a .252 works for you because it incorporates the .254 network. I imagine that the ISP knows that it's possible for your device not to understand the .254 netmask, so they probably kept the IP address for itself that's the one that would be a host address in the .252 network, otherwise your gateway would appear to be a network or broadcast address, and I'm not even sure that that would work, and if it did, it'd be less than optimal. (I can't tell if they've done the right thing without having at least the last octet as your actual number, and either you've changed it or your ISP is wildly screwed up.) The other problem is that you won't be able to communicate with the hosts that are in the other half of that .252 network at all.
Phew.
Now onto the first set of addresses, your static IPs. What's going on is that your ISP is routing the x.x.x.32/255.255.255.248 network to you via the WAN IP address. (In this case, your numbers work out, so you might have copied the last octets here. If so, the .32 and .39 addresses are your network and broadcast addresses.) That is, the ISP knows that it's not directly connected to that network, but it knows that they're accessible via your pipe. That means that you can do virtually anything you want to within your network. They have suggested that you configure the .38 address (again, if your numbers are vaguely accurate) as the inside of your router and use that as the gateway/default route for all the other computers, which get the other IP addresses as their own. Of course, you could set those IP addresses up in your firewall as NAT destination addresses, or on individual hosts or whatever. But you can do absolutely anything with that network you want to.
The "normal" thing to do would be to configure your firewall with all those addresses, use most of them for NAT, and use one or two as passthrough (or nearly so) for your DMZ hosts. Preferably, you'd want multiple internal interfaces on your firewall for that to separate the DMZ hosts from the others. (That would mean at least 3 interfaces total.) Or if you don't have that many interfaces, have the DMZ hosts not behind the firewall at all on the same network as the outside interface of the firewall. Of course, that means they'd be directly attached to the internet with no defenses but their own.
I hope that information helps you figure out what you need to do.
_________________________
Bitt Faulk
#243147 - 14/04/2005 13:42
Re: VPN Help
[Re: gbeer]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote: They are what determine if a packet stays on the LAN or is passed to the WAN. Given the list of static addresses earlier the mask should have been 255.255.255.216 216 is 39 after it was converted to binary, had all the digits inverted and then converted back to decimal.
Hope someone else will correct this if wrong.
You are wrong. I'm not entirely sure what you're saying, but you're wrong. The .248 netmask fits the address he gave (.33 to .38) perfectly.
_________________________
Bitt Faulk
#243148 - 14/04/2005 13:50
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Wow, fantastic information and advice in this thread. Thanks very much, guys! Bitt, the explanation of the 252 versus 254 netmask is especially eye-opening. I was completely unaware of that. John, thanks for the explanation of the internal/external addressing. I think part of my confusion was due to most of that being either hidden or not configurable on my Netopia DSL router.
Quote: I think it'll be a heck of a lot easier to just put your modem in bridge mode and then plug it into your SonicWall and manage the rest from there (using the same settings you're using now.)
I'd pretty much come to this conclusion myself last night, actually. It's simply a pain trying to configure that Netopia DSL router to do what I want. It's got a check box for bridge mode, I should just reset the thing and put it in bridge mode, then do everything from the sonicwall.
#243149 - 14/04/2005 14:10
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
This is only tangentially relevant, but you might come across it at some point, so I'll go ahead and point it out. You can't make a subnet out of any random grouping of sequential IP addresses, even if it's a correct number of them (which will always be a power of two). The math involved means that 69.125.107.32/255.255.255.248 is a valid network of eight addresses, but 69.125.107.30/255.255.255.248 is not. That's the reason I claimed your .254 WAN network settings are screwed up -- because they can't make a valid network. The reason for this is that an IP address is made up of two numbers, the network number and the host number. The netmask defines how many bits the network number takes up, and, therefore, how many are left over for the host number. Obviously, all of the IP addresses in a given network must have the same network number. For an easy example, assume a netmask of 255.255.255.0. We're all fairly familiar with that. That means that your network could encompass, for example, 192.168.1.0 to 192.168.1.255, but not 192.168.1.16 to 192.168.2.15. That seems obvious, but the math becomes a little more complex when you're translating binary numbers into decimal numbers that aren't as tidy as that example. Also, you may see netmasks described differently. For example, 192.168.1.0/255.255.255.0 might also be listed as 192.168.1.0/24. The old-style netmasks are really, in binary, a bunch of ones followed by a bunch of zeroes. The new way simply describes how many ones there are. There's a direct mapping: /25 is .128, /26 is .192, /27 is .224, /28 is .240, /29 is .248, /30 is .252, /31 is .254, and /32 is .255. Netmasks can be smaller, too, but you're not really going to encounter any of those. I point that out so that you can use aggis, which is a handy-dandy utility for figuring out network addressing. It requires that its input be in new-style format.
_________________________
Bitt Faulk
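The two netmask explanations in this thread (the .252 versus .254 point-to-point case, and why an address/mask pair is only a valid network when all its host bits are zero) come down to a few lines of bit arithmetic. The following is an added example, not code from anyone in the thread; the addresses are the privacy-altered ones quoted above, and the mask/prefix mapping is the one listed in the post.

```python
"""Subnet arithmetic behind the thread's netmask discussion: dotted masks vs. prefix
lengths, network/broadcast addresses, the /31 point-to-point special case, and whether
two addresses share a subnet. Constructed example using the thread's altered addresses."""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer, validating each octet."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/29 -> 255.255.255.248: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((ALL_ONES << (32 - prefix)) & ALL_ONES)


def mask_to_prefix(mask: str) -> int:
    """255.255.255.248 -> 29. A valid mask is contiguous ones then zeros, so a value
    such as 255.255.255.216 (binary ...11011000) is rejected."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def describe_network(addr: str, mask: str) -> dict:
    """Network/broadcast/usable-host range for addr/mask, plus whether addr is itself the
    network address (host bits all zero). That is what makes x.32/29 a valid network and
    x.30/29 not. /31 follows RFC 3021: both addresses are hosts and there is no broadcast."""
    prefix = mask_to_prefix(mask)
    a, m = ip_to_int(addr), ip_to_int(mask)
    network = a & m
    top = network | (~m & ALL_ONES)      # broadcast address for prefixes up to /30
    if prefix >= 31:
        first, last = network, top       # /31: two hosts; /32: a single host
    else:
        first, last = network + 1, top - 1
    return {
        "prefix": prefix,
        "network": int_to_ip(network),
        "broadcast": None if prefix >= 31 else int_to_ip(top),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": last - first + 1,
        "is_network_address": a == network,
    }


def same_subnet(addr1: str, addr2: str, mask: str) -> bool:
    """Do two addresses share the subnet defined by mask? This is the test a host makes
    to decide whether a packet stays on the LAN or is sent to the gateway."""
    m = ip_to_int(mask)
    return (ip_to_int(addr1) & m) == (ip_to_int(addr2) & m)


if __name__ == "__main__":
    # The five static IPs plus the gateway, .33 to .38, all sit inside 64.197.129.32/29.
    print(describe_network("64.197.129.33", "255.255.255.248"))
    # The WAN pair .153/.154 do not form a /31 together, but are the two hosts of .152/30,
    # which is why the .252 mask works where the .254 mask cannot.
    print(same_subnet("69.125.107.154", "69.125.107.153", "255.255.255.254"))
    print(same_subnet("69.125.107.154", "69.125.107.153", "255.255.255.252"))
```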
#243150 - 14/04/2005 15:51
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
This is good information, thanks. I'd pretty much known most of that, but it makes me wonder about something specific. Meatballman might know the answer to this one. I'm using these instructions to configure the SonicWall as an L2TP server for Windows clients. This instruction sheet says: When creating a L2TP IP pool on the SonicWALL device, the IP addresses must be a unique IP subnet – you cannot specify IP addresses from the LAN (or any other) interface subnet on the device. But that's exactly what I *want* it to do. I want the people who are tunneling in to get fed IP addresses from the same pool as what's on the office LAN. So I'd want them to be in the same subnet. Do you think it possible to specify the DHCP pool on the SonicWall, and specify the LAN-side netmask, so that it can dole out half of the addresses in 192.168.2.xxx pool to the local DHCP users, and use the other half for the L2TP clients? What would those netmasks look like?
#243151 - 14/04/2005 16:01
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
See? This is why I don't like Sonicwall. Those rules are highly unclear and apparently arbitrary. If they'd just come out and say what they mean in normal IP-speak instead of trying to be friendly about it, then you might not be able to understand it, but at least I would. As it is, I don't understand it and neither do you.
It's like you have to have a SonicWall expert instead of an IP expert. Sure, Ciscos and whatnot require some expertise, but that's just based on "what's the syntax", not "what the fuck are they talking about".
My guess is that you must use an IP address on the WAN side, but you only have one IP address assigned there. I'm not sure what they mean by unique, either. Maybe they mean globally routable (that is, not in the 10/8, 172.16/12, or 192.168/16 ranges)?
Edited by wfaulk (14/04/2005 16:05)
_________________________
Bitt Faulk
#243152 - 14/04/2005 16:29
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Does the SonicWall NAT them to an IP address on the local subnet after assigning an IP from the "unique" subnet? Or does the firewall cleanly route between the local subnet and the unique subnet, and simply treat both as part of a larger "trusted" area?
-jk
#243153 - 14/04/2005 16:32
Re: VPN Help
[Re: jmwking]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
I don't know. To either your question, or Bitt's. Maybe Meatballman would know.
#243154 - 14/04/2005 16:55
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
So go ahead and try it! Use a different subnet (in my earlier example, try a pool in 192.168.3.0), and try connecting (from outside the firewall, of course - a dialup connection would work for testing). See what IP you get assigned on your remote computer. Then try to connect to a machine over a port you know (a web connection, some sort of terminal/vnc, etc), and do a netstat /a type of command to see what IP is connecting to the inside computer. Someone who obsesses over obscure registry entries to change minuscule windows settings should be able to poke at a firewall. Just save your existing firewall configuration so you can restore it when^h^h^h^h if you mess it up.
-jk
#243155 - 14/04/2005 16:59
Re: VPN Help
[Re: jmwking]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Yeah, I was gonna do that tonight.
Even if I have to assign VPN users a 192.168.3.xxx subnet, I can add 192.168.3.xxx as a second valid address in the server configuration and then all should work at that point.
#243156 - 14/04/2005 17:02
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
I'm not sure you'll need to add the address to the server, so long as any firewall-type software on the server recognizes the 192.168.3.0 subnet as part of the "trusted" environment. We have 20 some subnets as part of our trusted network, and our internal servers are quite content to trust the routers to send the packets where they're supposed to go.
-jk
#243157 - 14/04/2005 17:20
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Don't worry, the SonicWall will route the traffic between the two subnets and it will work the way you want it to work.
EDIT: yeah...what jmwking said.
_________________________
~ John
#243158 - 15/04/2005 00:00
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: Don't worry, the SonicWall will route the traffic between the two subnets and it will work the way you want it to work.
It doesn't seem to be doing that.
I got it all working, as far as I could tell, according to these instructions. I put that annoying Netopia DSL modem in Bridge mode, and did everything on the Sonicwall. I can now, using those instructions, connect to the sonicwall L2TP VPN server from a remote computer.
The internal company network lies on the 192.168.2.xxx subnet. The main company file server is 192.168.2.1 and the internal LAN address of the SonicWall is now 192.168.2.2.
But because of that limitation stated in those instructions, the people dialing into the sonicwall vpn cannot use 192.168.2.xxx addresses. If I try to tell the sonicwall to give them those addresses, it complains that it matches its internal subnet and won't let me save those changes.
So I configure it to give the VPN users addresses in the 192.168.3.xxx subnet instead, and that works, and I can connect to the VPN, except.... I can't ping the main server on the 192.168.2.xxx subnet. 3 doesn't route to 2.
One work around would be simply to add 192.168.3.1 as an alternate IP address for the main server. Then it would lie on both subnets and respond appropriately to the VPN users. This will work. However, I can foresee a day when I add more servers, and I don't want to have to remember to add two IP addresses to every server I add.
So, any ideas?
#243159 - 15/04/2005 00:09
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: One work around would be simply to add 192.168.3.1 as an alternate IP address for the main server.
Hmph, that doesn't even work.
I have no way of knowing if this VPN connection is even working unless I can ping something on the local LAN. And everything on the local LAN is on .2.
#243161 - 15/04/2005 02:34
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
Quote: When creating a L2TP IP pool on the SonicWALL device, the IP addresses must be a unique IP subnet – you cannot specify IP addresses from the LAN (or any other) interface subnet on the device.
I know nothing about VPNs specifically, but I read through the whole linked document, and the only interpretation of that comment that I can figure out is that the IPs can't be from the LAN IP (dhcp) pool. The whole point of a VPN is that the IPs will be in the subnet, but since lower level traffic isn't getting through any existing DHCP server won't be able to hand out addresses. I assume the way to get around having separate pools is to have a radius server that interfaces with the DHCP server, but since you're NATing you shouldn't have any shortage of IPs so that's kind of moot.
Matthew
#243162 - 15/04/2005 05:07
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: This will, apparently, kill any TCP session that's been open for 15 minutes, no matter if it's being used. Or maybe there's an idle thing. I don't quite remember, but I do remember it turning off legitimate TCP traffic. Anyway, the setting is there as a global setting, but the global setting doesn't actually affect anything. You have to set it in the connection-specific area.
Do you happen to remember exactly which screen this is on?
I've been having some behavior on the unit that indicates it might possibly be doing this to me.
Man, that's bad if that's what it's doing. You'd think they'd fix that.
#243163 - 15/04/2005 10:39
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
You probably can't just add the .3.1 address to the server as the server doesn't sit on the same physical network segment as the rest of the .3.0/24 subnet (which I suspect exists solely within the sonicwall box).
Can you ping from a .3.x address to any .2.x address (not just the server) and get a reply? Vice versa? Does the firewall have any log files showing what it's doing with the packets? Do you have any sort of sniffer to see if any .3.0 packets are entering the .2.0 subnet?
-jk
#243164 - 15/04/2005 11:08
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
Quote: Do you happen to remember exactly which screen this is on?
Under Firewall->Advanced there is a setting called "TCP Connection Inactivity Timeout - Default Connection Timeout (minutes):" This setting does not set the Timeout for everything on the box. It simply specifies what the default timeout will be for each new Access Rule that's created in the firewall. Each Access Rule has its own timeout.
Select the rule that reads "LAN * Any Allow" and hit configure. Go to the Advanced tab and you will find the setting "TCP Connection Inactivity Timeout (minutes):" Set it to whatever you like.
The default for the box is 5 minutes on every rule. If you want a specific service to have a higher timeout than the others, just create an Allow rule for that service and specify it there.
You accomplish bandwidth management in the same way.
_________________________
~ John
#243165 - 15/04/2005 13:30
Re: VPN Help
[Re: JBjorgen]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Excellent. Found those screens. Taken care of. Hope that solves the problem. The problem was that the router seemed to "disappear" after a few minutes, and needed a reboot.
#243166 - 15/04/2005 13:39
Re: VPN Help
[Re: jmwking]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: Can you ping from a .3.x address to any .2.x address (not just the server) and get a reply? Vice versa?
No, at least not that I can tell.
Quote: Does the firewall have any log files showing what it's doing with the packets?
Hm. I'll look.
Quote: Do you have any sort of sniffer to see if any .3.0 packets are entering the .2.0 subnet?
I could run ethereal I suppose, haven't tried that yet. I'm hoping that the SonicWall people know the answer to this question already and can help me. I think my support ticket sufficiently describes the problem. Crossing my fingers.
#243167 - 15/04/2005 17:14
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Gah. I'm talking to Apu Nahasapeemapetilon.
#243168 - 15/04/2005 17:32
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
You should get Jim Hogan involved. -jk
#243169 - 15/04/2005 17:44
Re: VPN Help
[Re: jmwking]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Okay, I'm about ready to strangle someone.
I finally break down and decide that the only way around this for sure is to just use their "GlobalVPN" client software.
It was the thing I wanted to avoid... using third party network clients. But oh well, we bought this thing and now we might as well use it. Right?
I find out this thing isn't licensed for any VPN users. At all. Licenses for the GlobalVPN client software cost extra.
I just bought the one Meatballman linked for me. That pricepoint doesn't include clients. ARGH.
#243170 - 15/04/2005 17:48
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
That's what you get for ignoring my caveats.
_________________________
Bitt Faulk
#243171 - 15/04/2005 18:16
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
It was the only product I'd seen with a specific instruction sheet on how to do exactly what I wanted to do: Have a windows client dial in to a VPN router. I can't believe something so simple is so fucking hard to find.
And even with a specific instruction sheet for it, even that doesn't work. Argh.
Keep in mind that this is after I'd already bought a Linksys router that was SUPPOSED to do the same thing but couldn't actually.
#243172 - 15/04/2005 18:31
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Okay, I'm rereading those instructions and they seem to make more sense now for some reason.
So you've successfully gotten remote clients to connect and get assigned 192.168.3.x addresses, right? And that's a separate pool from the .2 network that your in-office machines are on, right? So your problem at this point is that the routing doesn't work.
Let's investigate that.
I imagine that the routing from the .2 network to the .3 clients works fine because their default gateway is the SonicWall already. So your problem is probably that the clients don't know that the .2 network is on the other side of the VPN.
So let's verify that quickly. Can you set it back up so that your client can connect? Then look at your routing table (route print). Then manually add a route that points the .2 network over the VPN connection. So that should look something like "route add 192.168.2.0 mask 255.255.255.0 192.168.3.x", where that last IP address is the SonicWall's address on the .3 network (which, hopefully, it has).
Then try to ping or something and see what happens. I know this isn't a good permanent solution, but at least you can see if this is what the problem is.
_________________________
Bitt Faulk
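The check suggested above (look at the client's routing table, then add a route for the .2 network via the tunnel) is a longest-prefix lookup, and it also shows why a gateway on a .3 network the client cannot reach fails. This is an added example, not code from anyone in the thread; the client routing table, the home LAN 192.168.1.0/24, the client address 192.168.1.50 and the SonicWall pool address 192.168.3.1 are constructed assumptions.

```python
"""Longest-prefix route lookup modelling the 'route print' / 'route add' check from the
thread. The routing tables are constructed: a home client behind a NAT router whose L2TP
adapter was handed 192.168.3.10 from the SonicWall's pool."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ON_LINK = "on-link"   # directly attached network, no next-hop router


@dataclass(frozen=True)
class Route:
    destination: str  # network address, e.g. "192.168.2.0"
    netmask: str      # dotted mask, e.g. "255.255.255.0"
    gateway: str      # next hop, or ON_LINK
    interface: str    # local address of the interface packets leave on
    metric: int = 1

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict (the default): destination must be a real network address, so
        # 192.168.2.0/24 is accepted and 192.168.2.5/24 raises ValueError.
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}")


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Best route for dst: longest prefix first, lowest metric as tie-breaker."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(table: List[Route], dst: str) -> Optional[str]:
    """Which local interface a packet to dst leaves on (None if unroutable)."""
    route = lookup(table, dst)
    return route.interface if route else None


def add_route(table: List[Route], destination: str, netmask: str, gateway: str) -> List[Route]:
    """Model of 'route add <destination> mask <netmask> <gateway>'. The gateway must lie
    on a directly attached network (the check Windows makes too); the new route then
    uses that network's interface."""
    via = lookup(table, gateway)
    if via is None or via.gateway != ON_LINK:
        raise ValueError(f"gateway {gateway} is not on a directly attached network")
    new = Route(destination, netmask, gateway, via.interface)
    new.network  # validates destination/netmask before the route is accepted
    return table + [new]


# Constructed: the thread's situation. The client got a pool address, but there is no
# route for the office's 192.168.2.0/24 and no .3 network it could send packets across,
# so anything for 192.168.2.x follows the default route to the home router.
CLIENT_BEFORE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.50", metric=20),
    Route("127.0.0.0", "255.0.0.0", ON_LINK, "127.0.0.1"),
    Route("192.168.1.0", "255.255.255.0", ON_LINK, "192.168.1.50", metric=20),
    Route("192.168.3.10", "255.255.255.255", ON_LINK, "192.168.3.10"),
]

# Constructed: the same client when the tunnel presents the whole pool as on-link, so
# the SonicWall's assumed pool address 192.168.3.1 is usable as a next hop.
CLIENT_WITH_POOL_NET = CLIENT_BEFORE + [
    Route("192.168.3.0", "255.255.255.0", ON_LINK, "192.168.3.10"),
]


if __name__ == "__main__":
    print("before:", egress_interface(CLIENT_BEFORE, "192.168.2.1"))  # home router, not the tunnel
    try:
        add_route(CLIENT_BEFORE, "192.168.2.0", "255.255.255.0", "192.168.3.1")
    except ValueError as err:
        print("route add fails:", err)
    fixed = add_route(CLIENT_WITH_POOL_NET, "192.168.2.0", "255.255.255.0", "192.168.3.1")
    print("after:", egress_interface(fixed, "192.168.2.1"))  # now leaves via the L2TP adapter
```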
#243173 - 15/04/2005 18:43
Re: VPN Help
[Re: tfabris]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Consumer grade stuff doesn't do VPNs elegantly. And support is laughable at best.
I don't know sonicwall stuff at all, but I'm not encouraged from your experiences.
I've been very happy with the Watchguard stuff we use - it's relatively easy to configure, and has good support. I have 15 or so VPN tunnels between offices, and several roaming user connections (including an accountant in suburban London connecting back to our office in Alexandria, VA, and my laptop regularly from pretty much anywhere).
-jk
#243174 - 15/04/2005 18:52
Re: VPN Help
[Re: jmwking]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
SonicWall claim not to be consumer grade.
_________________________
Bitt Faulk
#243175 - 15/04/2005 19:03
Re: VPN Help
[Re: wfaulk]
enthusiast
Registered: 11/06/2003
Posts: 384
Quote: SonicWall claim not to be consumer grade.
Yeah, I'll give them that, they are exactly =one= step up from consumer (linksys, dlink) grade.
Watchguard is certainly better though my experiences haven't been as good as others. Then you have bespoke (linux, *bsd) stuff, which requires time and knowledge, but not money.
The upper tiers like Cisco, Checkpoint-1, Nokia, NetScreen, &c. I really like NetScreen, seems to be as powerful as anything else and a whole lot easier to make sense of. Compared to a PIX, oh my, life is soooo good.
--Nathan
#243176 - 15/04/2005 19:05
Re: VPN Help
[Re: wfaulk]
old hand
Registered: 27/02/2003
Posts: 777
Loc: Washington, DC metro
Quote: SonicWall claim not to be consumer grade.
I really meant the Linksys...
-jk
#243177 - 15/04/2005 20:38
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: So you've successfully gotten remote clients to connect and get assigned 192.168.3.x addresses, right? And that's a separate pool from the .2 network that your in-office machines are on, right? So your problem at this point is that the routing doesn't work.
Yes. That is exactly correct.
There's something I wasn't mentioning yet because it's a separate issue, but I can actually only do that if I use a dialup (i.e. not NATed) internet connection. But I was going to tackle THAT after I got a basic connection to the network functioning then go from there. So for now, let's look at what you just said...
Quote: "route add 192.168.2.0 mask 255.255.255.0 192.168.3.x", where that last IP address is the SonicWall's address on the .3 network (which, hopefully, it has).
Oddly, there doesn't really seem to be any ".3" network on the sonicwall at all. I think that's part of the problem.
It refuses to let me enter a proper IP address when it asks for the IP pool to feed the VPN users. So I don't think those addresses are routable at all. I've tried a bunch of variations on the ROUTE ADD command and it won't let me do it because any .3. address always generates a "bad address" error.
#243178 - 15/04/2005 23:15
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Okay, maybe I misunderstood.
You entered a range of addresses into the SonicWall to be the ones handed out to VPN clients, right? And the VPN clients are successfully getting those IP addresses, right?
Does the SonicWall have an IP address in that range? If you can't see it configured anywhere, maybe you could ping all the addresses in that subnet and see if any other than the one configured on the client itself responds. If so, that's probably the SonicWall.
Hmm. Maybe I should take another tack and get you to post information extracted from the systems and find out what's going on. First let's get info from the VPN client.
Get a VPN client going and then post the output from "route print" and "ipconfig /all". Also try to ping one of your internal IP addresses and then do a "tracert" to that same address. Post all of that info and let's see where that leads us.
_________________________
Bitt Faulk
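The diagnosis Bitt asks for above (the "route print" / "ipconfig /all" / "tracert" output) and the earlier "route add" attempt can both be reasoned about offline. The following is an added example, not code from the thread, from SonicWall, or from any poster: it parses a constructed Windows "route print" IPv4 table, does the longest-prefix lookup Windows would do for a packet to the office subnet (showing whether it would leave via the VPN adapter at all), and checks a proposed "route add" against the client's interface addresses, assuming the usual rule that a static route's gateway must sit on a directly connected subnet. The addresses (home LAN 10.0.0.0/24, office 192.168.2.0/24, VPN adapter 192.168.3.7) are constructed, and giving the VPN adapter a host-only /32 address is an assumption chosen to match the observation that no ".3" network exists on the SonicWall.

```python
"""Added example (not from the thread): reason about a Windows VPN client's
routing table offline, instead of guessing at the console."""
import ipaddress
import re

# Constructed sample of an XP-era "route print" IPv4 table on a VPN client.
# Home LAN 10.0.0.0/24, VPN adapter holding 192.168.3.7, no entry for the
# office network 192.168.2.0/24 at all.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.5     20
         10.0.0.0    255.255.255.0         10.0.0.5       10.0.0.5     20
         10.0.0.5  255.255.255.255        127.0.0.1      127.0.0.1     20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
      192.168.3.7  255.255.255.255        127.0.0.1      127.0.0.1     50
  255.255.255.255  255.255.255.255         10.0.0.5       10.0.0.5      1
Default Gateway:          10.0.0.1
"""

# Constructed (ip, netmask) pairs as "ipconfig /all" would report them.
# The /32 on the VPN adapter is an assumption, not something the thread states.
INTERFACES = [("10.0.0.5", "255.255.255.0"), ("192.168.3.7", "255.255.255.255")]
VPN_ADAPTER_IP = "192.168.3.7"

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the data rows of a 'route print' IPv4 table as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:  # header, separator and 'Default Gateway:' lines
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gw, "interface": iface, "metric": int(metric),
        })
    return routes


def route_for(dest_ip, routes):
    """Longest-prefix match; lowest metric breaks a tie (Windows semantics)."""
    addr = ipaddress.IPv4Address(dest_ip)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def leaves_via_vpn(dest_ip, routes, vpn_adapter_ip=VPN_ADAPTER_IP):
    """True only if traffic to dest_ip would exit through the VPN adapter."""
    r = route_for(dest_ip, routes)
    return r is not None and r["interface"] == vpn_adapter_ip


def connected_network(gateway, interfaces):
    """The directly attached subnet containing gateway, or None."""
    gw = ipaddress.IPv4Address(gateway)
    for ip, mask in interfaces:
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if gw in net:
            return net
    return None


def check_static_route(dest_cidr, gateway, interfaces):
    """Pre-flight for 'route add <dest> mask <mask> <gateway>'.

    Assumes the common rule that the gateway must be on a directly connected
    subnet; a gateway that is not is rejected before anyone types it in.
    Returns (ok, explanation).
    """
    net = connected_network(gateway, interfaces)
    if net is None:
        return False, f"gateway {gateway} is not on any connected subnet"
    return True, f"{dest_cidr} via {gateway} is reachable on {net}"


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    hit = route_for("192.168.2.10", table)
    print("192.168.2.10 ->", hit["network"], "via", hit["gateway"],
          "out", hit["interface"], "| via VPN:", leaves_via_vpn("192.168.2.10", table))
    print(check_static_route("192.168.2.0/24", "192.168.3.1", INTERFACES))
    print(check_static_route("192.168.2.0/24", "192.168.3.1",
                             [("192.168.3.7", "255.255.255.0")]))
```

With the constructed table, a packet for 192.168.2.10 matches only the default route and leaves the home LAN adapter toward 10.0.0.1, which is the "routing doesn't work" symptom even though the VPN tunnel is up. The proposed gateway 192.168.3.1 is not on any attached subnet while the VPN adapter holds a /32, so the pre-flight rejects it; the same route passes once the adapter is given a /24 on the pool network, which is the situation the "route add" advice in the thread assumes.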
#243179 - 15/04/2005 23:18
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Oh, and as far as the NAT thing goes, google for l2tp and "nat traversal". That should provide some information. At the same time, let's just attack one problem at a time.
_________________________
Bitt Faulk
#243180 - 15/04/2005 23:25
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Quote: You entered a range of addresses into the SonicWall to be the ones handed out to VPN clients, right? And the VPN clients are successfully getting those IP addresses, right?
Correct.
Quote: Does the SonicWall have an IP address in that range?
It does not.
That's the irony of the whole thing. It won't let me hand out addresses in a range that the sonicwall occupies. I just don't GET that. I mean, what's the point, right. Gah.
Quote: Get a VPN client going and then post the output from "route print" and "ipconfig /all".
I'll PM it to you because some of those addresses are ones I don't want getting attacked externally so I don't want them published world-readable on the BBS.
Doing the tracert to the internal address would be an interesting test, I'll try that, too.
There's also a chance we're just gonna shell out and buy the freaking client licenses and run the globalVPN client software. I *KNOW* that works because I tried it and saw it work right up to the point where I exceeded the license count. And it also conveniently solves the NAT traversal problem, I could see in its log how it recognized the NAT and said okie dokie. So if we decide to do that, then this current problem becomes moot.
#243181 - 16/04/2005 00:17
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Yeah, ok, the current plan is to just bite the bullet and buy the client licenses for their proprietary VPN client software, and not worry about this any more.
Thanks for all your help, Bitt, and everyone else.
#243182 - 16/04/2005 00:22
Re: VPN Help
[Re: tfabris]
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
See? That's how they getcha!
_________________________
Bitt Faulk
#243183 - 16/04/2005 02:34
Re: VPN Help
[Re: wfaulk]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
You have no idea. Client licenses for this thing are expensive.
But on the good side, the client software is super-easy to install and configure. It prompts them for the IP address, the preshared key, the user name, and the password, and bam they're in. No setups involving digging into the Windows configuration dialog boxes. This is a big bonus because the plan is to have some people installing this stuff who aren't necessarily very computer-literate. So I think it's worth it in this case.
#243184 - 17/04/2005 12:42
Re: VPN Help
[Re: tfabris]
pooh-bah
Registered: 25/08/2000
Posts: 2413
Loc: NH USA
Tony, I support Sonicwall VPN with three users who don't know Outlook from Outlook Express and I've had no problems with the client software from SW, fwiw.
-Zeke
_________________________
WWFSMD?
#243185 - 17/04/2005 13:51
Re: VPN Help
[Re: Ezekiel]
carpal tunnel
Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Thanks, that's good to know.