Slashdot Mirror


VPN Solutions for Small/Medium Businesses?

artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"


  1. One word: PIX by overlord2 · · Score: 3, Informative

    Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

    --
    -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -A.Einstein
    1. Re:One word: PIX by zerocool^ · · Score: 4, Informative

      Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company, and buy yourself a nice 24" LCD with the leftover $700.

      30 concurrent VPN connections. Dual internet ports that can function as failover or load balancing. Built in 4-pt switch. $180. That's small business.

      ~Will

      --
      sig?
    2. Re:One word: PIX by Jjeff1 · · Score: 2, Informative

      It's similar to a Pix 501, but certainly not a Pix 506E. If I could pick up a Pix 501 for under $200 though for my house, it seems like a good deal. A shiny green Cisco logo is not required for equipment in my attic.
      But for any size business I don't think a Pix 501 is a good choice for a VPN concentrator.

      If the submitter already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?

    3. Re:One word: PIX by sumdumass · · Score: 2, Informative
      If the submitter already has a Windows network, which is likely, is there any reason not to use the PPTP already built into the Windows servers?
      There are some limitations with the Windows built-in PPTP services. This isn't even starting to mention that it is less secure (but sufficient in most cases) than a full-blown IPsec using certificates.

      One limitation I think we ran into is a practical limit of about 5 or 6 connections at the same time. On ours, it would either drop connections to allow more than that or just crap out the entire server (Win2003 server on a Dell PowerEdge, dual P4s and 1.5 gig RAM). Dell confirmed this and the consultants they had install it confirmed it. We ended up using GoToMyPC for several workstations that were telecommuting, which opened the PPTP enough for the others needing it. I'm not happy with using GoToMyPC but I don't make them calls.
    4. Re:One word: PIX by NeonSpirit · · Score: 2, Informative
      Be careful with any Cisco PIX devices; whilst they work well and run the same code across the product range (mostly), licensing and maintenance can be a pain. Functionality is also dependent upon product, i.e. failover is not available at the bottom end.

      Maintenance is especially irritating when it comes to the Cisco VPN client: you cannot obtain a legitimate copy from the Cisco website without a maintenance agreement. And there are fairly frequent updates.

      --
      I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.....my life is my own.
    5. Re:One word: PIX by Anonymous Coward · · Score: 1, Informative

      I have an RV042 and a PIX 501 at home.

      The RV042 is a horrible product. It reboots constantly, getting the VPN to work is a nightmare, and Linksys support is absolutely horrible. Linksys can't seem to be able to put out a decent VPN product.

      The PIX 501 just works. VPN was easy to set up and there is lots of free support on the web and in the newsgroups.

      Based on my experience with the 501, the 506 would be a much better solution.

      Linksys != Cisco.

    6. Re:One word: PIX by nologin · · Score: 2, Informative

      If you are going to try to go with Cisco for VPN, I'd recommend going with an ISR (Integrated Services Router) before going with a PIX. You can get a good 830 series (for a really small setup) or an 1811/1812 for the same price as the PIX 506E, but it offers a lot more features. Firewall, VPN, IPS, built-in switch, router, and wireless (on the 1811/1812). It can't all be bad.

      Oh, and to answer the cross-platform question, there are VPN clients for Windows, Solaris, Linux and Mac OS X.

  2. Try Hamachi. by Futurepower(R) · · Score: 2, Informative

    I've been trying Hamachi. It seems to work as advertised. It makes a connection between a computer behind a hardware and software firewall with a cable ISP and another computer behind a hardware and software firewall with a DSL ISP. Both hardware firewalls have NAT (Network Address Translation. I know not everyone who reads Slashdot works with this.)

    However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.

  3. Openvpn by Anonymous Coward · · Score: 4, Informative

    Why not use OpenVPN? We run this on Linux, OpenBSD and Windows.

    1. Re:OpenVPN by jamesh · · Score: 2, Informative

      I second that. Dead easy to set up, and does almost everything you could want.

      The one and only 'gotcha' I found is in situations where PMTU isn't working right and you are using compression on the tunnel packets. The MTU of the tunnel thinks it's 1500, but it should really be 1500 less the tunnel overhead. A ping shows that a 1500 byte packet gets through, but only because it's easily compressible data. When you start moving actual data around, suddenly connections hang for no readily obvious reason. It could send a nerd mad!
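      The compression gotcha described above, modelled as an added example (not code from this post or from the OpenVPN project): a padded ping fits the physical MTU after compression, random data does not, and sizing the inner MTU to the real overhead fixes it. The per-packet overhead figures and the use of zlib in place of LZO are assumptions for illustration.

```python
import os
import zlib

# Constructed toy model of an OpenVPN-over-UDP tunnel with compression on.
# Overhead numbers are ASSUMPTIONS for illustration, not OpenVPN's exact values.
OUTER_IP_UDP_HEADER = 28      # assumed outer IPv4 (20) + UDP (8) carrying the tunnel
OPENVPN_ENCAP_OVERHEAD = 41   # assumed HMAC/IV/sequence/opcode bytes per packet
PHYSICAL_MTU = 1500           # MTU of the link the tunnel actually rides on


def wire_size(inner_packet: bytes, compress: bool = True) -> int:
    """Bytes that hit the physical link for one tunnelled inner packet."""
    body = inner_packet
    if compress:
        candidate = zlib.compress(inner_packet)   # stand-in for LZO
        # like OpenVPN's lzo, only use the compressed form if it actually shrank
        if len(candidate) < len(inner_packet):
            body = candidate
    return len(body) + OPENVPN_ENCAP_OVERHEAD + OUTER_IP_UDP_HEADER


def fits_without_fragmentation(inner_packet: bytes, compress: bool = True) -> bool:
    """True if the encapsulated packet still fits the physical MTU."""
    return wire_size(inner_packet, compress) <= PHYSICAL_MTU


def ping_payload(size: int) -> bytes:
    """ping pads its packets with a repeating byte pattern, so they compress well."""
    pattern = bytes(range(256))
    return (pattern * (size // 256 + 1))[:size]


def incompressible_payload(size: int) -> bytes:
    """Stand-in for real application data: random bytes do not compress."""
    return os.urandom(size)


def safe_tunnel_mtu() -> int:
    """Largest inner packet that always fits, whatever its compressibility."""
    return PHYSICAL_MTU - OPENVPN_ENCAP_OVERHEAD - OUTER_IP_UDP_HEADER


if __name__ == "__main__":
    print("1500-byte ping fits:        ", fits_without_fragmentation(ping_payload(1500)))
    print("1500-byte real data fits:   ", fits_without_fragmentation(incompressible_payload(1500)))
    print("inner MTU that is safe:     ", safe_tunnel_mtu())
    print("real data at safe MTU fits: ", fits_without_fragmentation(incompressible_payload(safe_tunnel_mtu())))
```

      With these assumed overheads the ping "proves" the tunnel carries 1500-byte packets while a 1500-byte packet of real data oversizes the link; lowering the inner MTU to 1500 minus the overhead removes the discrepancy.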

  4. IPCOP by mcamino · · Score: 3, Informative

    Hey. We run a medium sized ISP out of Wilmington, Delaware and we have had GREAT luck using IPCop and Linksys BEFSX41 endpoints. The Linksys routers are easy to set up and configure and they can be bought cheaply on eBay or any Staples or CompUSA. IPCop is completely Linux based. The setup is more idiot proof than a Windows install, and it has a web based admin which rivals standard stand-alone routers. IPCop can run on tons of hardware configurations. We personally run it with 5 network cards and it handles the VAST MAJORITY OF OUR ROUTING needs. Did I mention IPCop is free? Give it a try.

  5. Cisco VPN 3000 by anderiv · · Score: 5, Informative

    At work (~90 employees... I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, Cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP VPN clients that come with most modern operating systems and it's also fully IPsec compatible. So... for example, if you wanted to, you could set up a Linux gateway at home that would connect to your work VPN and establish a LAN-to-LAN VPN link.

    If this proves to be too expensive, you ought to look at OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of Linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.

  6. DIY VPN by strredwolf · · Score: 3, Informative

    I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

    Windows has the client native to the system. Linux can compile PPP and the PPTP client, and with kernel 2.6.15+ you don't need to patch the kernel to get MPPE encryption/compression. Solaris, alas, needs some patching. I googled this:

    http://mcarpenter.free.fr/Dev/pptp.php

    All works fairly well.

    --

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  7. Poptop by PAPPP · · Score: 3, Informative

    If you want good integration with Windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop. Runs on most any *nix, entirely compatible with the built-in PPTP support in recent versions of Windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest Linux box and it hasn't given me any trouble connecting from WinXP or Linux clients.

  8. Windows Server 2003? by Anonymous Coward · · Score: 1, Informative

    I'm not sure if you are using Windows Server 2003 on site, but if you have a license to it then Microsoft already has a VPN solution. See this how-to:
    http://blog.hishamrana.com/2006/04/07/how-to-windows-2003-vpn-server/

  9. OpenVPN by peacefinder · · Score: 4, Informative

    Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

    (However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

    If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  10. Other Issues: Hamachi setup time. Insecurity. by Futurepower(R) · · Score: 2, Informative

    Other issues:

    Hamachi setup: The setup time for Hamachi is exactly what they say: a few minutes. The interface is a bit quirky, and the documentation is limited.

    Anyone using Hamachi may want to run it as a service; see this explanation from Cyberonica.

    Insecurity: Hamachi uses a very sensible technique for getting around firewalls and NAT. So does Skype VOIP. Of course, that means firewalls and NAT are not really protecting us.

    In no way am I saying that Hamachi itself is insecure. I don't think that. They say all traffic is encrypted, and normally none passes through their servers. I am only saying that these techniques show the insecurity of our present protections.

    ZoneAlarm Security Suite: We use ZoneAlarm Security Suite, a software firewall that notifies users every time something happens that might be an indication of a security breach.

    If the users don't cooperate, and don't call us every time they see a notification, there is no security. ZoneAlarm's notifications are written in pure Geek, an unusual language which is used not to communicate but to pretend to communicate, while actually trying to avoid providing any useful information. Geek is a job security language, not a language for communication.

    The real answer, of course, is to have a secure operating system, not one in which there is a lot of profit to be made selling the next version by criticizing the present version. We need an OS that is designed to be secure, not one that is allowed to be sloppy so that it is insecure.

    Router VPN -- Netgear: We have had an enormous amount of trouble with Netgear router VPNs. We've had a lot of trouble with Netgear technical support. The Netgear products don't seem finished. Once they are working, our experience is that they stay working, with some quirks.

    (Interestingly, Netgear is the worst company for avoiding sending rebates. We almost always have to go to the management of the store from which we bought Netgear equipment and have them get our rebates for us.)

  11. My Experience by Anonymous Coward · · Score: 3, Informative

    Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

    I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.

    1. Re:My Experience by youngerpants · · Score: 4, Informative
      I have very recently (last week) set up an OpenVPN service for one of my clients on an Ubuntu box.

      http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/

      That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.

  12. *shrug* by Theatetus · · Score: 2, Informative

    Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.

    --
    All's true that is mistrusted
  13. I use a Netscreen25 and Netgear ProSafe FVL328 by Yoweigh116 · · Score: 2, Informative

    I'm the systems admin (domain admin, donning asbestos suit) for a small/medium business in New Orleans. We use one Netscreen25 in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurrent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not absolutely certain about the cross-platform client, so you can look that up yourself. ;)

    In addition to the individual user VPNs, the Netscreen maintains persistent tunnels to two remote sites. They're equipped with Netgear ProSafe FVL328 routers. Less capable with low(er) throughput, but the branch end has to deal with a whole lot less traffic. The NS downtown maintains security with its lesser peers, too.

  14. Re:OpenVPN behind a NAT? by arivanov · · Score: 3, Informative

    Bollocks.

    It works fine behind a NAT in either UDP or TCP mode. It has always worked. I've run it for road warrior access for a 3rd year now after switching over from an IPsec/PPTP solution.

    If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management, so you need to get a decent third party firewall.

    A measly £320 worth of Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50 Mbit+. The comparable Cisco device is a higher end PIX or a 3000 series concentrator, which costs 5 times that.

    In addition to that, with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VoIP links in that, etc. With most IPsec based solutions (including Cisco) you cannot get even close to that.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  15. Re:OpenVPN behind a NAT? by JamesTRexx · · Score: 2, Informative

    I set up a new firewall at home last weekend using FreeBSD, PF, and OpenVPN. I hadn't used PF and OpenVPN before and it took maybe one afternoon to set it all up, so it's not that hard. (No, not a simple home version, but one involving crossing a firewall at work, and on my side separate networks for internal, DMZ, and wireless.) I'd say give it a shot and just build two test machines, especially because you can monitor in real time what PF is doing by using tcpdump on the pflog0 interface.

    --
    home
  16. m0n0wall by Anonymous Coward · · Score: 1, Informative

    I set up an IBM x300 server and m0n0wall as my router and it has worked fantastically. It supports IPsec tunnels, as well as PPTP connections. I have two IPsec tunnels to remote sites which both have PIX routers (501 and 506E), as well as connections from remote PPTP clients, which are easy to set up, and I have never had any problems. Highly recommended for anyone looking for both a simple and powerful solution.

  17. Re:OpenVPN behind a NAT? by Wudbaer · · Score: 2, Informative

    I can confirm that it works fine with multiple clients behind a NAT firewall (which more often than not totally fucks up commercial IPsec-based VPN clients). I mean, it's basically SSL, so there is no reason why it shouldn't. Setup was a breeze; reliability in my book is very good. OpenVPN is much, much better than the Watchguard MUVPN solution I replaced with it (basically a souped-up Openswan with the SafeNet SoftRemote client). Also, clients are available for all mainstream platforms, which is always a big problem with most commercial solutions.

  18. Re:OpenVPN rawks the Casbah by BeagleBoi · · Score: 2, Informative

    You do realise that that Schneier article about flaws in Microsoft's PPTP is eight years old, right?

    Microsoft released a patch/upgrade (DUN 1.3) for Windows 95, Windows 98 and Windows NT 3.51 which Schneier agreed fixed most of the problems.

  19. Re: IPCOP -- I Second That by InitZero · · Score: 4, Informative

    I have used IPCop for many, many months. With the OpenVPN addon, it makes a sweet RoadWarrior setup. The OpenVPN GUI is even easy enough for our executives to use.

    For us and our 30-something employees, it cost us nothing to put IPCop online. It ran for a year on a P-III/700MHz/256M Dell. We recently upgraded the RAM to 768M so we could make better use of the Squid cache.

    You can get an IPCop server online with VPN in under an hour. As long as you have a computer in the spare parts closet, IPCop is far less expensive than any other solution.

    Matt

  20. racoon ISAKMP daemon by Jizzbug · · Score: 3, Informative

    racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

    At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

    We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

    It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).

    --

    -=/\- Jizzbug -/\=-
  21. OpenVPN requires you to have access to the router. by Futurepower(R) · · Score: 2, Informative

    Note that OpenVPN requires that you have access to the router to open a port.

    Hamachi works when you don't have access to the router. In some cases in which the router is administered by someone who won't give you access, Hamachi can work where OpenVPN won't.

  22. OpenBSD is made for stuff exactly like this by Anonymous Coward · · Score: 1, Informative
  23. MOD parent down as an idiot by macdaddy · · Score: 2, Informative
    The Cisco Pix (now ASA) product line is not even distantly related to any Linksys on the market. Cisco does not make Linksys products. Linksys makes Linksys products. Yes, I'm well aware that Cisco bought Linksys on 3/21/03 but that does not change the fact that Cisco's and Linksys's products are not in any way related, yet. There isn't a single product in either company's arsenal that crosses over. I work for a Cisco Partner and I work with Pixs every day.

    That said, I'd recommend either a Pix 501 or 506 for a SOHO until Cisco finishes their replacement in the ASA product line. If neither of those devices will fit your needs then I'd recommend stepping up to an x800-series Cisco router. All current Cisco ISR routers have built-in hardware encryption from the basic 850 all the way up to the 3845. Gone are the days of the 2600s which required add-on modules. Easy VPN(tm) is quite nice, as are the basic IPsec offerings. If you need something even better then step up to a low-end ASA. The ASA 5510 is very nice. The 7.x code on the Pix/ASA line is a major improvement (as is the replacement of the PDM with the ASDM).

  24. How small? by WhiteWolf666 · · Score: 2, Informative

    Are we talking 5-10 man offices, over a DSL line?

    Get a WRT54G. Run DD-WRT. Use either the PPTP server or OpenVPN.

    Done and done.

    Of course, your WRT54G won't handle more than 10 users or so; you'll want to switch to a dedicated box or router for that. But you can't beat it in terms of cost/availability: you can get this sucker up and running in 5 minutes flat, pick one up from Best Buy for ~$50, and there are no moving parts whatsoever.

    For a very small office, it's great. For a series of small offices in a larger company, it's okay too. We use this sort of segmented VPN in our offices because of bandwidth reasons; we don't have enough uplink at any given location to really set up a better solution, and we can't financially justify purchasing more than 1 Mbit/s of uplink anywhere.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell