Slashdot Mirror


VPN Solutions for Small/Medium Businesses?

artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"

17 of 126 comments

  1. One word: PIX by overlord2 · · Score: 3, Informative

    Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

    --
    -- "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -A.Einstein
    1. Re:One word: PIX by zerocool^ · · Score: 4, Informative


      Yeah, either that, or you could tell your boss you need a Pix, buy the same thing, with the same innards, by the same company, and buy yourself a nice 24" LCD with the leftover $700.

      30 concurrent VPN connections. Dual internet ports that can function as failover or load balancing. Built in 4-pt switch. $180. That's small business.

      ~Will

      --
      sig?
  2. Openvpn by Anonymous Coward · · Score: 4, Informative

    Why not use OpenVPN? We run this on Linux, OpenBSD and Windows.

  3. IPCOP by mcamino · · Score: 3, Informative

    Hey. We run a medium-sized ISP out of Wilmington, Delaware and we have had GREAT luck using IPCOP and Linksys BEFSX41 endpoints. The Linksys routers are easy to set up and configure and they can be bought cheaply on eBay or any Staples or CompUSA. IPCOP is completely Linux based. The setup is more idiot proof than a Windows install, and it has a web-based admin which rivals standard stand-alone routers. IPCop can run on tons of hardware configurations. We personally run it with 5 network cards and it handles the VAST MAJORITY OF OUR ROUTING needs. Did I mention IPCop is free? Give it a try.

  4. Cisco VPN 3000 by anderiv · · Score: 5, Informative

    At work (~90 employees...I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, Cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP VPN clients that come with most modern operating systems and it's also fully IPsec compatible. So...for example, if you wanted to, you could set up a Linux gateway at home that would connect to your work VPN and establish a LAN-to-LAN VPN link.

    If this proves to be too expensive, you ought to look at OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of Linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.

  5. DIY VPN by strredwolf · · Score: 3, Informative

    I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

    Windows has the client native to the system. Linux can compile PPP and the PPTP client, and w/kernel 2.6.15+ you don't need to patch the kernel to get MPPE encryption/compression. Solaris, alas, needs some patching. I googled this:

    http://mcarpenter.free.fr/Dev/pptp.php

    All works fairly well.

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  6. Poptop by PAPPP · · Score: 3, Informative

    If you want good integration with Windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop. Runs on most any *nix, entirely compatible with the builtin PPTP support in recent versions of Windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest Linux box and it hasn't given me any trouble connecting from WinXP or Linux clients.

  7. OpenVPN by peacefinder · · Score: 4, Informative

    Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

    (However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

    If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  8. OpenVPN rawks the Casbah by Xenophon+Fenderson, · · Score: 5, Insightful

    I really like OpenVPN. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea.

    I'm using OpenVPN to tie routers running OpenWRT (Linux), routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

    --
    I'm proud of my Northern Tibetian Heritage
  9. My Experience by Anonymous Coward · · Score: 3, Informative

    Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

    I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.

    1. Re:My Experience by youngerpants · · Score: 4, Informative
      I have very recently (last week) set up an OpenVPN service for one of my clients on an Ubuntu box.

      http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/

      That site has a very easy to understand howto with plenty of client and server examples. After a day of trawling through the OpenVPN documents, this howto was a breath of fresh air.

  10. M$oft. by ikejam · · Score: 4, Funny

    MS ISA Server.

    HEY I'm just providing an alternative.

  11. Re:OpenVPN behind a NAT? by arivanov · · Score: 3, Informative

    Bollocks.

    It works fine behind a NAT in either UDP or TCP mode. Has always worked. I run it for road warrior access for a 3rd year now after switching over from an IPSEC/PPTP solution.

    If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.

    A measly 320£ worth Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50MBit+. The comparable Cisco device is a higher end PIX or a 3000 series concentrator which costs 5 times that.

    In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
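
The server-side option pushing mentioned in the comment above, as an added example that is not part of the original post: an OpenVPN 2.x server configuration fragment using certificate authentication over UDP. File names, subnets and the DNS address are constructed placeholders.

```conf
# Added example: OpenVPN 2.x server config (constructed values, adjust to your network)
port 1194
proto udp                 # UDP traverses NAT; "proto tcp" is the alternative
dev tun

# Certificate-based authentication (file names are placeholders)
ca   ca.crt
cert server.crt
key  server.key           # private key: keep readable by root only
dh   dh.pem

# Address pool handed out to VPN clients (placeholder subnet)
server 10.8.0.0 255.255.255.0

# Options pushed to every client, so routing and DNS are managed centrally
push "route 192.168.10.0 255.255.255.0"   # internal LAN (placeholder)
push "dhcp-option DNS 192.168.10.1"       # internal resolver (placeholder)

# In server mode this is also pushed to clients; the periodic pings
# keep NAT mappings alive for clients behind a NAT gateway
keepalive 10 120
persist-key
persist-tun

# Drop privileges after startup (group name varies by OS)
user nobody
group nogroup
```

With this in place a client configuration only needs the server address and its own certificate and key; routes and DNS arrive from the server when the tunnel comes up.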
  12. Re:More about OpenVPN behind a NAT firewall. by dwater · · Score: 3, Insightful

    You might want to try contacting the author to see if he is available for consultation. My company hired him to build our prototype system - his rates are very reasonable, and obviously he is the authority since he wrote it.

    --
    Max.
  13. snapgears! by alta · · Score: 3, Interesting

    Cyberguard bought Snapgear, but they still sell the same products. These are great little boxes that we used to set up a 7 office network across the state of Alabama across whatever networks were cheapest (cable, DSL, T1).

    We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.

    --
    Do not meddle in the affairs of sysadmins, for they are subtle, and quick to anger.
  14. Re: IPCOP -- I Second That by InitZero · · Score: 4, Informative

    I have used IPCop for many, many months. With the OpenVPN addon, it makes a sweet RoadWarrior setup. The OpenVPN GUI is even easy enough for our executives to use.

    For us and our 30-something employees, it cost us nothing to put IPCop online. It ran for a year on a P-III/700MHz/256M Dell. We recently upgraded the RAM to 768M so we could make better use of the Squid cache.

    You can get an IPCop server online with VPN in under an hour. As long as you have a computer in the spare parts closet, IPCop is far less expensive than any other solution.

    Matt

  15. racoon ISAKMP daemon by Jizzbug · · Score: 3, Informative

    racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

    At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

    We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

    It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).

    --

    -=/\- Jizzbug -/\=-