Posted by Mike Drechsler - SPAM PROTECTE on February 27, 2006, 2:35 pm
Fred Marshall wrote:
> "Mike Drechsler - SPAM PROTECTED EMAIL"
>> Fred Marshall wrote:
>>> In other words:
>>>
>>> Can one run two VPNs through a Linksys router? Which one? Any other
>>> simple router model of any manufacture?
>>>
>>> Thanks,
>>>
>>> Fred
>>>
>> SNIP
>>
>> Yes
>> RV series
>> Too many to mention.
>>
>> Have you even bothered to look at the Linksys website? If it says VPN
>> endpoint then you can bet the device is limited to 1 or 2 simultaneous VPN
>> connections. If it says VPN router then it's likely 50 simultaneous VPN
>> connections. I would never suggest using any of these routers if you have
>> anywhere close to 50 simultaneous connections running. But for connecting
>> a handful of sites it should work. Perhaps if you had 50 home office
>> users that only access the VPN connection occasionally it might work but I
>> imagine even doing key renegotiations for 50 unused tunnels might stress
>> out a Linksys router.
>>
>> If you need to connect sites and you consider this link important then you
>> should get a consultant who has experience in this area. Your diagrams
>> seem to indicate that you don't quite "get it".
>
> Mike,
>
> Thanks for the reply. You're right, I don't quite get it. So, I'm
> learning. And, oh yes, I've looked at the Linksys website quite a bit. My
> problem is mostly with the lingo which I'm picking up. It's more difficult
> because there seem to be so many VPN schemes.
>
> I'm focusing on Linksys because I work with them often enough at the low
> end, it's what's installed and it's what one of our local ISPs uses. We've
> discussed the RV series.
>
> Maybe you could clear up a nagging question for me:
>
> I see reference to "tunnel" and I see reference to "passthrough" and I see
> reference to "end point". I have a pretty good idea what an end point is.
> But, I don't understand the difference between tunnel and passthrough.
>
> My problem with what I find on the Linksys website is that it seems to talk
> about the devices as VPN end points but not so much about passthrough. For
> example, I can find that there are some of their products that will support
> only one VPN passthrough at a time but no mention, except by implication, of
> products that will support more than one VPN passthrough at a time. Oh yes,
> they talk about more than one end point being implemented but not clearly
> more than one passthrough. So, it's not a dumb question.
>
> One of my problems is that I don't maintain a "lab" where I can buy a bunch
> of stuff and try it out. I have to be conservative in selecting devices
> because I want them to work when I put them in the network. But, I may have
> to just buy one or two of the RV devices for learning.
>
> The architecture I had in mind when I wrote the original post was to
> continue using a NAT device at the front end and to have VPN end points and
> the LAN Internet firewall inside of that device.
>
> Yes, one can ask "why?". It's because there was a desire/need in the
> original architecture to have a cascaded NAT firewall arrangement. It's
> what was implemented and I'd hoped to keep the configuration unless it's
> more trouble than it's worth. And, presumably it would limit the number of
> static public IP addresses we'd need.
>
> My hope that the VPN operations would be transparent to the NAT device (or
> vice versa) - but I have some doubts. I guess an RV at the front end would
> handle this configuration in a routing table - which isn't transparent but
> would be just fine.
>
> Fred
Passthrough means that the router has absolutely no VPN capability built
in. It simply will allow someone inside the network to use VPN software
without blocking the connection. "The connection passes through the
router." This also assumes that the VPN endpoint you are connecting to
supports the address translation that is applied when it passes through
the NAT router, so it's no guarantee that a link could be established.
The reason that it usually only supports a single connection to pass
through is that if you had 2 internal computers trying to connect to the
same VPN server it wouldn't be able to tell which computer to send the
inbound traffic to, since IPSec traffic (the VPN protocol most people use)
is not transmitted using ports like TCP/IP, so it cannot look at the port
numbers to determine which computer the packet is intended for.
Tunnel is basically another word for connection.
Endpoint is a device actually participating in creating the connection
or tunnel. In this case the device supports the VPN protocol and is an
active participant in the connection.
There is not going to be much difference between the Linksys router that
only functions as an endpoint and the one that functions as a router
except for capacity. The endpoint device simply doesn't have software
to support more connections and it likely is also too slow to support
more than the 1 connection it supports. The other devices may have
special chips to speed up the encryption so that they can support more
simultaneous tunnels. Encrypting the data can be very intensive on the
processor.
Most VPN implementations will require a static IP on your VPN gateway.
The IP address becomes part of the identity of the device when building
the connection. You can think of the IP address as part of the username
if you will when the devices connect with each other. If you create a
static IP main mode VPN connection (a technical VPN term) then the two
endpoints will reject inbound connection attempts from IPs they do not
recognize. At the very least you will need to forward the ports the VPN
needs anyhow, so you aren't actually more secure with NAT in front of the
VPN endpoint, since the traffic it's listening for just gets forwarded
anyhow. Unless there is some hidden port the VPN router is listening on,
this really will not improve the security of your VPN device. Because
you would need to use an aggressive mode connection to support the NAT,
you would actually be lowering the security of a site to site link
(although the reduction is fairly trivial).
The RV device would go directly to the modem, you would dump the old
device completely from the picture. The VPN gateway would be your NAT
as well as a VPN box. You can connect a VPN in parallel to an existing
firewall, but in your case the firewall it's replacing doesn't give any
exceptional benefit so there's not much point in running in parallel
like that.
If you need to gain experience you could probably find some cheap gear
on eBay or set up a software router on an old PC with a few spare network
cards and a Linux or BSD router distribution. For low end I have been
recommending Netopia 3386-ENT routers. They can be bought cheap and
they expose you to a pretty good set of features for the price. They
may be cheap enough for you to acquire for the sole purpose of testing.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
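The "single passthrough" limit Mike describes comes down to what a NAT router can key its translation table on. The toy model below is an added illustration, not code from the thread or from any Linksys firmware: it builds a minimal port-translating NAT, sends two inside hosts to the same VPN server with bare ESP (which has no port fields) and shows the second mapping clobbering the first, then repeats the exercise with ESP wrapped in UDP port 4500 (the IPsec NAT traversal encapsulation), which goes one step beyond the post by showing why a NAT-aware endpoint fixes the problem. All addresses are constructed sample values from the RFC 5737 documentation ranges, and the overwrite-on-collision behaviour is an assumption about how a simple NAT reacts, chosen to make the ambiguity visible.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
PUBLIC_IP = "203.0.113.10"       # the NAT router's WAN address
VPN_SERVER = "198.51.100.5"      # the remote VPN endpoint both hosts want to reach
HOST_A = "192.168.1.10"          # two inside computers behind the same NAT
HOST_B = "192.168.1.11"


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # ESP has no port fields, hence None
    dport: Optional[int] = None


class ToyNat:
    """Minimal port-address-translating router: one public IP shared by inside hosts."""

    def __init__(self) -> None:
        self.next_public_port = 40000
        # (proto, remote_ip, remote_port, public_port) -> (inside_ip, inside_port)
        self.port_table: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        # ESP carries no ports, so the only usable key is the remote IP -> one inside host.
        # Assumption for this model: a second inside host simply overwrites the entry.
        self.esp_table: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->Internet packet and remember how to reverse it."""
        if pkt.proto == "esp":
            self.esp_table[pkt.dst] = pkt.src
            return Packet("esp", PUBLIC_IP, pkt.dst)
        public_port = self.next_public_port
        self.next_public_port += 1
        key = (pkt.proto, pkt.dst, pkt.dport, public_port)
        self.port_table[key] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, PUBLIC_IP, pkt.dst, public_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[str]:
        """Return the inside host an Internet->router packet is delivered to, or None."""
        if pkt.proto == "esp":
            return self.esp_table.get(pkt.src)
        inside = self.port_table.get((pkt.proto, pkt.src, pkt.sport, pkt.dport))
        return inside[0] if inside else None


def plain_esp_passthrough() -> Dict[str, Optional[str]]:
    """Two inside hosts each bring up a tunnel to the same server with bare ESP."""
    nat = ToyNat()
    nat.outbound(Packet("esp", HOST_A, VPN_SERVER))
    nat.outbound(Packet("esp", HOST_B, VPN_SERVER))
    # The server answers both; from the NAT's point of view both replies look identical,
    # so host A's traffic ends up at host B and A's tunnel is effectively dead.
    reply = Packet("esp", VPN_SERVER, PUBLIC_IP)
    return {
        "reply_for_A_goes_to": nat.inbound(reply),
        "reply_for_B_goes_to": nat.inbound(reply),
    }


def udp_encapsulated_passthrough() -> Dict[str, Optional[str]]:
    """Same two tunnels, but ESP wrapped in UDP/4500 so the NAT has ports to key on."""
    nat = ToyNat()
    out_a = nat.outbound(Packet("udp", HOST_A, VPN_SERVER, 4500, 4500))
    out_b = nat.outbound(Packet("udp", HOST_B, VPN_SERVER, 4500, 4500))
    # The server replies to whatever public port it saw, which differs per inside host.
    reply_a = Packet("udp", VPN_SERVER, PUBLIC_IP, 4500, out_a.sport)
    reply_b = Packet("udp", VPN_SERVER, PUBLIC_IP, 4500, out_b.sport)
    return {
        "reply_for_A_goes_to": nat.inbound(reply_a),
        "reply_for_B_goes_to": nat.inbound(reply_b),
    }


if __name__ == "__main__":
    print("bare ESP:      ", plain_esp_passthrough())
    print("UDP-wrapped ESP:", udp_encapsulated_passthrough())
```

Running it shows the bare-ESP case delivering both replies to host B, while the UDP-encapsulated case routes each reply to the host that opened it. This is also why Mike's remark that the remote endpoint must "support the address translation" matters: the encapsulation has to be agreed by both ends, so a passthrough-only router cannot fix the problem on its own.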