«

Peter <> writes:
>I would like to replace a Draytek 2900 at a couple of installations
>with something more reliable.

You don't say how many users, which is important for Cisco licensing..

Ie. for SSL-VPN on Cisco branch routers, you will need to license it
with the FL-SSLVPN25-K9 part # which is for 25 users. That is about
$500 street price. The newest of the 800 series boxes is the 892 at
about $800-$900 street price. Although there are older ones in that
line too for less.

As to your GUI... Cisco keeps trying to make a GUI. They keep trying
and trying, and making new products every 2-3 years.

For earlier 8xx boxes, there was SDM.

http://www.cisco.com/en/US/prod/coll...d800fd118.html

For the 890 is seems there is a new one for it running at version 1.0 (whee).

http://www.cisco.com/en/US/prod/coll...78_462210.html


Perhaps you should look beyond Cisco though.

I would go with Fortinet for a firewall/router/VPN box. It has a built
in web GUI (not extra software running on Java on your workstation). The GUI
works very well. The boxes are rock solid. Only complaint I have is
that their support isn't always that great, but I almost never have to
go to them. Street prices on something like a Fortigate 60c should be
about $500.

I would also look at the Juniper SRX, but I don't think they do SSL/VPN on
this line yet, they want to do that on another box.

Christian Hechelmann <> wrote

>Doug McIntyre <> wrote:
>> Peter <> writes:
>>>I would like to replace a Draytek 2900 at a couple of installations
>>>with something more reliable.
>>
>> I would also look at the Juniper SRX, but I don't think they do SSL/VPN on
>> this line yet, they want to do that on another box.
>
>No they don't and in general just stay away from the SRX as the software
>is buggy as hell, if its gonna be Juniper at all, go for the Netscreens/SSGs.
>At least on the NetScreeen/SSGs PPTP is also supported, so there might
>also be a smooth transition.
>
>The OP hasn't said for what he needs the VPN:
>- Site to Site connectivity
>- Roadwarriors connecting to the company network

The answer is BOTH.

>Both can be achieved with IPsec which all of the boxes support out of the
>box. On the client side, you either use the on board means (e.g. on Windows
>anything newer than XP is fine), or any of the various IPsec Clients you
>can either buy or get free of charge.

I don't think you can run IPSEC over GPRS/3G. I know of several people
who have tried to make it work and don't know of anybody who has
succeeded. PPTP (supported by both my old routers and by Windows as a
client) at least works over most networks.

> Ciao Chris

Christian Hechelmann <> wrote

>Peter <> wrote:
>>
>> Doug McIntyre <> wrote:
>>
>>>Peter <> writes:
>>>>I would like to replace a Draytek 2900 at a couple of installations
>>>>with something more reliable.
>>>
>>>You don't say how many users, which is important for Cisco licensing..
>>
>> The VPN is used in two ways.
>>
>> There is a router-router VPN, which is presently done with IPSEC/AES.
>> This provides access between two sites. Maximum one user.
>
>What does that mean? Does the Draytek Software limit this, or is there
>just one guy using the site-2-site connection?

The latter.

>>
>> There is what Draytek call a "teleworker" VPN i.e. access from
>> outside, typically originating via GPRS/3G or hotel WIFI. Current
>> maximum one user; might be two one day. This one is done using PPTP a)
>> because the 2900 supports PPTP only and b) because Windoze supports
>> PPTP VPNs natively.
>
>so there's not much load on the boxes it seems.

Yes; very little.

>For the sizing of the replacemtns boxes you should consider the following:
>- technology used for the internet connection. Could be DSL, could be
> cable modem, could be a leased line, or whatever
>- bandwith going through the box
>- redundancy needed?
>- features used/needed: IPsec? SSL-VPN?
>- budget
>- Licensing costs
>
>And do yourself a favor and get a support plan for the boxes you buy.
>they're ususally next to nothing compared to the cost of halting the
>entire company because there is no Internet, eMail, etc pp...
>
>> I will have a look - thank you. I have never heard of them sold here
>> in the UK though.
>
> Juniper gear is sold and used all over the world, as is Cisco. In the
>past Juniper comes from a carrier background, they only recently offer
>"end-user" gear.
>
>> I have also looked at Sonicwall but they seem to be $3000+ for the SSL
>> VPN box.
>
>Dedicated SSL-VPN boxes are usually not cheap at all. At least the Junper
>SA's do more than just connecting networks together.
>
> Ciao Chris

alexd <> wrote

>Peter (for it is he) wrote:
>
>> alexd <> wrote:
>
>>>Buy a firewall with it built in, rather than the dedicated SSL VPN box.
>>>Much cheaper for fewer users, and does other things as well.
>>
>> Can you suggest any?
>
>Well yes, I think I suggested a TZ100 to you in uk.telecom.broadband a while
>ago

Your memory is better than mine

Yes; I have visited this requirement before.

I have just looked at the TZ100. It is very cheap.

>Small firewall with 5 interfaces and a single concurrent SSL VPN
>license, 5 site-to-site IPsec, 5 VLANs, unlimited devices on the LAN. Extra
>SSL licenses are ~£30 each.

I am trying to work out if it will do what the Draytek 2900 is
currently used for.

At the ADSL end we have a modem (D-link 300 on one site, Draytek 120
on the other site).

At the LAN end we have a 16-port ethernet switch.

There is some port forwarding configured, because both LANs have a web
server running. Yes, the server's performance is not stellar, being on
the 448k ADSL UPlink but it's fine for the purpose.

There is also an email server at each site, getting an SMTP
filtered-email feed from Messagelabs. The incoming email port is
filtered by IP so that only the Messagelabs IP ranges (about 5 IPs)
can make SMTP connections (we had massive spam problems before we went
to ML).

So we port forward Port 80 etc.

Each router also has a DHCP server for the internal LAN.

Each router has wifi enabled although I am getting away from this,
towards wifi bridges (Draytek 800) because Iphone4/Ipad2 wifi crashes
the Draytek 2900 wifi subsystem

The two sites are very similar in terms of router config.

Assuming the TZ100 can do this, I would buy a couple of them and see
if I can get them to work.

>I have no definitive proof that a Sonicwall is better than anything else,
>but I use this stuff every day and it seems to work, so that's why I'm
>suggesting it. It's certainly more cost-effective than an ASA. If I were
>forced to find fault with it, then I would say that I really do prefer
>devices with a plain-text configuration and a decent CLI, but then maybe I'm
>old-fashioned.
>
>> I was after a complete router with the SSL VPN functionality,
>
>When does a router become a firewall and vice versa? Cisco ASA and Sonicwall
>both support dynamic routing protocols and Sonicwalls will do policy-based
>routing [send, say, the boss's web browsing down line one and the minion's
>web browsing down line two] and in my book those are "router" features.
>Cisco IOS, the quintessential router OS, supports firewally stuff like
>protocol inspection. A fully-featured firewall is indistinguishable from a
>fully-featured router, IMO.

Sure; understood.

>> not just an SSL VPN terminating box.
>
>OK. Sonicwall, amongst others, also make standalone SSL VPN termination kit,
>which is more appropriate for where you have tens or hundreds of users you
>want to give SSL VPN access to. I guess if you google "ssl vpn" you'll end
>up looking at dedicated stuff, rather than finding a lower-end all-in-one
>affair.

Peter <> wrote:
> I don't think you can run IPSEC over GPRS/3G. I know of several people
> who have tried to make it work and don't know of anybody who has
> succeeded. PPTP (supported by both my old routers and by Windows as a
> client) at least works over most networks.

Why do you think that?
We have used PPTP a long time over GPRS/3G but we have switched to
L2TP/IPsec and we have experienced no problem at all, on two different
providers.
We use the standard VPN facility in Windows XP. You need to select
L2TP, not Automatic, because Automatic means it will try PPTP first.

(we use a generic Cisco router with IOS)

The only problem is that connectivity is so flakey, resulting in
frequent loss of the VPN connection. Automatic reconnect usually does
not work because there is a stack of connections that need to be made,
first from the laptop to the mobile network and then a VPN on top of that,
and the correct sequencing is important. But that is true for any
protocol. It only may be that certain custom VPN software would handle
the problem more smoothly than bare Windows does.

Peter <> wrote:
>
> Rob <> wrote:
>
>>Peter <> wrote:
>>> I don't think you can run IPSEC over GPRS/3G. I know of several people
>>> who have tried to make it work and don't know of anybody who has
>>> succeeded. PPTP (supported by both my old routers and by Windows as a
>>> client) at least works over most networks.
>>
>>Why do you think that?
>>We have used PPTP a long time over GPRS/3G but we have switched to
>>L2TP/IPsec and we have experienced no problem at all, on two different
>>providers.
>>We use the standard VPN facility in Windows XP. You need to select
>>L2TP, not Automatic, because Automatic means it will try PPTP first.
>
> That's interesting. I have never tried that.
>
> Does L2TP offer better compatibility with mobile networks? AIUI, PPTP
> requires the specific protocol support to be enabled in all the
> routers along the line.

You may experience trouble due to NAT.
Do you get a private address on your GPRS/3G? Some 10.x.x.x address
usually? This means there is a NAT between you and the internet, and
most VPN protocols do not like that.
On the subscriptions I have used, a public IP address is assigned to
the mobile system. Then there usually still is some filtering, e.g.
blocking of incoming TCP traffic, but it is OK for VPN.
Sometimes you can switch between private and public addresses by selecting
a different APN in the configuration of your modem. Ask your provider
about it.

> I have found many WIFI networks which don't pass through PPTP (maybe
> the AP has just got the ports blocked) and quite a lot of GPRS/3G
> networks which do likewise, though this is less of a problem nowadays.

WIFI networks usually have NAT

> Why did you go to L2TP?

Because it looks like L2TP copes better with links with packet loss
than PPTP does. I have no hard evidence but some testing points out
that the VPN performed better and was more stable in situations where
the reception was marginal (and hence packet loss occurs, visible when
you run a ping)

It is also more secure.

Rob <> wrote

>Peter <> wrote:
>>
>> Rob <> wrote:
>>
>>>Peter <> wrote:
>>>> I don't think you can run IPSEC over GPRS/3G. I know of several people
>>>> who have tried to make it work and don't know of anybody who has
>>>> succeeded. PPTP (supported by both my old routers and by Windows as a
>>>> client) at least works over most networks.
>>>
>>>Why do you think that?
>>>We have used PPTP a long time over GPRS/3G but we have switched to
>>>L2TP/IPsec and we have experienced no problem at all, on two different
>>>providers.
>>>We use the standard VPN facility in Windows XP. You need to select
>>>L2TP, not Automatic, because Automatic means it will try PPTP first.
>>
>> That's interesting. I have never tried that.
>>
>> Does L2TP offer better compatibility with mobile networks? AIUI, PPTP
>> requires the specific protocol support to be enabled in all the
>> routers along the line.
>
>You may experience trouble due to NAT.

Why would that be?

If a client device needs to connect to a VPN server, the server's
router needs to have port forwarding enabled on the VPN port(s).

With a VPN router, this is already done implicitly when you
enable/configure the VPN.

>Do you get a private address on your GPRS/3G? Some 10.x.x.x address
>usually? This means there is a NAT between you and the internet, and
>most VPN protocols do not like that.
>On the subscriptions I have used, a public IP address is assigned to
>the mobile system. Then there usually still is some filtering, e.g.
>blocking of incoming TCP traffic, but it is OK for VPN.
>Sometimes you can switch between private and public addresses by selecting
>a different APN in the configuration of your modem. Ask your provider
>about it.

One does not have that option when travelling. You end up on whichever
3G network you find.

I am not talking about the *server* end of the VPN being on 3G. That
would be very tricky, unless you were given a fixed IP.
>
>> I have found many WIFI networks which don't pass through PPTP (maybe
>> the AP has just got the ports blocked) and quite a lot of GPRS/3G
>> networks which do likewise, though this is less of a problem nowadays.
>
>WIFI networks usually have NAT

Comments as above, however. NAT is not a problem.

It is like if e.g. you run a web server behind a NAT router. You have
to port forward Port 80 to the web server's internal IP.

>> Why did you go to L2TP?
>
>Because it looks like L2TP copes better with links with packet loss
>than PPTP does. I have no hard evidence but some testing points out
>that the VPN performed better and was more stable in situations where
>the reception was marginal (and hence packet loss occurs, visible when
>you run a ping)

That's interesting; worth a try.

>It is also more secure.

Can you give more details?

A lot of people say PPTP is insecure but at the same time nobody seems
to have developed a straightforward attack on it.

Peter <> wrote:
>>You may experience trouble due to NAT.
>
> Why would that be?
>
> If a client device needs to connect to a VPN server, the server's
> router needs to have port forwarding enabled on the VPN port(s).
>
> With a VPN router, this is already done implicitly when you
> enable/configure the VPN.

Please study the matter more carefully.
Protocols like PPTP do no use "ports". They are a protocol on their
own, not using TCP or UDP but running directly on top of IP.

The "NAT model" does not cleanly apply to such protocols.
Workarounds are possible, but with limitations.

> One does not have that option when travelling. You end up on whichever
> 3G network you find.

Our workers only travel within the country and are always on the same
network. Your situation may be different.

> Comments as above, however. NAT is not a problem.

I think NAT is your problem. But maybe it isn't, and I am wrong.
I cannot help you with that.

>>It is also more secure.
>
> Can you give more details?
>
> A lot of people say PPTP is insecure but at the same time nobody seems
> to have developed a straightforward attack on it.

L2TP has an additional "shared secret" or PKI certificate in addition
to the username/password authentication of PPTP.

Anyone knowing the username/password of one of your users can get in
the PPTP server, and such information usually leaks out easily e.g.
because workers share it with colleagues or it is overlooked when they
enter it. With L2TP/IPsec you basically authenticate the machine in
addition to the user.

Peter <> writes:
>>L2TP has an additional "shared secret" or PKI certificate in addition
>>to the username/password authentication of PPTP.
>>
>>Anyone knowing the username/password of one of your users can get in
>>the PPTP server, and such information usually leaks out easily e.g.
>>because workers share it with colleagues or it is overlooked when they
>>enter it. With L2TP/IPsec you basically authenticate the machine in
>>addition to the user.

>If that's the only issue, that's no problem for me because I am the
>only person using the VPN.

The earlier versions of PPTP were also notoriously very insecure and
easily cracked (easier than brute forcing the end users' password).

Certificates also comply with required enterprise policies (ie. two
factor authentication required for VPN connections) from policy
drivers like sarbox & PCI-DSS.

Peter <> wrote:
> From vague memory, UK mobile networks which blocked PPTP were Orange
> and T-Mobile, though T-M has been OK for the last 2 years or so. And
> many others abroad also blocked it and do now.

We use T-Mobile and KPN in the Netherlands and both are OK for PPTP
and for L2TP/IPsec.

On KPN we use the APN that provides transparent access, but I think it
works on the default (firewalling) APN as well.