Does Cisco make an SSL VPN router, with a "simple" GUI config?

We use T-Mobile and KPN in the Netherlands and both are OK for PPTP and for L2TP/IPsec.

On KPN we use the APN that provides transparent access, but I think it works on the default (firewalling) APN as well.

Reply to
Rob

That is a very useful data point - thank you.

Incidentally, on one of the Youtube videos on how to set up the VPN on an Ipad, it shows PPTP, L2TP, or IPSEC. It appears to have 3 tabs. Does that make sense?

Reply to
Peter

It is also possible to use bare IPsec for a VPN. In a roaming user scenario, it is probably better to use L2TP on top of that, but for fixed VPN setups it is usually not used.

Reply to
Rob

One of the toughest things about VPNs is that there are many technologies, and people call them different items depending on how they are using/defining things. There is nothing too universal about it.

In the Apple iOS case, PPTP is straight up. L2TP is L2TP over IPSec like normal, although needing some specific requirements on the backside. But the IPSec option is actually 'Cisco Anyconnect VPN client'. It can't connect to anything but a Cisco VPN server. Furthermore, the design of the OS and sandboxing prevents any other VPN client "Apps" from being written and used effectively.

Your best universal case on Apple iOS is L2TP.

Reply to
Doug McIntyre

The warning is about not being able to use the RDP client Java applet from the web interface of the firewall. You can use the built-in iOS VPN client to connect to the firewall, then I presume you could use an RDP "app" once connected.

AKA a "VPN client", yes. Global VPN for IPsec remote access, and for SSL VPN access, the client is downloaded from the web interface when the user connects.

With regards to pre-sales support, forget getting it directly from any enterprise networking vendor. They all want you to either look at the KB on their website or speak to one of their resellers. Google 'sonicwall uk' and try ringing one of the resellers that turn up on the first page.

Reply to
alexd

Doug McIntyre wrote

Many thanks for that explanation.

My latest Ipad2 also has only those three options, so I have no idea how anybody manages to get SSL VPNs running on it, despite this [link omitted]

Reply to
Peter

Again, SSL VPN means many things to many people.

In some instances, it just is a tunnel to an internal web site.

Other implementations have tunnelling software they download to the client over the web link. Others have full desktop clients that communicate over "SSLVPN".

I recommended Fortinet earlier. They do all three of these scenarios. They also have an iOS SSLVPN App. All it is able to do is the first case, browse an internal web site. I.e. you start up the FortiVPN App, you bring up the VPN, and then you can see a website beyond the VPN gateway with the web browser the SSLVPN App presents.

I don't know of anything specific Juniper or Cisco have done with SSLVPN Apps. I think that is just Marketing getting ahead of themselves.

Reply to
Doug McIntyre

Doug McIntyre wrote

Ok; that's very clever.

Can you suggest a product? Their website is highly opaque, with stupid categories like 'big business', 'small business' etc.

I have emailed them too.

Many thanks for another very useful reply.

This is a good learning experience because in the long run I have to manage this myself - even if I get somebody to initially set it up for me. That rules out Cisco ;) Even their silly old PCMCIA WIFI adaptors have proven opaque in their implementation of supposedly trivial stuff like WEP, and I never managed to make WPA work.

Reply to
Peter

Sadly SSLvpn (aside from e.g. OpenVPN) seems to be mostly geared towards road warriors and not site-to-site connectivity. I personally only know the Juniper SA series, and they are not suitable for site-to-site.

There's nothing inherent in GPRS/3G that would make IPsec fail, though. But carriers often (always?) like to NAT the "internal" portion of the network towards the mobile device, and don't care if it breaks IPsec (since it's not an advertised feature). Also some carriers might outright block it. YMMV.

Hmm, from a technical standpoint, if PPTP works, so should IPsec. PPTP does connection setup via tcp/1723 and then sends the traffic via GRE, which is even more easily broken by (Hide)NAT. IIRC there is no encapsulation available at all from PPTP. L2TP however goes via udp...

Ciao Chris

-- 
All these moments will be lost in time, like tears in rain.
Dipl-Ing (FH) Christian 'Dr. Disk' Hechelmann IRC: DrDisk
GPG Fingerprint: 53BF634B 28326F92 79651A15 F84ABB55 4F068E4E
I think live weapons and "fire at your own discretion" should be part of the admin job. [Lars Marowsky-Bree in d.a.s.r]

Reply to
Christian Hechelmann

Rob wrote:

T-mobile Germany does NAT, I got a 10.x.x.x IP from the mobile network when I just checked with the company droid sitting next to me. My private 3G USB stick using german carrier E-plus on the other hand gets me a public IP. So this might also be APN dependent...

Yeah, and often horribly b0rked consumer routers doing fun things with packets....

Ciao Chris


Reply to
Christian Hechelmann

Juniper SAs do all:

- Browser only, SA more or less acts as a proxy

- SAM (Secure Application Manager), java or native code downloaded to client and run, hacks up name resolution for traffic to be forwarded to 127.0.x.x addresses and captures and forwards any connection, works for outbound connections only.

- Network Connect, native client downloaded and installed, full L3 routed VPN tunnel, any IP protocol works, inbound connections also possible.

There is a component that can be preinstalled to the client ("Juniper installer service") so the user does not need administrative privileges to run/install/update the client components.

From Juniper there is the JunOS Pulse client, but that's a mixed experience... *sigh*

Ciao Chris


Reply to
Christian Hechelmann

I second that.

Ciao Chris


Reply to
Christian Hechelmann

Christian Hechelmann wrote

I currently run IPSEC/AES for the site-site VPN. That's not an issue.

From my very limited digging, the only people I found who are running IPSEC over GPRS/3G are using high-end-administered systems e.g. Cisco employees ;) And they will be accessing a private APN.

AIUI, if you are on GPRS/3G, and are abroad, your data goes **in the phone network packets** all the way to your home country, all the way to the APN there. It does not get connected to the internet where you are locally. So a private APN should work wherever you are in the world.

If L2TP uses UDP for everything, it should work a lot better on mobile networks, because they lose packets fairly frequently, and suffer sometimes long delays. TCP/IP does not handle this too well. At the extreme end you have satellite phones which are truly rubbish and I suspect most of the professional service providers (e.g. aviation weather) on those just use UDP.

Reply to
Peter

alexd wrote

As one of my 3 Draytek 2900 routers has just blown up ;) I will have to move on this.

Not one router supplier has responded to my questions on capabilities so I will probably just have to buy a TZ100 and see what it can be configured for...

Reply to
Peter

The FortiGate line is their all-in-one firewall/VPN solution.

They just scale up from small to huge (i.e. 40Gbps solutions).

I think you've said you have a small office. I'd look at the FGT-60C or FGT-80C products. All the products act much the same, you are only buying capacity (or some higher end feature like LAPD/LAG capabilities, available on the 200B and up).

There are extra add-on subscriptions for anti-virus/IPS/spam filter updates, or just the bare "unbundled" box.

I'd stay far away from the Fortigate 30. The 50B works alright, but is almost the same price as the 60C, and the 60C has much more capacity.

Reply to
Doug McIntyre

L2TP doesn't use pure UDP. The most common implementation is L2TP over IPSec (unlike, say, an L2TP tunnel from Cisco router to router).

L2TP encapsulates the tunnel into UDP packets (port 1701), which are then encapsulated in IPSec ESP protocol packets (protocol 50, the port of the packets inside is opaque to the outside).

So, you'd be back to seeing if the cell data network lets you use protocol 50 across it or not.

Reply to
Doug McIntyre
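As an added illustration (not code from any poster in this thread), here is a small classifier that parses constructed IPv4 packets and labels the transports discussed above: PPTP's TCP/1723 control channel plus GRE data, bare L2TP on UDP/1701, and raw ESP (protocol 50) for L2TP over IPsec. It also flags which of those a carrier-side NAT can rewrite; the NAT-T case (ESP inside UDP/4500, RFC 3948) is not mentioned in the thread and is included as a known fact. All packets are constructed inline, not captured from any network.

```python
import struct

# Constructed sample packets (not captured): a minimal 20-byte IPv4 header
# followed by just enough payload to read transport ports where they exist.
def ipv4(proto, payload=b""):
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 1, 2, 3]), bytes([198, 51, 100, 7]))
    return hdr + payload

def ports(sport, dport):
    # Source/destination port words shared by TCP and UDP, padded to a header size.
    return struct.pack("!HH", sport, dport) + b"\x00" * 16

def classify(pkt):
    """Return (label, nat_rewritable) for one IPv4 packet.

    nat_rewritable is True when the packet carries UDP/TCP ports a plain
    NAT can track; GRE and raw ESP carry no such ports (ESP encrypts them),
    which is why PPTP data and raw IPsec break behind carrier NAT.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 6:                      # TCP
        sport, dport = struct.unpack("!HH", body[:4])
        if 1723 in (sport, dport):
            return ("PPTP control (TCP/1723)", True)
        return ("other TCP", True)
    if proto == 47:                     # GRE: PPTP's data channel
        return ("PPTP data (GRE)", False)
    if proto == 50:                     # raw ESP: inner L2TP/UDP is opaque
        return ("IPsec ESP (raw, e.g. L2TP inside)", False)
    if proto == 17:                     # UDP
        sport, dport = struct.unpack("!HH", body[:4])
        if 500 in (sport, dport):
            return ("IKE (UDP/500)", True)
        if 4500 in (sport, dport):      # NAT-T (RFC 3948): ESP wrapped in UDP
            return ("IPsec NAT-T (ESP in UDP/4500)", True)
        if 1701 in (sport, dport):
            return ("bare L2TP (UDP/1701)", True)
        return ("other UDP", True)
    return ("IP protocol %d" % proto, False)

SAMPLES = [ipv4(6, ports(40000, 1723)), ipv4(47), ipv4(17, ports(1701, 1701)),
           ipv4(50, b"\x00" * 8), ipv4(17, ports(4500, 4500))]

if __name__ == "__main__":
    for p in SAMPLES:
        label, ok = classify(p)
        print("%-36s NAT-rewritable: %s" % (label, ok))
```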

Doug McIntyre wrote

OK.

There seems to be a big variation in the way that different mobile networks are configured.

Even on non-internet stuff there are differences. For example, I found in the development of a fairly obscure product, that Virgin supports GSM FAX whereas T-Mobile doesn't - despite V running *over* the T-M network ;)

Currently, I am getting adequate results running PPTP (which historically often failed to work) on T-M, both UK and abroad. Vodafone is also OK.

Reply to
Peter

Doug McIntyre wrote

Many thanks. Looking at it now.

I need the basic router functions, port forwarding etc., plus:

1) Site-to-site VPN (currently IPSEC/AES256, but it hardly matters how it is done). This is used only with RDP or PC/Anywhere. Only 1 user at any one time.
2) Remote-access VPN (currently PPTP; SSL would be good) with WinXP and iOS (iPad) clients. Usage as above.
3) The ability to block incoming traffic to an SMTP email server (on the internal LAN) except on about 5-6 IP ranges. The current Draytek 2900 manages this but only just, and configuring it is a real pig.

I don't need remote admin; in fact we disable it.

It does need to be rock solid reliable though.

Reply to
Peter

I think the Fortigates are the fullest feature set firewall/router on the market. And they are fairly well priced for the market they are going after. Plus, they have a pretty decent GUI (especially compared to Cisco/Juniper in this area). It seems they just can't get their name out there.

Sure. The 60C does 100 VPN tunnels. You'd get bigger boxes if you need more. (That is probably just a marketing limit to put in some limit; it'd probably do more, although I've never had the opportunity to try it.)

Yep, PPTP, L2TP over IPSec, SSLVPN, IPSec. Although PPTP is deprecated, you have to set it up from the CLI instead of the GUI. Same with L2TP for some reason (not sure why it isn't fully in the GUI). WinXP and iOS clients are best with L2TP over IPSec. There's a tech note about the few extra settings for iOS clients that weren't in the manual.

They are trying to go for the auto-configure IPSec client setup lately, although I still prefer the old-school set every little parameter type setups myself.

No problems here, firewall policy statements are thorough and feature rich. Set up your address range objects, bind them in a group, and one policy is all that is needed. Rate limit per policy, IPS per policy. Scheduling time-of-day per policy.

Sure, click a button what management protocols you want per interface. Turn it off and VPN in for access.

I've got dozens and dozens deployed. Some uptimes are in the 3-year+ range.

I would recommend a reboot/firmware update somewhat sooner than that though.

The only downside I think for the Fortigates is that the support isn't all that great for them. But then again, Watchguard/Sonicwall/Symantec support isn't all that great either. But I rarely need it either. I've had one that had infant death with bad flash, and seen a couple others that weren't mine die (but got replaced on maintenance). But overall, I think real solid boxes.

Reply to
Doug McIntyre

Just an update - I have ordered one Sonicwall TZ100W.

I will try to configure it at one site (my home) first, replacing one of the Draytek 2900 routers. I found some old web review of the TZ100 where the reviewer got it talking via the VPN (IPSEC I think) to a Draytek router, so this box might even work without me having to change the other one as well :)

The Fortigate product looks a lot more feature-packed and faster but I don't think we need the performance. Everything we are doing is limited by the two ADSL speeds. We are not doing any LAN firewall stuff.

Many thanks for all your input.

Peter wrote

Reply to
Peter
