vpn hardware solution

Hello, first let me say that I am not a network expert at all, and also thanks to whoever takes the time to read this. I work for a company that makes industrial monorail systems for the laundry industry. We will go into large industrial buildings and install many different network devices including computers, PLCs, and remote I/O devices. All of our devices need to have static IP addresses. We need to troubleshoot our devices remotely and most often we accomplish this by making the facility provide us with a dedicated phone line to our main PC, which although slow, is very reliable and simple to set up. Some customers are unwilling to give us phone lines and give us only a network connection and set up a VPN for us. This works, but currently it seems that different IT departments set up VPNs differently, and sometimes we need special software to connect. We also don't know how to make these VPNs work without changing all of our network devices' IP addresses (sometimes over 100 devices) to match the IPs of the VPN we are given. We would love to always go with VPN connections over a phone line because of the speed and other features we could use from having our systems on the internet, but would like them to work the same all the time and not require us to change the IP addresses of our devices. We were wondering if there was perhaps a hardware solution for this. Perhaps we could provide our customer with some type of VPN router that we tell our customers to just give internet to? Should we have two network cards in our main PC? I really have no idea how this type of networking works, but I feel that a solution for this problem exists. Thanks.

Larry


Same problem here, different customers have different VPN implementations, IP ranges and restrictions. Most customers will not let you put anything on their network that connects directly to the internet and is outside their direct control. The current solution is to use a separate (minimal) virtual machine for each customer, and let the customers' IT support install whatever they deem necessary on that to get a VPN link working. VM goes back to the office, gets installed on a common server, and whoever needs to do support for that customer connects to the VM.

If you want to keep your static IP address layout the same across multiple installations, you will need to separate your control network completely from the client's network, in case a client also uses that range on their network (a good idea anyway for other reasons), and run another tunnel (e.g. VPN or SSH with port forwarding) into that. Most major network vendors sell boxes that can be (ab)used for that; alternatively a small headless PC-like device (Soekris or similar) with two network adapters and Linux will do the job.

J. (jack masters)

Thanks a lot for your response. It is nice to know that other people have similar situations. I am pretty unfamiliar with virtual machines, so I have a couple more questions. First, what is the reason most customers will not let you connect directly to the internet? Is it security, cost, or another reason? Is there anything that can be done to make this idea more appealing to customers? Also, if you could connect directly to the internet, what would be the best way to remotely connect?

We do like to keep all of our static IP address layouts the same across all our installations. As far as the virtual machine solution goes, what do you recommend using for a Windows platform? I think you were saying to set up our normal network settings on our main PC, and then also install a virtual machine on that PC on which the customer's IT department installs their VPN link software. We then connect through the VPN to our PC's virtual machine, from which we can access our other network devices somehow. In your last paragraph, are you saying that we should always be using two network cards, or use a hardware solution that can provide the same thing? Sorry for all the questions, and again thanks for responding.

Larry


Various security concerns; from the customer's point of view: "There is something on my network that is connected directly to the internet; I have no control over setup, security updates etc., so I am not happy." If you do not have to be connected to the customer's own network (e.g. for SCADA systems that the customer wants to see from his desktop) there is normally no problem besides the cost of a separate connection. If there *is* a need to be connected to the customer's network, the best solution is to have the customer put in a firewall between your network and theirs. That puts updates and firewall maintenance responsibility on them too ;)

Correct. We use VMware; it is OS-independent for what we use (Windows VM running under Linux or Windows). Install VMware on a laptop, let the customer play around in a VM to set up the VPN, and copy the VM off the laptop later. On the server in the office you end up with a collection of VMs; if customer X needs support, fire up the VM for customer X and connect. Caveat: most VPNs restrict any other network access as long as the VPN is connected, so if you have to copy files back and forth between office and site you have to copy them to the VM first, connect, then copy to site.

Matter of personal preference, and budget. I prefer a separate device (e.g. I can also use it as a DHCP server for connecting laptops on-site, and set it up as a proper firewall between control network and generic office network), but a solution with two network cards, one inside the customer's network and one on the control network can work too. Beware of routing pitfalls if the customer's IP ranges overlap yours. If you have the customer give you VPN access they might even be able to put a firewall/router in that gives you direct access; otherwise you will have to set things up so that you have access through their VPN to a single IP address on the second network card, run a VPN or SSH server on your machine, and route through there into the rest of the control network. Standard boxes exist that can do this (Cisco ASA series comes to mind, other brands have similar things, but there you are talking fairly serious money). If you have the expertise in-house (or can borrow it from somewhere) to set up a small Soekris board it might be more cost-effective. And nobody says you can't have a back-up modem line attached to the same box, as a back-up in case the VPN doesn't work. At one site we have a little GSM modem that has come in handy when somebody dug up both the primary *and* the back-up network lines near a customer's site.

All in all, it depends on how much money you want to spend, and how much time in setting it up. A second-network-card solution might be a bit of a pain to get set up, but if it is well-documented you start seeing the savings with the next site.

J. (jack masters)
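Added example (not from the thread, and not anyone's posted configuration): a small planning script for the two-NIC Linux gateway J. describes in his two replies, covering both ways of reaching the control network behind it (SSH with port forwarding, or routed access with firewall rules) and his warning about overlapping IP ranges. All addresses, interface names, ports and the `support` user are constructed assumptions: the control network is taken to be 192.168.10.0/24 at every site, eth0 faces the customer, eth1 faces the control network, and the devices are reached on Modbus/TCP (502) and HTTP (80). It also assumes the gateway's own outer address sits on a customer transit subnet that does not overlap the control range; if the overlap reaches the gateway's own link, only the SSH option works.

```python
"""Plan the tunnel into a fixed-layout control network behind a two-NIC gateway.

Constructed example values (not from the forum thread):
  control network  192.168.10.0/24 at every site
  eth0 = customer-facing NIC, eth1 = control-network NIC
  support PC needs Modbus/TCP (502) and HTTP (80) on each device
"""
import ipaddress
from typing import Dict, List

CONTROL_NET = ipaddress.ip_network("192.168.10.0/24")   # vendor's fixed layout (assumed)
OUTER_IF, INNER_IF = "eth0", "eth1"                     # assumed interface names
SERVICES = {"modbus": 502, "http": 80}                  # assumed device services
ALIAS_CANDIDATES = ("10.200.0.0/24", "172.31.200.0/24", "192.168.250.0/24")


def overlaps(customer_net: str) -> bool:
    """True when the customer's range collides with the control range (the routing pitfall)."""
    return ipaddress.ip_network(customer_net).overlaps(CONTROL_NET)


def pick_alias_net(customer_net: str) -> ipaddress.IPv4Network:
    """Pick a /24 that collides with neither side; control hosts are published 1:1 under it."""
    cust = ipaddress.ip_network(customer_net)
    for cand in ALIAS_CANDIDATES:
        net = ipaddress.ip_network(cand)
        if not net.overlaps(cust) and not net.overlaps(CONTROL_NET):
            return net
    raise ValueError("no alias range free of both networks")


def ssh_forwards(devices: Dict[str, str], gateway_outer_ip: str, user: str = "support") -> str:
    """Option 1: SSH port forwarding through the gateway.

    The gateway opens each forward from its own control-side address, so the
    customer's addressing never meets the control network and overlap is harmless.
    Local port = 20000 + 10 * last octet + service index (192.168.10.37:502 -> 20370).
    """
    forwards = []
    for name, ip in sorted(devices.items()):
        addr = ipaddress.ip_address(ip)
        if addr not in CONTROL_NET:
            raise ValueError(f"{name} ({ip}) is not on the control network")
        last = int(addr) & 0xFF
        for idx, port in enumerate(SERVICES.values()):
            forwards.append(f"-L {20000 + 10 * last + idx}:{ip}:{port}")
    return f"ssh -N {' '.join(forwards)} {user}@{gateway_outer_ip}"


def gateway_rules(customer_net: str, gateway_outer_ip: str) -> List[str]:
    """Option 2: routed access through the gateway, default deny.

    Only SSH to the gateway itself and the listed service ports into the control
    network are allowed.  When the customer's range overlaps the control range,
    the control hosts are exposed under an alias /24 with NETMAP (10.200.0.37 ->
    192.168.10.37) and traffic is masqueraded on the inner NIC, so a PLC never
    has to answer to a source address that looks like one of its own neighbours.
    """
    rules = [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {OUTER_IF} -d {gateway_outer_ip} -p tcp --dport 22 -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if overlaps(customer_net):
        alias = pick_alias_net(customer_net)
        rules.append(f"iptables -t nat -A PREROUTING -i {OUTER_IF} -d {alias} -j NETMAP --to {CONTROL_NET}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {INNER_IF} -j MASQUERADE")
    # FORWARD sees the post-NETMAP destination, so the control range matches here either way.
    for port in SERVICES.values():
        rules.append(f"iptables -A FORWARD -i {OUTER_IF} -o {INNER_IF} -d {CONTROL_NET} -p tcp --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    devices = {"plc1": "192.168.10.37", "rio1": "192.168.10.51"}   # constructed inventory
    print(ssh_forwards(devices, "203.0.113.10"))
    for rule in gateway_rules("192.168.0.0/16", "203.0.113.10"):   # customer range overlaps
        print(rule)
```

Run it with a customer range such as 192.168.0.0/16 to see the NETMAP and MASQUERADE lines appear; with 10.0.0.0/8 they are omitted and only the plain default-deny forward rules remain. The SSH command is what a support PC on the customer's VPN would run against the gateway's single reachable address, then talk to the PLC at localhost:20370.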

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.