Possible to secure WEP?

William P.N. Smith hath wroth:

I don't have much experience with either of the above routers. Most of my VPN's are terminated with Sonicwall, Netscreen or products. Well, a few Linksys BEFVP41 boxes (non-wireless). Most of these talk to other identical routers to form the VPN between a central office and a remote office. Users with laptops use various VPN clients including the PPTP client that comes with Windoze.

In theory, any IPSec VPN client will work. I use clients from SafeNet, Cisco, Sonicwall, and open source. Unfortunately, I haven't tried whatever Netgear is selling:

formatting link
at the photos, it appears to be the same as SafeNet.
formatting link
Where the VPN client runs is irrelevant. It can be on a PDA, palmtop, notebook, laptop, desktop, Mac, PC, Linux, etc. There is no such thing as "VPN's that originate on the Internet". It has to come from a machine. As long as it talks IPSec or PPTP, you can play VPN from anywhere.

One gotcha is that the routers have to be able to accommodate "VPN passthrough" for whatever protocol (IPSec, PPTP) you're using. Most routers have this feature, but also limit the number of VPN tunnels. This has become a problem with some popular hot spots, where the wireless router can only handle about 10 VPN tunnels, and all the clients are using VPN's.

Reply to
Jeff Liebermann

Derek Broughton hath wroth:

DD-WRT comes with a PPTP VPN server. I installed pptpclient:

formatting link
mine to allow a router to router VPN. I just noticed that it comes with the current version (V23) of DD-WRT. Oops. The chart at:

formatting link
that Talisman 1.05 includes pptpclient, but when I went looking for it, it wasn't there. There's also a post by James Ewing of Sveasoft claiming that it's there, when it wasn't:

formatting link
dump Sveasoft.

If you want to do an IPSec VPN, you'll need someone's custom compiled image. I've read articles that claim they exist, but I haven't seen one. Google finds numerous questions, but nothing definitive.

For DD-WRT, there's also the VPN version of the firmware, which includes OpenVPN.

formatting link
is SSL based. This is probably the best way to go but I haven't had the need to try it. However, it's not easy. The easiest way is the standard firmware and the Microsoft PPTP client.
formatting link
usual screwup is the really weird format of the user/password file with "*" as a delimiter.

Reply to
Jeff Liebermann

Talisman does. Looking at the pptpd documentation, I think I may have misunderstood what the server IP needs to be. I think I need one IP for the router itself, and another IP for the pseudo-device in the pptp server. I'll have to try it again, this evening.

Reply to
Derek Broughton

I'm beginning to think you're right. Anyway, easy enough to install DD-WRT and restore it to Talisman if I prefer it.

I'll probably stick to pptp, since most of the clients are Windows

Yeah, but I never even got that far. It never sends me any GRE packets back, which makes me think it's a firewall issue, but turning off any packet filtering at either end didn't seem to help.

Reply to
Derek Broughton

WEP with a decent passphrase (use hex key to embed in laptop) should be fine for most purposes. If you are the Bank of England maybe you need more. Why is someone going to sit around and hack your wireless network when just down the street the neighbor in the white house with blue shutters has a wide open network.

Think of this like a burglar alarm on your house, will it actually stop a determined thief, absolutely not, will it get 99.99% of them to try the house next door without the alarm, of course. Why struggle with an alarm if the pickings are easier just a few feet away.

Remember your online banking etc. is done via SSH anyway (https) so that in itself is additional security. If you are just not going to be happy, there are those services that will let you VPN into their network and then they route your traffic. In some public hotspots likely not a bad idea. But you can use them for every day use if you wish. I think there are free ones and fee ones. Shop around before you buy.

fundamentalism, fundamentally wrong.

Reply to
Rico

It will work over a WEP encrypted connection

fundamentalism, fundamentally wrong.

Reply to
Rico

Can someone explain this 'termination' business? I'm puzzled as my office VPN works absolutely fine through my SMC WBR8204 router, and all I had to do was open some ports on the f/w. Furthermore I've read various online articles about setting up VPNs and not seen any particular mention of this. Mark McIntyre

Reply to
Mark McIntyre

Sure. A VPN is a tunnel. A tunnel with only one end is a cave. There's no such thing as a VPN cave unless you need a place to store surplus bytes.

When you connect through a VPN, the VPN server (termination) at the other end of the tunnel has an IP address pool that delivers an

*ADDITIONAL* IP address to your workstation. This new IP address is part of the remote network.

Example: You have a NAT router connected to the internet. The WAN IP can be anything. Your LAN IP address is 192.168.1.21. Your gateway IP address is 192.168.1.1 (same as your router). Now, you connect to a remote VPN server (termination). It gives you an additional IP address on its network as 192.168.25.53. Note that this IP cannot be in the same class C IP block as your own LAN.

In addition, it may give you a default gateway that points to its default gateway. For example, the gateway may be 192.168.25.1. All your internet traffic will then go through this remote gateway. Having everything go through the remote gateway may not be a good idea. For example, it will effectively prevent you from browsing the internet if the remote gateway goes only to the remote LAN. There's usually a check box hidden under numerous advanced menus, that looks something like: [ ] Use default gateway on remote network. If you check it, everything goes to the remote gateway. If you don't check it, everything destined for the internet will go through your local router, while everything destined for 192.168.25.xxx will go through the VPN tunnel.

Working correctly, a VPN tunnel should effectively look like your workstation was on the remote LAN. Everything you could do if you were located on the remote LAN can be done through the VPN tunnel. If you hit "browse network neighborhood", you should see all the machines on both the remote and the local LANs. Same with printers, servers, shares, and some devices.

Different types of VPN's use different port numbers and services. If you're using MS PPTP for a VPN, all you need is port 1723. You also need the ability to handle GRE (general router encapsulation protocol). It's GRE that causes problems as it requires special handling by the router. Most routers have it but vary in how many streams they can handle, which limits the number of simultaneous VPN connections through the router.

Reply to
Jeff Liebermann
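As an added example (not code from the thread), the following splits a PPTP session into its two parts, the TCP/1723 control channel and the GRE carrier, and reports which one is missing from a packet summary. The capture lists, addresses and field layout are constructed for illustration.

```python
# Added example (not from the thread): diagnose a PPTP session from a packet
# summary list, separating the TCP/1723 control channel from the GRE carrier.
PPTP_PORT = 1723  # PPTP control connection runs over TCP port 1723
# GRE is IP protocol 47; routers without "VPN passthrough" drop it silently

def diagnose_pptp(packets, client, server):
    """Return a one-line diagnosis for a capture between client and server.

    packets: iterable of (proto, src, sport, dst, dport); proto is "tcp" or
    "gre", and sport/dport are None for GRE, which has no ports.
    """
    seen = {"ctl_out": 0, "ctl_in": 0, "gre_out": 0, "gre_in": 0}
    for proto, src, sport, dst, dport in packets:
        if proto == "tcp" and (src, dst, dport) == (client, server, PPTP_PORT):
            seen["ctl_out"] += 1
        elif proto == "tcp" and (src, sport, dst) == (server, PPTP_PORT, client):
            seen["ctl_in"] += 1
        elif proto == "gre" and (src, dst) == (client, server):
            seen["gre_out"] += 1
        elif proto == "gre" and (src, dst) == (server, client):
            seen["gre_in"] += 1
    if not seen["ctl_out"]:
        return "no PPTP control traffic from the client"
    if not seen["ctl_in"]:
        return "TCP/1723 unanswered: server unreachable or port not forwarded"
    if not seen["gre_out"]:
        return "control channel up but client sends no GRE: local side blocks protocol 47"
    if not seen["gre_in"]:
        return "GRE sent but none returned: a router in the path drops protocol 47"
    return "control channel and GRE flow both ways: tunnel should be up"

# Constructed captures (not real traffic). CLIENT is the home workstation,
# SERVER the office router terminating the tunnel.
CLIENT, SERVER = "192.168.1.102", "203.0.113.10"
HEALTHY = [
    ("tcp", CLIENT, 50001, SERVER, 1723),
    ("tcp", SERVER, 1723, CLIENT, 50001),
    ("gre", CLIENT, None, SERVER, None),
    ("gre", SERVER, None, CLIENT, None),
]
# The symptom reported earlier in the thread: 1723 answers, GRE never comes back.
NO_GRE_BACK = HEALTHY[:3]
```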

That's the problem, there's no such thing as a decent passphrase. The passphrase generators don't generate a key which is stronger than any other, the implementation of WEP is simply weak.

  1. Bored teenager
  2. The unsecured one might be out of range

But I agree apart from 1. above.

David.

Reply to
David Taylor

The question was "is it possible to secure WEP"

The answer is NO.

You have to use something else.

David.

Reply to
David Taylor

hmmm. I think "termination=server" might have been sufficient for Mark's question, but this is all good for me :-)

*ding*,*ding*,*ding*! How come? That's not what the Talisman help said - it said "not in the DHCP range of your LAN". So my DHCP server is at 192.168.22.1 and gives out addresses in 192.168.22.100-150. I made the PPTP server address 192.168.22.10 and _it's_ assigning addresses in 192.168.22.20-30 range. I guess that's wrong.

Thanks Jeff.

Reply to
Derek Broughton

Derek Broughton hath wroth:

It doesn't have to be a "server". It can be terminated in the router at the other end.

Slow down. My explanation wasn't all that clear. Let's try again. Note the "111" and "1" in the 3rd octet below. This is how my office and home networks are set up. To keep it simple, my gateway router, DHCP server, and PPTP terminating server are all built into the gateway router (WRT54Gv3 with DD-WRT v23).

Remote LAN Class C IP address block: 192.168.111.xxx
Remote LAN router IP address: 192.168.111.1
Remote LAN DHCP IP address pool: 192.168.111.100 -> 150
Remote LAN PPTP IP address pool: 192.168.111.90 -> 99

Local LAN Class C IP address block: 192.168.1.xxx
Local LAN router IP address: 192.168.1.1
Local LAN DHCP IP address pool: 192.168.1.100 -> 150
Local LAN PPTP IP address pool: 192.168.1.90 -> 97 (Optional)

WAN (internet) IP's are whatever the ISP delivers and can be anything.

I'm sitting on the Local LAN and the DHCP server gives me an IP address of perhaps 192.168.1.102. The Local LAN gateway is 192.168.1.1. When I run IPCONFIG, I get:

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

I now use PPTP to connect (dial) my office WRT54Gv3. After wasting a few minutes trying to remember the password, I now get:

Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.102
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Comix:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.111.93
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.111.93

With this arrangement, I now have a 2nd IP address for the VPN. All my internet traffic now goes through the VPN tunnel. My Skype connection and GAIM connections immediately complain I'm logged in twice since they're now going through the tunnel at the office and then to the internet. I can surf the web, but it's kinda slow because I'm limited by the outgoing bandwidth of my office DSL connection. If I wanted, I could have unchecked the box buried somewhere in the PPTP VPN client settings that said "use gateway on remote server". When I hit network neighborhood, I can see all the machines and print servers in my palatial office.

I don't know what the Talisman docs are mumbling about. The warning might be to NOT duplicate the IP address block at both ends. It can be done by carefully not duplicating any IP addresses on either end of the tunnel, but the chances of getting that right are about zero. Some VPN routers (Sonicwall) handle the duplicated class C IP address block problem gracefully. Others (Linksys BEFVP41) don't.

Where it screws up is if the Remote LAN is using the common 192.168.1.xxx and the DHCP server at some hot spot delivers 192.168.1.xxx. When you connect to this VPN, it could easily create an unusable system with duplicated IP's. It's not too bad if the gateway points to the Remote LAN, as all traffic to Local LAN devices, except the wireless router, ceases. That will work. But, if you have to still access machines on the Local LAN, then there's a problem. That's why my office LAN is 192.168.111.xxx, so that I can VPN from any common network (except 111). The most common complaint is if the Local LAN has a network printer: they complain that they can't print while connected to the VPN.

Even more complications:

  1. Note the "optional" 192.168.1.90 -> 97 block at the local router. That's for a symmetrical system, where someone from the Remote LAN might want to connect to the Local LAN via another tunnel. This is the common way I do router to router VPN's. You can open a tunnel from either direction.

  2. Note that there are two IP address "pools". One is for DHCP. The other is for PPTP. They are different and cannot overlap. Users (and brain dead admins) should be warned to not assign fixed IP's in either range. This may have been what the Talisman docs were mumbling.

  3. The function of broadcast based services such as DHCP and network browsing depends on how the VPN terminating router handles broadcasts. Many routers just block them as they're really not necessary and contribute substantial useless traffic through the tunnel. However, that means that network browsing will fail. So, you can always use: Start -> Run -> \\netbios_name_of_windoze_server or Start -> Run -> \\ip_address_of_server to open a remote server, share, or directory. Also works for remote printers.

  4. IPSec VPN's are identical except they add multiple layers of authorization, authentication, anti-spoofing, encryption, and protocols. In other words, there are more options to confuse. However, once connected, they operate exactly the same as PPTP.

  5. Netscreen routers are nice because they can do both PPTP and IPSec VPN's simultaneously. The remote users use PPTP because it's simple. The router to router connections use IPSec, because it's more secure.

Reply to
Jeff Liebermann

Right, so we're basically talking about a router that can act as a VPN server for incoming connections. Fine, I understand now, I don't need that I think.

Mark McIntyre

Reply to
Mark McIntyre

Yeah, it has to be a server. A server is just the program that terminates the connection. Yes, I know that's circular, but then so was "termination=server"

...

Apparently they weren't mumbling, since that's exactly what it says. But I'm trying to access the PPTP server in my _own_ router. You're talking about using it to get from one LAN to another over the Internet; I want to use it as my gateway _to_ the Internet. So if there's a prohibition against its addresses being in my own Class C block, that could be my problem.

Reply to
Derek Broughton

Derek Broughton hath wroth:

Well, you CAN use the same Class C IP block if you adhere to three limitations:

  1. Absolutely no duplicated IP addresses on both LAN's, especially the two gateway routers. If your home router is 192.168.1.1, then the remote router CANNOT be 192.168.1.1. However, it can be 192.168.1.2. That implies that the DHCP IP address blocks on each router must be different and not overlap.
  2. If you use the remote router as your gateway to the internet through the VPN, you will lose all contact with other machines on your local LAN.
  3. If broadcasts are blocked by either router, you will not be able to use "Browse Network Neighborhood". If broadcasts are passed, then you run the risk of having the remote DHCP server assign local IP's. That implies that you should have different DHCP IP address blocks on each router.

Reply to
Jeff Liebermann
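As an added example (not code from the thread), the following checks an addressing plan against the rules laid out in the two posts above: DHCP and PPTP pools must not overlap, the router address must sit outside both pools, and when both ends use the same Class C block no address may be duplicated across the tunnel. The site layouts are constructed, modelled on the office/home and hot-spot cases described earlier.

```python
# Added example (not from the thread): check a PPTP VPN addressing plan against
# the rules above. Site layouts below are constructed, modelled on the thread.
import ipaddress

def pool(first, last):
    """All addresses in an inclusive range such as 192.168.1.100 -> 150."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(i) for i in range(int(a), int(b) + 1)}

def site(name, lan, router, dhcp, pptp):
    """One end of the tunnel: LAN block, router address, DHCP and PPTP pools."""
    return {"name": name, "lan": ipaddress.IPv4Network(lan),
            "router": ipaddress.IPv4Address(router),
            "dhcp": pool(*dhcp), "pptp": pool(*pptp)}

def check_site(s):
    """Problems within one LAN: pools inside the block, disjoint, router excluded."""
    problems = []
    if s["dhcp"] & s["pptp"]:
        problems.append(f"{s['name']}: DHCP and PPTP pools overlap")
    for kind in ("dhcp", "pptp"):
        if s["router"] in s[kind]:
            problems.append(f"{s['name']}: router address inside {kind} pool")
        if any(a not in s["lan"] for a in s[kind]):
            problems.append(f"{s['name']}: {kind} pool lies outside the LAN block")
    return problems

def check_tunnel(local, remote):
    """Problems across the tunnel: same block is allowed only with no duplicates."""
    problems = check_site(local) + check_site(remote)
    if local["lan"] == remote["lan"]:
        used_local = {local["router"]} | local["dhcp"] | local["pptp"]
        used_remote = {remote["router"]} | remote["dhcp"] | remote["pptp"]
        dup = sorted(str(a) for a in used_local & used_remote)
        if dup:
            problems.append(f"duplicated addresses on both LANs: {dup}")
    elif local["lan"].overlaps(remote["lan"]):
        problems.append("LAN blocks partially overlap")
    return problems

# The office/home layout from the thread, and the hot-spot case where both
# ends use the common 192.168.1.xxx block with .1 as the router.
OFFICE = site("office", "192.168.111.0/24", "192.168.111.1",
              ("192.168.111.100", "192.168.111.150"), ("192.168.111.90", "192.168.111.99"))
HOME = site("home", "192.168.1.0/24", "192.168.1.1",
            ("192.168.1.100", "192.168.1.150"), ("192.168.1.90", "192.168.1.97"))
HOTSPOT_OFFICE = site("office", "192.168.1.0/24", "192.168.1.1",
                      ("192.168.1.100", "192.168.1.150"), ("192.168.1.90", "192.168.1.99"))
```

Running `check_tunnel(HOME, OFFICE)` returns no problems, while `check_tunnel(HOME, HOTSPOT_OFFICE)` reports the duplicated router and pool addresses.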

Great, thanks Jeff.

Not a pressing issue. The WLAN is really just for sharing an Internet connection - I don't want the other homeowner browsing my machines, and rarely have an interest in my own pair talking to each other.

In any case, I'll worry about that when I get the rest working.

Reply to
Derek Broughton

Replying to an oldish post I know, but you're simply repeating what was said above. If it's terminating, it's a server. If that happens to be inside your router, then that's interesting but beside the point.

Mark McIntyre

Reply to
Mark McIntyre

Well the answer is yes, there you are mistaken and the example is secure sockets employed above the hardware layer.

By itself which was not specified in the original post (there wasn't a qualifier of can ONLY wep ...)

By the way, this is picking nits.

fundamentalism, fundamentally wrong.

Reply to
Rico

Again, you've used a different approach. That hasn't secured WEP, that has secured the application layer. What if I'm using NetBEUI or IPX or any other protocol that doesn't offer a winsock interface and hence no SSL?

I don't care what *extra* encryption methods are added, adding them means that WEP isn't the security method hence WEP hasn't been secured. The link would be as secure using SSL either with or without WEP.

It was implicit ;)

Of course, that's all I've been doing for no other reason than for the sheer bloody mindedness :)

David.

Reply to
David Taylor
