Does Cisco make a SSL VPN router, with a "simple" GUI config?

I would like to replace a Draytek 2900 at a couple of installations with something more reliable.

The router itself works OK but the VPN part of it has two issues:

a) it supports PPTP only (which many GPRS/3G networks do not support), we would like SSL

b) it crashes fairly regularly, and the router needs to have its power cycled to recover the VPN functionality.

Draytek make some SSL VPN products but support forum feedback suggests they are as buggy in this area as the old stuff.

I used to run Cisco 803 routers and they were absolutely solid, but impossible for me or anybody else working here to understand :)

I would pay up to £1000 / $1500 per box.

We use external ADSL modems so don't need an internal modem. We also need to port forward about 10 ports. Apart from that, that's about it. WIFI is not important.

Reply to
Peter

You don't say how many users, which is important for Cisco licensing.

I.e. for SSL-VPN on Cisco branch routers, you will need to license it with the FL-SSLVPN25-K9 part number, which is for 25 users. That is about $500 street price. The newest of the 800 series boxes is the 892 at about $800-$900 street price, although there are older ones in that line too for less.

As to your GUI... Cisco keeps trying to make a GUI. They keep trying and trying, and making new products every 2-3 years.

For earlier 8xx boxes, there was SDM.

For the 890 it seems there is a new one for it running at version 1.0 (whee).


Perhaps you should look beyond Cisco though.

I would go with Fortinet for a firewall/router/VPN box. It has a built in web GUI (not extra software running on Java on your workstation). The GUI works very well. The boxes are rock solid. Only complaint I have is that their support isn't always that great, but I almost never have to go to them. Street prices on something like a Fortigate 60c should be about $500.

I would also look at the Juniper SRX, but I don't think they do SSL/VPN on this line yet, they want to do that on another box.

Reply to
Doug McIntyre

The VPN is used in two ways.

There is a router-router VPN, which is presently done with IPSEC/AES. This provides access between two sites. Maximum one user.

There is what Draytek call a "teleworker" VPN i.e. access from outside, typically originating via GPRS/3G or hotel WIFI. Current maximum one user; might be two one day. This one is done using PPTP a) because the 2900 supports PPTP only and b) because Windoze supports PPTP VPNs natively.

I will have a look - thank you. I have never heard of them sold here in the UK though.

I have also looked at Sonicwall but they seem to be $3000+ for the SSL VPN box.

Reply to
Peter

Buy a firewall with it built in, rather than the dedicated SSL VPN box. Much cheaper for fewer users, and does other things as well.

Reply to
alexd

Can you suggest any?

I was after a complete router with the SSL VPN functionality, not just an SSL VPN terminating box.

Reply to
Peter

No they don't, and in general just stay away from the SRX as the software is buggy as hell; if it's gonna be Juniper at all, go for the NetScreens/SSGs. At least on the NetScreen/SSGs PPTP is also supported, so there might also be a smooth transition.

The OP hasn't said for what he needs the VPN:

- Site to Site connectivity

- Roadwarriors connecting to the company network

Both can be achieved with IPsec, which all of the boxes support out of the box. On the client side, you either use the on-board means (e.g. on Windows anything newer than XP is fine), or any of the various IPsec clients you can either buy or get free of charge.

Ciao Chris

-- 
All these moments will be lost in time, like tears in rain.
Dipl-Ing (FH) Christian 'Dr. Disk' Hechelmann   IRC: DrDisk
GPG Fingerprint: 53BF634B 28326F92 79651A15 F84ABB55 4F068E4E
I think live weapons and "fire at own discretion" should be part of the admin job. [Lars Marowsky-Bree in d.a.s.r]

Reply to
Christian Hechelmann

What does that mean? Does the Draytek software limit this, or is there just one guy using the site-to-site connection?

So there's not much load on the boxes, it seems.

For the sizing of the replacement boxes you should consider the following:

- technology used for the internet connection. Could be DSL, could be cable modem, could be a leased line, or whatever

- bandwidth going through the box

- redundancy needed?

- features used/needed: IPsec? SSL-VPN?

- budget :-)

- Licensing costs

And do yourself a favor and get a support plan for the boxes you buy. They're usually next to nothing compared to the cost of halting the entire company because there is no Internet, email, etc.

:-D Juniper gear is sold and used all over the world, as is Cisco. Juniper comes from a carrier background; they have only recently started offering "end-user" gear.

Dedicated SSL-VPN boxes are usually not cheap at all. At least the Juniper SAs do more than just connecting networks together.

Ciao Chris


Reply to
Christian Hechelmann

Well yes, I think I suggested a TZ100 to you in uk.telecom.broadband a while ago :-) Small firewall with 5 interfaces and a single concurrent SSL VPN license, 5 site-to-site IPsec, 5 VLANs, unlimited devices on the LAN. Extra SSL licenses are ~£30 each.

I have no definitive proof that a Sonicwall is better than anything else, but I use this stuff every day and it seems to work, so that's why I'm suggesting it. It's certainly more cost-effective than an ASA. If I were forced to find fault with it, then I would say that I really do prefer devices with a plain-text configuration and a decent CLI, but then maybe I'm old-fashioned.

When does a router become a firewall and vice versa? Cisco ASA and Sonicwall both support dynamic routing protocols and Sonicwalls will do policy-based routing [send, say, the boss's web browsing down line one and the minion's web browsing down line two] and in my book those are "router" features. Cisco IOS, the quintessential router OS, supports firewally stuff like protocol inspection. A fully-featured firewall is indistinguishable from a fully-featured router, IMO.

OK. Sonicwall, amongst others, also make standalone SSL VPN termination kit, which is more appropriate for where you have tens or hundreds of users you want to give SSL VPN access to. I guess if you google "ssl vpn" you'll end up looking at dedicated stuff, rather than finding a lower-end all-in-one affair.

Reply to
alexd

Christian Hechelmann wrote

The answer is BOTH.

I don't think you can run IPSEC over GPRS/3G. I know of several people who have tried to make it work and don't know of anybody who has succeeded. PPTP (supported by both my old routers and by Windows as a client) at least works over most networks.

Reply to
Peter

Christian Hechelmann wrote

The latter.

Yes; very little.

Reply to
Peter

alexd wrote

Your memory is better than mine :)

Yes; I have visited this requirement before.

I have just looked at the TZ100. It is very cheap.

I am trying to work out if it will do what the Draytek 2900 is currently used for.

At the ADSL end we have a modem (D-link 300 on one site, Draytek 120 on the other site).

At the LAN end we have a 16-port ethernet switch.

There is some port forwarding configured, because both LANs have a web server running. Yes, the server's performance is not stellar, being on the 448k ADSL uplink ;) but it's fine for the purpose.

There is also an email server at each site, getting an SMTP filtered-email feed from Messagelabs. The incoming email port is filtered by IP so that only the Messagelabs IP ranges (about 5 IPs) can make SMTP connections (we had massive spam problems before we went to ML).

So we port forward Port 80 etc.

Each router also has a DHCP server for the internal LAN.

Each router has wifi enabled although I am getting away from this, towards wifi bridges (Draytek 800) because Iphone4/Ipad2 wifi crashes the Draytek 2900 wifi subsystem ;)

The two sites are very similar in terms of router config.

Assuming the TZ100 can do this, I would buy a couple of them and see if I can get them to work.

Sure; understood.

Reply to
Peter

Why do you think that? We have used PPTP a long time over GPRS/3G but we have switched to L2TP/IPsec and we have experienced no problem at all, on two different providers. We use the standard VPN facility in Windows XP. You need to select L2TP, not Automatic, because Automatic means it will try PPTP first.

(we use a generic Cisco router with IOS)

The only problem is that connectivity is so flaky, resulting in frequent loss of the VPN connection. Automatic reconnect usually does not work because there is a stack of connections that need to be made, first from the laptop to the mobile network and then a VPN on top of that, and the correct sequencing is important. But that is true for any protocol. It may only be that certain custom VPN software would handle the problem more smoothly than bare Windows does.

Reply to
Rob

That's interesting. I have never tried that.

Does L2TP offer better compatibility with mobile networks? AIUI, PPTP requires the specific protocol support to be enabled in all the routers along the line.

I have found many WIFI networks which don't pass through PPTP (maybe the AP has just got the ports blocked) and quite a lot of GPRS/3G networks which do likewise, though this is less of a problem nowadays.

Why did you go to L2TP?

Yes; I have that problem when travelling, all the time.

On a recent trip to Greece I bought a local (Cosmote) data SIM, 2GB for 15 euros so great, except that it disconnects every few minutes, presumably to keep a lid on VOIP use, or movie downloads.

Incidentally, does anybody know about IOS (Ipad2) VPN compatibility with the Sonicwall products?

Reply to
Peter

You may experience trouble due to NAT. Do you get a private address on your GPRS/3G? Some 10.x.x.x address usually? This means there is a NAT between you and the internet, and most VPN protocols do not like that. On the subscriptions I have used, a public IP address is assigned to the mobile system. Then there usually still is some filtering, e.g. blocking of incoming TCP traffic, but it is OK for VPN. Sometimes you can switch between private and public addresses by selecting a different APN in the configuration of your modem. Ask your provider about it.

WIFI networks usually have NAT.

Because it looks like L2TP copes better with links with packet loss than PPTP does. I have no hard evidence, but some testing points out that the VPN performed better and was more stable in situations where the reception was marginal (and hence packet loss occurs, visible when you run a ping).

It is also more secure.

Reply to
Rob

Rob wrote

Why would that be?

If a client device needs to connect to a VPN server, the server's router needs to have port forwarding enabled on the VPN port(s).

With a VPN router, this is already done implicitly when you enable/configure the VPN.

One does not have that option when travelling. You end up on whichever 3G network you find.

I am not talking about the *server* end of the VPN being on 3G. That would be very tricky, unless you were given a fixed IP.

Comments as above, however. NAT is not a problem.

It is like if e.g. you run a web server behind a NAT router. You have to port forward Port 80 to the web server's internal IP.

That's interesting; worth a try.

Can you give more details?

A lot of people say PPTP is insecure but at the same time nobody seems to have developed a straightforward attack on it.

Reply to
Peter

Please study the matter more carefully. Protocols like PPTP do not use "ports". They are a protocol on their own, not using TCP or UDP but running directly on top of IP.

The "NAT model" does not cleanly apply to such protocols. Workarounds are possible, but with limitations.

Our workers only travel within the country and are always on the same network. Your situation may be different.

I think NAT is your problem. But maybe it isn't, and I am wrong. I cannot help you with that.

L2TP has an additional "shared secret" or PKI certificate in addition to the username/password authentication of PPTP.

Anyone knowing the username/password of one of your users can get into the PPTP server, and such information usually leaks out easily, e.g. because workers share it with colleagues or it is overlooked when they enter it. With L2TP/IPsec you basically authenticate the machine in addition to the user.

Reply to
Rob
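As an added illustration of Rob's point that PPTP's GRE data channel has no ports for a NAT to rewrite (and of the earlier NAT and port-forwarding discussion), here is a toy NAT model; it is not code from the thread or from any vendor, and the addresses, port numbers and the three VPN "kinds" are constructed assumptions:

```python
"""Toy NAPT model: TCP/UDP-based VPNs share one NAT cleanly, while PPTP's
GRE data channel (IP protocol 47) does not. Added illustration, not code
from the thread or any vendor. Addresses are constructed examples."""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47
PUBLIC_IP = "203.0.113.10"   # constructed: the NAT's single public address


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str                      # inside host
    dst: str                      # remote VPN server
    sport: Optional[int] = None   # None for port-less protocols such as GRE


class ToyNapt:
    """Port-address translation keyed on (proto, src, sport) for TCP/UDP.
    GRE has no ports, so without a PPTP-aware helper (one that tracks the
    GRE call ID) the NAT can only pin protocol 47 to one inside host per peer."""

    def __init__(self) -> None:
        self.next_port = 40000
        self.mapped = {}     # (proto, src, sport) -> public port
        self.pinned = {}     # (GRE, dst) -> the one inside host allowed to use GRE

    def translate(self, f: Flow) -> Optional[str]:
        if f.proto in (TCP, UDP):
            key = (f.proto, f.src, f.sport)
            if key not in self.mapped:
                self.mapped[key] = self.next_port
                self.next_port += 1
            return f"{PUBLIC_IP}:{self.mapped[key]}"
        if f.proto == GRE:
            owner = self.pinned.setdefault((GRE, f.dst), f.src)
            return PUBLIC_IP if owner == f.src else None   # second host collides
        return None


def clients_that_connect(kind: str, hosts: list, server: str) -> list:
    """Per inside host: can its VPN reach `server` through one shared NAT?
    kind: 'pptp' (TCP/1723 control + GRE data), 'l2tp-natt' (UDP/4500
    NAT-T, so ports are present), or 'ssl' (TCP/443)."""
    nat, ok = ToyNapt(), []
    for i, h in enumerate(hosts):
        eph = 50000 + i                       # client's ephemeral source port
        if kind == "pptp":
            flows = [Flow(TCP, h, server, eph), Flow(GRE, h, server)]
        elif kind == "l2tp-natt":
            flows = [Flow(UDP, h, server, 4500)]
        else:
            flows = [Flow(TCP, h, server, eph)]
        ok.append(all(nat.translate(f) is not None for f in flows))
    return ok
```

A single PPTP user behind the NAT still gets through, which matches the one-user case in the thread; the second PPTP client to the same server is where the port-less protocol breaks down.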

If that's the only issue, that's no problem for me because I am the only person using the VPN.

Reply to
Peter

The earlier versions of PPTP were also notoriously very insecure and easily cracked (easier than brute forcing the end users' password).

Certificates also comply with required enterprise policies (i.e. two-factor authentication required for VPN connections) from policy drivers like sarbox & PCI-DSS.

Reply to
Doug McIntyre

Interesting...

Looking at the Draytek 2900, the "teleworker" options I see are:

- PPTP

- IPSEC TUNNEL

- L2TP WITH IPSEC POLICY (with various options on that)

For some reason I was never able to get the last two to work. The Draytek support site has app notes for IPSEC between 2 routers (which I got working) and for PPTP for teleworkers (likewise). I never got any of the other options to work at all, over wifi, never mind GPRS/3G.

From vague memory, UK mobile networks which blocked PPTP were Orange and T-Mobile, though T-M has been OK for the last 2 years or so. And many others abroad also blocked it and still do.

I am looking at the Sonicwall TZ100 now, and am having problems establishing whether it will do all we need. The spec is very brief and they offer no pre-buy support.

Reply to
Peter

The other thought was:

If you are using RDP, then you are presented with a login prompt on the host machine. If you hacked into the system somehow, you still have to know how to login there.

Obviously any weakness is a weakness but I don't see how somebody hacking PPTP is going to get very far. At the far end, they will just see some machine on that IP, and if that is secured using a login and password, you can't browse it, etc. To get further, there have to be additional back doors.

Reply to
Peter
