VPN solution needed

I need to find a VPN solution that will allow users to connect to multiple sites simultaneously from one workstation. I have two production sites and am implementing firewalls in order to better secure the sites. I need to put a VPN appliance in each site and have the users tunnel into both sites at the same time. Currently, I am struggling with MS RAS. It is the only solution I have found that will allow a user to tunnel in to two or three sites at the same time, but I am having trouble with routing and other things. I have a Cisco 3000 series VPN, but it doesn't do what I need it to do. Does anyone have any product suggestions?

Thanks,

Christine

Reply to
Christine Niblo

I have firewalls at many clients locations, all of them, different brands, allow the creation of "Branch Office" IPSec tunnels between their main/remote offices. As an example, one client has 8 offices outside their main office, they have it setup like a spoke design, but without the wheel around it. The main office can reach all 8 offices, all 8 offices can reach the main office, the 8 offices can not reach each other - this is by design, not a limitation of the firewalls.

With this method the office firewalls do all the routing and IPSec tunnels between each other - no user interaction is required.

Look into Branch Office VPN solutions.

Reply to
Leythos


I guess what I need is to be able to access two different networks via VPN at once. It seems that I can only fire up one client at a time, which allows me access to only one network.

Reply to
Christine Niblo

Secgo's Crypto IP supports this kind of setup. It also supports certificates from files, PKCS#15 smart cards and PKCS#11 tokens. You can even do domain logon over IPsec with it.

Regards Kimmo Koivisto

Reply to
Kimmo Koivisto

Any VPN firewall can handle this, implemented as multiple site to site networks.

As a software client-to-site, many clients allow multiple tunnels. I've done it on the FortiClient for FortiGate and the SafeNet client for NetScreen. Both are capable of connecting to others' firewalls if they are standards based, but not if they do a lot of proprietary stuff, like a recent Cisco box does for example. In general, do *not* expect an interop of software to appliance to work unless you've tested it or know somebody who has. Software IPsec clients are not well governed by standards and most manufacturers have taken at least some liberties in how they implement things -- some have gone completely off into a magical proprietary land where they interop with nothing but provide tremendously nice features. I like the NS and the FG clients relatively well because they try to act as close to site to site as possible -- in fact, with both of these, I've interchanged an appliance endpoint for a software endpoint and back without a single change to the concentrator. But all VPN clients have their own set of pains.... mostly because they install on a PC. :-)

The flip side of this, installing more than one IPsec client, is even worse. Don't count on that to work at ALL unless you have direct evidence, and even then be suspicious. Test it all out on all OS combinations before you promise anything to your superiors or users. They'll fight mercilessly in many cases and you end up in an unstable world of hurt from which neither manufacturer will be interested in bailing you out.

-Russ.

Reply to
Somebody.
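As an added example (not part of Russ's post or of the original thread), here is a small Python check of the routing pitfalls that bite when two tunnels are up at once on one workstation, which is the situation Christine describes: a protected subnet of one tunnel overlapping the other tunnel's subnet, a tunnel's protected range swallowing the other appliance's own gateway address (so its IKE/ESP traffic gets tunnelled into the first site), and a remote subnet colliding with the local LAN. The site names, gateway addresses and subnets below are constructed for illustration; the same overlap rules apply to the firewall-to-firewall branch-office tunnels mentioned earlier in the thread.

```python
"""Sanity-check concurrent VPN tunnels on one workstation.

Added example, not code from the thread. All tunnel definitions are
constructed; addresses use documentation ranges (TEST-NET, RFC 1918).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    gateway: IPv4Address                 # public address of the site's VPN appliance
    remote_nets: tuple[IPv4Network, ...]  # networks the client routes into this tunnel


def check_conflicts(local_lan: IPv4Network, tunnels: list[Tunnel]) -> list[str]:
    """Return a description of every routing conflict; an empty list means the
    tunnels can coexist (as far as addressing goes)."""
    problems: list[str] = []
    for i, a in enumerate(tunnels):
        for net in a.remote_nets:
            # 1. remote subnet collides with the workstation's own LAN
            if net.overlaps(local_lan):
                problems.append(f"{a.name}: {net} overlaps local LAN {local_lan}")
            # 2. remote subnet contains another site's gateway, so that site's
            #    IKE/ESP packets would themselves be sent down this tunnel
            for b in tunnels:
                if b is not a and b.gateway in net:
                    problems.append(f"{a.name}: {net} contains {b.name} gateway {b.gateway}")
            # 3. two tunnels claim the same destination range
            for b in tunnels[i + 1:]:
                for other in b.remote_nets:
                    if net.overlaps(other):
                        problems.append(f"{a.name} {net} and {b.name} {other} overlap")
    return problems


def route(dst: str, tunnels: list[Tunnel]) -> str | None:
    """Longest-prefix match: name of the tunnel that would carry a packet to
    dst, or None if it stays on the normal (non-VPN) path."""
    addr = ip_address(dst)
    best: tuple[str, IPv4Network] | None = None
    for t in tunnels:
        for net in t.remote_nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (t.name, net)
    return best[0] if best else None


# Constructed sample configuration (hypothetical sites).
LOCAL_LAN = ip_network("192.168.1.0/24")
SITE_A = Tunnel("site-a", ip_address("203.0.113.10"), (ip_network("10.10.0.0/16"),))
SITE_B = Tunnel("site-b", ip_address("198.51.100.20"), (ip_network("10.20.0.0/16"),))
# Same site A, but configured as a full tunnel (everything 0.0.0.0/0 goes to A).
SITE_A_FULL = Tunnel("site-a", ip_address("203.0.113.10"), (ip_network("0.0.0.0/0"),))


def good_setup() -> list[str]:
    """Disjoint split tunnels: expected to report no problems."""
    return check_conflicts(LOCAL_LAN, [SITE_A, SITE_B])


def bad_setup() -> list[str]:
    """Full tunnel to A plus split tunnel to B: A swallows the LAN, B's
    gateway and B's subnet."""
    return check_conflicts(LOCAL_LAN, [SITE_A_FULL, SITE_B])


if __name__ == "__main__":
    for label, result in (("good", good_setup()), ("bad", bad_setup())):
        print(label, "->", result or "no conflicts")
    print("10.20.3.4 via", route("10.20.3.4", [SITE_A, SITE_B]))
```

Run it before promising anything to users: the "good" setup is two non-overlapping split tunnels and reports nothing, while the "bad" setup (a full tunnel to one site plus a split tunnel to the other) reports three conflicts, the most damaging being that site B's gateway address itself falls inside site A's protected range.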

Both the NetScreen SafeNet client and the Fortinet FortiClient can do MSGINA logins, in other words, they can be run prior to the Windows login, for example to authenticate to a remote domain. So I imagine you can tie the token login to that, though I've never tried, but the token part of it is implemented in software on the client so it should be the same whether it's pre- or post-Windows login.

-Russ.

Reply to
Somebody.

Yep, I mean VPN Client software.

I don't know other implementations that can do domain logon over IPsec, using a PKCS#15 smart card or PKCS#11 token for the IPsec. And the same card or token can be used for domain logon.

Regards Kimmo

Reply to
Kimmo Koivisto

Right. So what you need to do is get a client that will connect to both. Which can be tricky. I could, for example, connect the FortiClient to both a NetScreen and a FortiGate at the same time. But I couldn't connect to a very recent Cisco.

So, very specifically, what are you trying to do?

-Russ.

Reply to
Somebody.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.