VPN through two firewalls.

Hi all.. I'm trying to set up a VPN connection through two firewalls. My network is as follows:

| Internet | - |firewall| - | DMZ | - | firewall | - | lan |

Obviously I can go from the lan through the firewall, to the DMZ and through the firewall to the internet.. But you can't go from the DMZ onto the lan.. Or from the internet to the lan..

I want to know if there's a way I could VPN to the LAN so I can use Remote Desktop or VNC to access my computer..

My DMZ has a 192.168.1.x IP range, whilst my LAN has a 192.168.168.x range.

If I VPN to my first firewall, I won't be able to access anything on the lan, and if I VPN to the second, well.. I can't get past the first one..

Anyone ever done something like this before?

Reply to
Kissingfish

Why not open up the inbound ports for vpn protocols on the outer firewall so that you can then vpn to the second one ? simon

Reply to
Simon

Wouldn't that give the DMZ access to my LAN?

Reply to
Kissingfish

Depends where you are going to terminate the VPN connection. If the internal firewall can do this then it shouldn't, as access from the DMZ to the LAN will only be available to authenticated users. If you wanted to VPN direct into your PC (XP Pro supports one inbound VPN connection) then you would need to open the VPN ports inbound on your internal router as well. It would give the DMZ and the internet access to the internal machine, but only on the VPN ports, not full access.

Reply to
Simon
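As an added example that is not part of the thread, here is what Simon's first option (VPN terminated on the inner firewall, outer firewall passing only the VPN ports) looks like as nftables rule sets on two Linux firewalls. Everything below is assumed rather than taken from the posters: interface names wan/dmz/lan, the inner firewall at 192.168.1.2 on the DMZ, an IKEv2/IPsec daemon on the inner firewall handing clients addresses from a 10.8.0.0/24 pool, Remote Desktop on TCP 3389 and VNC on TCP 5900, and a kernel/nft new enough to support the `meta ipsec` match.

```nft
# ---- Outer firewall (assumed interfaces: wan, dmz) -------------------------
# Only IKE (UDP 500) and IPsec NAT-T (UDP 4500) are let in, and only towards
# the inner firewall's DMZ address. Because the outer box is doing NAT, the
# client and the inner firewall negotiate NAT-T and ESP travels inside UDP 4500,
# so no raw ESP (IP protocol 50) rule is needed here.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan" udp dport { 500, 4500 } dnat to 192.168.1.2
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Internet -> DMZ: only the DNATed VPN ports, only to the inner firewall.
        iifname "wan" oifname "dmz" ip daddr 192.168.1.2 udp dport { 500, 4500 } accept
        # DMZ -> Internet (this is also how LAN traffic gets out, via the inner FW).
        iifname "dmz" oifname "wan" accept
    }
}

# ---- Inner firewall (assumed interfaces: dmz = 192.168.1.2, lan) -----------
# The VPN terminates on this box. The DMZ side can reach nothing on it except
# the IKE/NAT-T ports, and decrypted client traffic is forwarded into the LAN
# only for Remote Desktop and VNC.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # The only service the DMZ (and, through the DNAT, the Internet) can
        # talk to on this host is the VPN daemon.
        iifname "dmz" udp dport { 500, 4500 } accept
        # Management from the LAN side.
        iifname "lan" accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Outbound from the LAN keeps working as before.
        iifname "lan" oifname "dmz" accept
        # Decrypted VPN traffic: it re-enters on the dmz interface after ESP
        # decapsulation, must have come out of an IPsec SA (meta ipsec), and
        # must carry a pool address. Nothing else from the DMZ is forwarded,
        # so a plain DMZ host still cannot reach the LAN.
        iifname "dmz" meta ipsec exists ip saddr 10.8.0.0/24 \
            ip daddr 192.168.168.0/24 tcp dport { 3389, 5900 } accept
    }
}
```

Load each file with `nft -f` on the respective box and check with `nft list ruleset`. The `meta ipsec exists` condition is the important check: without it, a host in the DMZ that simply sets its source address to 10.8.0.x would match the forward rule, because the pool address alone proves nothing.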

If both firewalls support IPsec then you could do double tunnelling. The outer firewall is configured to protect the DMZ subnet and the inner firewall is set to protect the lan. Thus to connect to the lan you create an IPsec connection to the outer firewall through which you create an IPsec connection to the inner firewall and hence the lan.

If that all sounds like too much work try running Hamachi on any PCs on the LAN you want to talk to and on your PC on the internet.

Reply to
Stephen J. Bevan

We have Hamachi running but it just scares me a bit, as it simply works 'too well'.. Furthermore, the reason why I can't run it is because you can't specify individual passwords like you can with a VPN, and hence disable them at your will..

Reply to
Kissingfish

Is this what you're suggesting?

                 _____                 _____
                |     |               |     |
      WAN       |     |      DMZ      |     |      LAN
  ==============|     |               |     |
   OUTER tunnel |     |               |     |
                |     |               |     |
  -------------------------------------------------------
   INNER tunnel
  -------------------------------------------------------
  ==============|     |               |     |
                |_____|               |_____|

Which is quite cool conceptually. I don't know how it would work from the workstation. I suspect you would need two VPN connections -- one on top of the physical NIC to connect to the outer firewall, then another on top of the first VPN "adapter" to connect to the inner firewall.

This would be hard to set up on each workstation, but I think it would in fact work.

Reply to
Kissingfish

Wouldn't it be easier just to have one dynamic tunnel from the client to the outer FW and then a peer-to-peer static VPN from the outer FW to the inner FW, and just get the outer FW to do the routing?

Reply to
Kissingfish
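As an added example (not the posters' own configuration), here is the chained design just described, written as strongSwan swanctl.conf fragments for the two firewalls. Assumed throughout: strongSwan 5.x on both boxes, the outer firewall's public address 203.0.113.1 and DMZ address 192.168.1.1, the inner firewall at 192.168.1.2, certificate authentication between the two firewalls, EAP-MSCHAPv2 with one username/password per remote user, and a 10.8.0.0/24 client pool.

```conf
# ---- Outer firewall: /etc/swanctl/swanctl.conf ----------------------------
connections {
    # Dynamic road-warrior tunnel. Clients land here and get an address from
    # the assumed 10.8.0.0/24 pool; the only prefix they are allowed to reach
    # is the LAN.
    roadwarrior {
        version = 2
        proposals = aes256-sha256-x25519
        local_addrs = 203.0.113.1
        pools = rw_pool
        local {
            auth = pubkey
            certs = outerfw.pem
            id = outerfw.example.net
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            lan {
                local_ts = 192.168.168.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
    # Static tunnel to the inner firewall. Decrypted client traffic for the
    # LAN matches this child's traffic selectors and is re-encrypted before it
    # crosses the DMZ, so DMZ hosts never see it in the clear.
    to-inner {
        version = 2
        proposals = aes256-sha256-x25519
        local_addrs = 192.168.1.1
        remote_addrs = 192.168.1.2
        local {
            auth = pubkey
            certs = outerfw.pem
            id = outerfw.example.net
        }
        remote {
            auth = pubkey
            id = innerfw.example.net
        }
        children {
            dmz-crossing {
                local_ts = 10.8.0.0/24
                remote_ts = 192.168.168.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = start
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.8.0.0/24
    }
}
secrets {
    # One EAP credential per remote user. Removing a block (and reloading)
    # revokes that user without touching anyone else.
    eap-alice {
        id = alice
        secret = "replace-with-a-real-password"
    }
}

# ---- Inner firewall: /etc/swanctl/swanctl.conf ----------------------------
connections {
    from-outer {
        version = 2
        proposals = aes256-sha256-x25519
        local_addrs = 192.168.1.2
        remote_addrs = 192.168.1.1
        local {
            auth = pubkey
            certs = innerfw.pem
            id = innerfw.example.net
        }
        remote {
            auth = pubkey
            id = outerfw.example.net
        }
        children {
            dmz-crossing {
                local_ts = 192.168.168.0/24
                remote_ts = 10.8.0.0/24
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
```

Load with `swanctl --load-all` on each box and confirm both SAs with `swanctl --list-sas`. The trade-off Stephen raises later in the thread applies here: the outer firewall decrypts client traffic and holds the credentials for the inner tunnel, so whoever compromises it already has a path into the LAN. The double-tunnel variant keeps the inner tunnel's keys on the client and the inner firewall only, at the cost of needing client software that can nest one IPsec connection inside another.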

Well that might not have worked.. =/ Essentially, the outer tunnel ends on the first firewall, but there's an inner tunnel that goes through both firewalls..

Reply to
Kissingfish

A Hamachi network can have a password so if you create one network per user then you can disable a user by disabling the network. Exactly how practical this is depends on how many users you have.

Reply to
Stephen J. Bevan

I suggested the double tunnel approach because I (mis)understood from a previous reply that you didn't want to create a permanent link between the two firewalls. I assumed this was because you were worried that if the outer firewall is compromised then this would provide access through your inner firewall over the tunnel.

Reply to
Stephen J. Bevan

Yes, that's what I'm suggesting and it does work, though whether it can work for you depends on whether your workstation VPN software can handle it.

Reply to
Stephen J. Bevan

I'm sorry, but what exactly do you mean by one network per user?

Reply to
Kissingfish

In Hamachi a user can name a network and optionally give it a password. Then the user gives out the name of the network and password to anyone they want to allow to communicate with them. This is a many to one model and does not allow revoking the access of individual users.

So instead of giving the name and password to multiple other users, the user creates multiple networks, one for each user they want to allow to communicate with them. Since each network has a name and password this provides the same access restrictions as a traditional VPN. The access of an individual user can be revoked by removing/changing the password for the network associated with that user.

Reply to
Stephen J. Bevan

By 'network' do you mean 'virtual' network? What happens if I've 10 users trying to log on to the same network?

Reply to
Kissingfish

By 'network' I mean what Hamachi calls a 'network', i.e. it's a name and a password, and anyone with the name and password can join the group and exchange traffic via Hamachi with anyone else who has successfully joined the network. If you don't know the name and password then you can't join and hence can't exchange any traffic. Thus 10 users can only successfully log onto the same network if they all have the password. In your case I'm suggesting you define a network per user (technically per pair that want to talk) so that it is never possible for more than two users -- you and the other user you give the password to -- to connect to that network. That way, if you want to stop a user being able to connect to you, you just change the password for the 'network' you originally gave them access to (or alternatively block them from joining -- I think I saw mention of that feature in Hamachi >= 1.0 or perhaps the premium version).

Reply to
Stephen J. Bevan
