VPN Woes

Date: August 25, 2008

Have I told you about my VPN problems? No? Well, sit down a spell and have a listen.

When it comes to my company, we've got two types of VPNs, really. There are the site-to-site VPNs, which connect, well, sites. My office's router (a cluster of Juniper Netscreen 5GTs) has VPNs set up to each of the other sites. It's sort of a mesh configuration, since every site has every other site connected via VPN policy, but with only a few locations, this isn't too unbearable. I'd rather have an MPLS network, but hey, I take what I can get.

The real problem becomes user VPNs. See, we've got a primary site and a secondary site, and something like 15 users who each need to be able to connect to both locations. This means that I've got to maintain 30 accounts on the firewalls, AND 15 user machines which connect up. Neither is fun, but the user machines are the worst part.

We use Juniper Netscreens for the VPNs, and our Mac users typically use VPN Tracker or IPSecuritas. VPN Tracker is easy to set up, and commercial. IPSecuritas is free, but much harder to configure. Both do work, however, which makes them better off than our Windows users. Our Windows users are burdened with Netscreen Remote, and an old version, at that. It's just generally bad. It gets confused a lot, and requires reboots to clear the IP configuration so that traffic actually reaches the VPN. Sometimes it will die a slow death; the other day I had a user who could connect to most of the resources on the VPN... then they could only connect to a couple. By the end, the only thing they could reach was the jabber server, over which they were talking to me. A reboot fixed the problem, of course. Lots of times, we'll have people who can get email, can ping everything, but can't SSH into anything.

To fix these strange, strange issues, I'm trying another solution: an SSL VPN.

You might know that IPSec operates over UDP port 500, and requires installed software to be configured beforehand. Basically, an SSL VPN differs from an IPSec VPN by transmitting the traffic over encrypted web traffic, to port 443 on the VPN device. This allows the client to connect to the VPN merely by visiting a webpage and authenticating themselves. At that point, a Java or ActiveX program is downloaded and installed which acts as a pre-configured VPN client that transmits internal-destined traffic over the SSL tunnel. Anyone who tells you this is a "clientless" operation is lying. The client is just downloaded on the fly.
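The port difference above is the thing a firewall admin actually ends up checking when a tunnel "comes up but passes no traffic". As an added example (not from the original post, and not Netscreen or Netgear syntax), here is a small Python classifier that reads constructed flow records and reports, per client address, which VPN transport it is using. It goes slightly beyond the post's "UDP 500" and "443": it also recognises IKE NAT-traversal on UDP 4500 and ESP (IP protocol 50), the IPsec data channel, so that a client that negotiated IKE but never sent any ESP shows up as the symptom described for Netscreen Remote. The `key=value` log format and all addresses are constructed for the example.

```python
"""
Classify VPN transports from firewall flow records.

Added example, not part of the original post. The record format (one
space-separated key=value line per flow) and all addresses are constructed;
they are not Netscreen or Netgear log syntax. Port/protocol mapping is
the standard one: IKE on UDP 500, IKE/ESP NAT-T on UDP 4500, ESP as IP
protocol 50, SSL VPN as TLS on TCP 443.
"""
import re
from collections import defaultdict

# Constructed sample flow log (not real traffic).
SAMPLE_LOG = """\
src=203.0.113.10 dst=198.51.100.1 proto=udp sport=500 dport=500
src=203.0.113.10 dst=198.51.100.1 proto=udp sport=4500 dport=4500
src=203.0.113.10 dst=198.51.100.1 proto=esp
src=203.0.113.20 dst=198.51.100.2 proto=tcp sport=51234 dport=443
src=203.0.113.30 dst=198.51.100.1 proto=tcp sport=51235 dport=22
src=203.0.113.40 dst=198.51.100.1 proto=udp sport=500 dport=500
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept as-is."""
    return dict(FIELD_RE.findall(line))


def classify(rec):
    """Return a transport label for one flow record, or None if it is not VPN-related."""
    proto = rec.get("proto", "").lower()
    dport = rec.get("dport")
    if proto == "udp" and dport == "500":
        return "ike"        # IKE key exchange: the "UDP port 500" the post refers to
    if proto == "udp" and dport == "4500":
        return "ike-nat-t"  # IKE and ESP encapsulated in UDP for NAT traversal
    if proto == "esp":
        return "esp"        # the IPsec data channel itself, IP protocol 50
    if proto == "tcp" and dport == "443":
        return "tls-443"    # SSL VPN, or ordinary HTTPS; flow records cannot tell them apart
    return None


def summarize(log_text):
    """Map each source address to the sorted list of VPN transports seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            seen[rec["src"]].add(label)
    return {src: sorted(labels) for src, labels in seen.items()}


def incomplete_ipsec(summary):
    """Sources that negotiated IKE but never passed a data channel (ESP or NAT-T):
    the 'tunnel up, no traffic reaches the VPN' symptom."""
    return sorted(
        src for src, labels in summary.items()
        if "ike" in labels and not ({"esp", "ike-nat-t"} & set(labels))
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, labels in sorted(summary.items()):
        print(src, ",".join(labels))
    print("IKE without data channel:", incomplete_ipsec(summary))
```

Two things worth noting when adapting this to real logs: a flow on TCP 443 only tells you that TLS is in play, not that the SSL VPN client is behind it, so the `tls-443` bucket needs the VPN device's own session log to be meaningful; and an IKE-only client is exactly the case where a firewall policy that permits UDP 500 but blocks ESP or UDP 4500 produces the "can ping, can't SSH" style of half-working tunnel.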

Anyway, the device I'm going to be using is the Netgear Dual Wan Gigabit SSL VPN. I honestly have no idea if it will work or not, but I'll be sure to let you know.

I'll probably be testing it later this week, so the update on it should come next week.

  • Anonymous

    how come you haven't tried openvpn? it's been working for me solidly for the past two years...

  • Matt

    Mostly the (probably irrational) disinclination to put a linux machine straddling the line between the outside network and my precious, precious inner network.

    I understand that I can protect the machine thoroughly with a variety of mechanisms designed to prevent intrusion, but I don't feel any better about it, and the ability to call and get support from someone else if necessary.

    When I worked at the ISP, I'd have had no problem (and in fact, didn't) with select machines being dual homed between the two networks, but in my case now, I'm dealing with financial data, and am unwilling to take that chance.

  • ernieoporto

    We found Netscreen Remote to be terrible after using it for two years. We went to the Juniper SA-2000 SSL VPN after that and never looked back. We used Secure Computing Silver SafeWord 2000 keyfob tokens for authenticating against Safeword Premier Access RADIUS and AD. It enforces all sorts of system policies such as Antivirus and Domain membership.

  • Matt

    @ernieoporto

    That sounds like a nice solution! If you don't mind my asking, what was the ballpark price for something like that?

    I'm only supporting around 20 users at the moment, so dropping $5k on a "real" SSL VPN box isn't really cost effective yet, but if the number of users grows then I might be able to swing it.

  • Anonymous

    wimp! heheh...

    openbsd. armed to the teeth. rock solid and secure. this ain't no linux distro.

    i've got a bunch of sensitive info behind my firewall as well. gun owners' data. now if that's not scary enough....

  • Anonymous

    openbsd with openvpn, serving around 100 users as an email, intranet and admin gateway, running as a guest on a vmware ESXi powered by PE1750 with 512mb of ram.

  • Dan C

    Likewise, OpenVPN on OpenBSD. We chain ours to our existing PKI structure.

    You'll wonder why you wasted so much of your life on IPsec and ISAKMP.

  • Graffiti Knight

    I just switched us in the past two months or so from a Sonicwall 2040 IPSec VPN to a Juniper SA-2500 SSL VPN. The reliability is so much better with SSL than IPSec. On the SonicWALL I'd have users getting disconnected every 15 minutes in some cases, which just kills productivity. I've used the Juniper for 8 hours straight and not been disconnected. The terminal services sessions seem much quicker. It is a bit more costly than your Netgear though (~$8000 for 25 users, including the support contracts).

  • Matt

    @Graffiti_Knight

    Nice! I looked at those Juniper SSL VPN solutions, and they looked sweet, there's just no way I could get that kind of dough. My Netgear only does 10 users at a time, but there are only 14 people in the company right now anyway, so I don't foresee that being a problem soon.