Tag Archives: vpn

Update on the VPN Issue

How appropriate was yesterday’s blog entry? After writing it, I left for work. On my way to work, I got a call about the VPN not working for one of my users.

I spent probably two hours troubleshooting her previously-working IPsec tunnel to no avail. I finally gave up and told her I had to get off the phone to think about it. After some contemplation, I decided that I’d go for the gold and break out the new SSL VPN a bit early.

Of course, the only problem was that a) I had never touched one before, and b) the documentation was pretty meagre.

I hoped for the best as I pulled the device out of the box, then slipped the plastic bag from the chassis. It is a testament to how easy to use that Netgear is that I had my user up on the SSL VPN and working within 2 hours. And it worked the first time I tried it with her.

If there’s any kind of interest in a formal review of the Netgear SSL VPN device, I’ll be happy to type it out, but in a nutshell, if you’re dealing with a small office of users, and you want a firewall with VPN capabilities, that is the one to get.

VPN Woes

Have I told you about my VPN problems? No? Well, sit down a spell and have a listen.

When it comes to my company, we’ve got two types of VPNs, really. There are the site-to-site VPNs, which connect, well, sites. My office’s router (a cluster of Juniper Netscreen 5GTs) has VPNs set up to each of the other sites. It’s sort of a mesh configuration, since every site has every other site connected via VPN policy, but with only a few locations, this isn’t too unbearable. I’d rather have an MPLS network, but hey, I take what I can get.

The real problem becomes user VPNs. See, we’ve got a primary site and a secondary site, and something like 15 users who each need to be able to connect to both locations. This means that I’ve got to maintain 30 accounts on the firewalls, AND 15 user machines which connect up. Neither is fun, but the user machines are the worst part.

We use Juniper Netscreens for the VPNs, and our Mac users typically use VPN Tracker or IPSecuritas. VPN Tracker is easy to set up, and commercial. IPSecuritas is free, but much harder to configure. Both do work, however, which makes them better off than our Windows users. Our Windows users are burdened with Netscreen Remote, and an old version, at that. It’s just generally bad. It gets confused a lot, and requires reboots to clear the IP configuration so that traffic actually reaches the VPN. Sometimes it will die a slow death; the other day I had a user who could connect to most of the resources on the VPN…then they could only connect to a couple. By the end, the only thing they could reach was the Jabber server, over which they were talking to me. A reboot fixed the problem, of course. Lots of times, we’ll have people who can get email, can ping everything, but can’t SSH into anything.

To fix these strange, strange issues, I’m trying another solution: an SSL VPN.

You might know that IPsec operates over UDP port 500, and requires installed software to be configured beforehand. Basically, an SSL VPN differs from an IPsec VPN by transmitting the traffic over encrypted web traffic, to port 443 on the VPN device. This allows the client to connect to the VPN merely by visiting a web page and authenticating. At that point, a Java or ActiveX program is downloaded and installed, which acts as a pre-configured VPN client and transmits internally destined traffic over the SSL tunnel. Anyone who tells you this is a “clientless” operation is lying. The client is just downloaded on the fly.

Anyway, the device I’m going to be using is the Netgear Dual WAN Gigabit SSL VPN. I honestly have no idea if it will work or not, but I’ll be sure to let you know.

I’ll probably be testing it later this week, so the update on it should come next week.