View Full Version : Vpn routers ...so many choices...need your input

12-25-04, 12:25 PM
Hello guys. I have a new client whose requirement is VPN access. He has a main office with a business DSL link there. He will have 3 restaurants and maybe more in the future. Those restaurants will have DSL as well; every night people at each restaurant will have to connect to the main office and upload data. He does not want to purchase VPN-capable routers for those restaurants...at least not yet. He simply wants those guys to launch a VPN client and connect to the main office. Restaurant PCs will use the built-in XP VPN client. Restaurants will probably be using Linksys or some other $100 routers. So here comes my question. I am not very experienced in setting up VPNs, so I've been doing a lot of reading on different VPN-capable routers. I want to recommend him a reliable/robust router that he will be able to continue to utilize in the future as the number of restaurants increases. So I've looked at these routers: Cisco PIX 500, SOHO 97, and 837; CyberGuard SG530; SonicWall TZW. I've been impressed by the SG530 feature set (http://www.cyberguard.com/products/firewall/SG_Family/SG530.html?lang=de_EN), but I am not sure how reliable their products are. Some of you guys are using SonicWall products; how do you like their stability, and can I use the built-in XP L2TP over IPsec client? Does anybody have experience with CyberGuard products? I know Cisco provides very good products, but I am a little concerned with the price of their VPN client.

Please share your experience with the VPN routers I mentioned above, as I want to provide a reliable solution for around $400 (US).

12-27-04, 09:40 AM
You're looking at the Sonicwalls...and that's my vote! :thumb:

Satellite offices will be on DSL also, as well as the main office...so have a SonicWall at each location, and have them do a "router to router VPN"...satellites tie into the central office. So basically you have a WAN (wide area network) over DSL.

Performance, security, and stability will be top notch. If you can, get the highest upload package you can get for the "central office" DSL. Most standard DSL accounts are 1500 down, 128 up. If you have 3x satellite offices, you'll be splitting up that 128 into 3x slices, and that VPN tunnel now becomes a 42K pipe at best. Up your central office DSL to something like a 6000/384 account if your ISP provides it, and now...divide that upload by 3...if you have 3x satellites on a 1500/128 account, your central office upload will be 384/3=128...a nice 128K VPN tunnel.

The full time "router to router" VPN tunnel is the way to go. Constantly on, nice and reliable. Highly recommend that over the software VPN client method.

12-27-04, 10:38 AM
YeOldeStonecat, I was hoping you would reply :) as I see a lot of your posts. The main office will be on SDSL, 1.5 Mb up and 1.5 Mb down...so it's going to be a nice uplink pipe. If I do convince the client to get SonicWalls for the remote sites, what models do you recommend for the main office and for the remote locations? Can the SonicWall be behind another NAT-capable device? The reason I am asking is because his office might be in a building where they have a T1 provided to all the offices. So I guess the feature I am looking for is "NAT Traversal"? If yes, do you know what ports will have to be forwarded to the SonicWall from the main router?

Thank you so much for your feedback.

12-27-04, 10:51 AM
Can the SonicWall be behind another NAT-capable device? The reason I am asking is because his office might be in a building where they have a T1 provided to all the offices. So I guess the feature I am looking for is "NAT Traversal"? If yes, do you know what ports will have to be forwarded to the SonicWall from the main router?

That could get sticky...as now we don't have 100% control of everything; the existing equipment in place for that frac T is unknown: the router, firmware, what they have in place, etc. I don't have an answer for you, as I've not had to cross this bridge myself; all my SonicWall installs have been directly to DSL. Just this weekend someone posted how they had a SonicWall that was tied into another with a router to router VPN, then they moved the SonicWall behind a Linksys NAT router...and the VPN broke. Even though they DMZ'd the SonicWall, it still didn't work. Though those humble little Linksys routers have been very compatible for me for VPN stuff. The SonicWall routers come with an option to use a special software client of theirs, the "Global VPN Client", which is what I use to manage a few clients of mine.

12-27-04, 05:37 PM
Cool..first question: do you have to pay for this Global VPN client? Second question: if my road warriors/remote offices are behind some sort of NAT device..say a Linksys router, they will be able to use the client and connect to the SonicWall without any problems, right? I've read somewhere that some VPN routers do not support NAT traversal...but I don't see how road warriors can get a static IP if they are in a hotel or something of that nature. Do you know what Aggressive mode means? Some router vendors claim that their VPN routers support this. Also I am thinking of tinkering with Openswan (open source IPsec VPN for Linux); do you have any experience with that?

Once again..thank you so much for taking the time to share your experience.

12-27-04, 07:11 PM
I've not had a problem with the SonicWall Global VPN client behind the various routers I've used at home and at the office. Linksys, Netgear, Netopia, Nexland, Symantec; it's worked fine behind NAT, even before the days of UPnP (NAT Traversal). As long as the routers permit VPN passthrough, which most do without problems. Routers deal with allowing VPN passthrough rather than dealing with it through UPnP.

I'm rusty on current costs, but yes, you pay per Global VPN client, though I believe it comes with 1x allowed connection out of the box.
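The question of which ports the building's front router would have to forward to a SonicWall sitting behind it was left open above. As an added example (not from either poster, and not SonicWall documentation), the script below prints the iptables DNAT and FORWARD rules a Linux NAT router would need to pass IPsec through to an inside VPN gateway. The interface name `eth0` and the gateway address `192.168.1.2` are placeholder assumptions; the ports themselves are the standard ones for IKE (UDP 500), IKE/ESP over UDP for NAT traversal (UDP 4500) and raw ESP (IP protocol 50).

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules that let an
# IPsec VPN gateway work when it sits behind a Linux NAT router.
# Interface name and gateway address are placeholders (assumptions).
#
# IPsec with IKE needs three things through the front router:
#   UDP 500    IKE (ISAKMP)
#   UDP 4500   IKE and ESP encapsulated in UDP (NAT-Traversal, RFC 3947/3948)
#   IP proto 50 (ESP) for peers that are not using NAT-T
# L2TP/IPsec (the built-in Windows XP client) carries L2TP (UDP 1701) inside
# the IPsec tunnel, so nothing extra is forwarded for it.

# Print the rules rather than applying them; pipe the output into sh as root
# on the front router to apply.
ipsec_forward_rules() {
    wan_if="$1"     # e.g. eth0, the front router's external interface
    vpn_gw="$2"     # inside address of the SonicWall / IPsec gateway
    for spec in "udp 500" "udp 4500"; do
        set -- $spec  # $1 = protocol, $2 = port
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
            "$wan_if" "$1" "$2" "$vpn_gw"
        printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$wan_if" "$vpn_gw" "$1" "$2"
    done
    # ESP has no ports, so match on the protocol alone.
    printf 'iptables -t nat -A PREROUTING -i %s -p esp -j DNAT --to-destination %s\n' \
        "$wan_if" "$vpn_gw"
    printf 'iptables -A FORWARD -i %s -d %s -p esp -j ACCEPT\n' "$wan_if" "$vpn_gw"
}

# Number of rules produced for a given interface/gateway (two per entry).
ipsec_rule_count() {
    ipsec_forward_rules "$1" "$2" | wc -l | tr -d ' '
}

ipsec_forward_rules eth0 192.168.1.2
```

Return traffic is handled by the front router's connection tracking, so only the inbound direction needs rules. Two caveats: the remote peers must be pointed at the building's public address, not the gateway's private one, and the gateway itself must have NAT traversal enabled so that it switches to UDP 4500 once it detects the NAT in the path; forwarding ESP alone is not enough for clients that are also behind NAT, such as road warriors in a hotel.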

12-31-04, 05:26 PM
Last question, man. What models do you use for your main office and for your satellite locations? I will need to get something that is capable of handling 25 concurrent tunnels. Also, how do you handle name resolution? Do you set up a WINS server or simply hardcode names in the lmhosts file?


01-01-05, 07:07 AM
Most of mine were done a few years ago with the SOHO3 models, which have been replaced by the TZW models. I've not had to do one with 25 concurrent clients...but their site has a product guide.

For name resolution....do you have a server running at the mothership? Is it hopefully a 2K/2K3 server running AD? If so, simply have its IP handed out as the DNS server, long as you have 2K/XP clients. 2K and higher keeps everything nice 'n simple with DNS.

If you have some old Win9X boxes kicking around...well, you'll want WINS also running and handed out, or as a poor mans WINS approach, edit the hosts files.

01-13-05, 09:16 PM
Hey man, I am going to bug you one more time. I am leaning toward getting the TZ 170. I just wanted to ask you a question about this: looks like if you are getting a 10 node license you are not getting any VPN client sessions unless you upgrade. So if I read this correctly, with a 10 node license I can only do 2 site-to-site and a maximum of 5 (road warrior) sessions? So let's say I get a 10 node license to get started; this number 10 means that I can only have 10 computers on my LAN behind the TZ 170??? It will not give out more than 10 DHCP leases? I looked at the specs of the TZ 170 and it looks like it supports L2TP over IPsec, so maybe I could use the built-in WinXP VPN client? Have you tried that? Any idea how the TZ 170 S is different from the regular TZ 170?

Thanks man

IPSec VPN, compatible with other IPSec-compliant VPN gateways

Bundled VPN client sessions:

* 10 node TZ 170: optional upgrade (maximum sessions: 5)
* 25 node TZ 170: 1 bundled (maximum sessions: 50)
* Unrestricted node TZ 170: 1 bundled (maximum sessions: 50)

Site-to-site VPN policies:

* 10 node TZ 170: 2
* 25 node TZ 170: 10
* Unrestricted node TZ 170: 10

3DES and AES performance: 30+ Mbps