Adding VPN Router to Existing Network

**sheider** · 01-16-07, 04:08 PM

We would like to add VPN capability to our existing network. Only 2-5 people will need to connect in remotely to the office from either a home network or a hotel while traveling.

The current router is a Linksys BEFSX41. It accepts two incoming connections now: Terminal Services (to a Windows Server 2003 server) and an FTP server (Gene6FTP). Remote access with Terminal Services will continue even after the VPN is setup.

The phone system was recently switched to VoIP. Employees can bring an office phone home with them, plug it into their router, and still be a part of the office phone system as if they were in the office.

Because the current BEFSX41 router has been configured for 2 incoming connections plus the IP phones I am hesitant to change or replace it. I am confident that I could replace the router (done it many times over the years) with an all-in-one VPN router but I am looking for the safest course of action. Correct me if I am wrong, it seems that adding a separate VPN device to an existing network would be safer than replacing a working router??

I have read a lot of posts in this forum, looked at using the VPN built-in to Windows Server 2003, considered using an old computer for a Linux-based VPN, and am now considering a VPN appliance such as the Linksys RV0 and RVL products.

The simplest approach for us at this point seems to be a VPN appliance. I think either IPSec or SSL would be preferable. Is SSL better than IPSec? The home and traveling employees all have Windows XP Pro and 99% of the time will be behind a router.

My primary question is: How much work is involved in adding a VPN appliance such as the RV0 or RVL in an existing network?

I read much of the RVL200 users guide and it seems that the Domain Controller needs to be updated with additional software. From the example diagrams I was not able to find a scenario that matches our environment.

Any info would be greatly appreciated. Thanks!

Stephen

***YeOldeStonecat*** · 01-17-07, 07:01 AM

My course of action would be to replace the befsx41 with an RV082 or RV016.

They both have built 5x built in licenses for PPTP VPN, and 15x built in licenses for the IPSec based Linksys QuickVPN client. (the 016 is 15..I believe the 082 is also 15...maybe 10). QuickVPN licenses can be added in chunks of 50.

The PPTP VPN is bulletproof and rock solid. The IPSec VPN..you might have to clean up the machines a bit..as like any other IPSec VPN software, it does not like to co-exist with any other IPSec client software on the same PC. And if the tcp stack/winsock has been touched by any malware...needs to be cleaned up.

I've installed quite a few hundred of the sx41 routers..much as I loved them...they're a bit long in the tooth now, an old model, and IMO lacking in features of todays small business routers. I like to do VPN on the hardware level, and for small business networks..it makes sense IMO to have one router/gateway appliance that does the VPN. The RV0 models have so much horsepower too...can handles high loads well.

Adding an RV0 to an existing network is just as easy as it was to add your sx41.

Another alternative..you mention SSL...can always have some fun, take an old PC, and build your own SSL VPN appliance...open source "SSLExplorer"
http://sourceforge.net/projects/sslexplorer/
SSL VPN is becoming popular, no client software needed..just point your web browser to it.

**sheider** · 01-17-07, 07:33 AM

Thanks for the info. I like hearing that the PPTP is 'bulletproof' as the client software is already on all Windows XP computers. I had previously thought that PPTP was not very strong and could be broken over time. I will look into getting an RV0 VPN router.

With the RVL routers using SSL (which uses the browser's SSL), once an employee's username and password are verified, does the browser have to remain open throughout the session? Or, does the browser only establish the SSL VPN connection and then the connection will remain connected until the employee specifically logs out?

With PPTP I believe that an employee can either make a VPN connection to the office without a full domain login (the home computer does not ever have to join the office domain)... or they can make a full/regular domain login from their home computer (computer must already be joined to the domain) just like they do at the office.

Does the home user have the same two remote logins options when using SSL?

If the RV0 and RVL are both within budget and we had to pick one, it seems that the RVL would be the better choice because there is no client software needed. Is this a correct assumption?

Thank you.

Stephen

***YeOldeStonecat*** · 01-17-07, 07:48 AM

Originally Posted by sheider

Thanks for the info. I like hearing that the PPTP is 'bulletproof' as the client software is already on all Windows XP computers. I had previously thought that PPTP was not very strong and could be broken over time. I will look into getting an RV0 VPN router.

I should rephrase this..when I say "bulletproof"..I mean, it works reliably.

For security...yes PPTP is considered less secure. However...IMO, consider two things.
*How you're using it...are you a part time connection? Dial in for an hour or two from home, or from the hotel, to check things? This means "dynamic"..you're brief, always coming from a different IP address, no 24x7 tunnel running. IMO PPTP is fine for this.
*What are you running through this tunnel? Do you VPN in so you can remote desktop to a terminal server or to your workstation? In that case..your remote desktop connection itself is secured. So PPTP IMO is fine for that. However..say you're transmitting information such as health care records or something...well, in that case, you need to follow stricter guidelines. For example...a large health care client of mine..they have nurses that do home visits. When they get home..they VPN into the office..and their software "synchs" with their servers to replicate. I'd never allow this over just PPTP, IPSec is a must for this situation.

The client software already comes with the routers...so doesn't affect the decision cost-wise. The QuickVPN client is a free download.

I have not deployed the RVL series yet...so I have no experience with this unit...I'm waiting for it to mature a bit more.

**sheider** · 01-17-07, 09:17 AM

In reviewing the RV082 and RV016 it looks like the RV016 is what we need because it has the ability to define Classes of Service - page 38 of user guide "IP Group (By Users)". This allows greater bandwidth for specific IPs, in our case our IP phone system.

A quick glance at buy.com has the RV082 at $300 and the RV016 at about $700. Just so I understand, the RV082 cannot be configured to allow IP phone traffic greater bandwidth (we only have 1 ISP)?

Thank you.

Stephen

***YeOldeStonecat*** · 01-17-07, 09:28 AM

That's a little steep for the RV016...granted I purchase at wholesale prices..but I don't resell them for anything near that. 7 hundge...ouch! Keep shopping, you can find for low to mid 4's.

They do have some good QoS features..but I've not had to fiddle with that, at default settings it's been fine for IP telephone the couple of times I've used it. 533MHz processor..she has some horsepower.

If you do get an RV0...make sure you upgrade the firmware to the latest..in August they released a major firmware overhaul on a new platform, and have since had a few minor upgrades.