VPN Solutions for Small/Medium Businesses?

Posted by Cliff on Tue Apr 25, 2006 10:29 PM
from the a-network-in-a-network dept.
artbeall asks: "I work for a small company and we are looking at various commercial VPN solutions, however many seem to be too expensive for us. I am interested in what solutions other small/medium size companies are using for their VPN. Of course, we want a SECURE system that is compatible with common network gear like Cisco as well as being able to run the VPN client on Linux, Solaris, and Windows. Does anyone have suggestions or ideas?"
  • One word: PIX (Score:4, Informative)

    by overlord2 (136876) on Tuesday April 25 2006, @10:33PM (#15202284)
    Depending on what you mean by a 'small' company, I would look into using a Cisco PIX 506E. On CDW right now, they're ~$830. It sounds like it would meet all of your needs. I've used the PIX 506E for several smaller sites and it 'just works.'

  • Try Hamachi. (Score:3, Informative)

    I've been trying Hamachi [hamachi.cc]. It seems to work as advertised. It makes a connection between a computer behind a hardware and software firewall with a cable ISP and another computer behind a hardware and software firewall with a DSL ISP. Both hardware firewalls have NAT (Network Address Translation. I know not everyone who reads Slashdot works with this.)

    However, the cable ISP is Comcast. Comcast, in this area, seems to throttle or stop anything besides HTTP traffic.
  • Openvpn (Score:4, Informative)

    by Anonymous Coward on Tuesday April 25 2006, @10:50PM (#15202343)
    Why not use openvpn ? We run this on Linux, Openbsd and Windows.
    • OpenVPN behind a NAT? by Futurepower(R) (Score:2) Wednesday April 26 2006, @12:54AM
      • More about OpenVPN behind a NAT firewall. by Futurepower(R) (Score:2) Wednesday April 26 2006, @01:13AM
      • Re:OpenVPN behind a NAT? (Score:4, Informative)

        by arivanov (12034) on Wednesday April 26 2006, @01:13AM (#15202763)
        (http://www.sigsegv.cx/)
        Bollocks.

        It works fine behind a NAT in either UDP or TCP mode. It has always worked. I have run it for road warrior access for a 3rd year now after switching over from an IPSEC/PPTP solution.

        If you use OpenVPN 2.0+ you can push options and manage everything from the server just like on a commercial VPN product. The only missing bit is the firewall management so you need to get a decent third party firewall.

        A measly 320£ worth Via C3 running OpenVPN can deliver 200+ clients with an aggregate client bandwidth of 50MBit+. The comparable Cisco device is a higher end PIX or a 3000 series concentrator which costs 5 times that.

        In addition to that with OpenVPN you can build a proper VPN infrastructure with failover, dynamic load balancing between tunnels, balancing between links, DDNS targets on either end, QoS to allow VOIP links in that, etc. With most IPSEC based solutions (including Cisco) you cannot get even close to that.
        [ Parent ]
      • Re:OpenVPN behind a NAT? by JamesTRexx (Score:3) Wednesday April 26 2006, @01:39AM
      • Re:OpenVPN behind a NAT? by Wudbaer (Score:3) Wednesday April 26 2006, @04:48AM
  • IPCOP (Score:3, Informative)

    by mcamino (970752) on Tuesday April 25 2006, @10:50PM (#15202345)
    Hey. We run a medium sized ISP out of Wilmington, Delaware and we have had GREAT luck using IPCOP and Linksys BEFSX41 endpoints. The Linksys routers are easy to set up and configure and they can be bought cheaply on eBay or any Staples or CompUSA. IPCOP is completely Linux based. The setup is more idiot proof than a Windows install, and it has a web based admin which rivals standard stand-alone routers. IPCop can run on tons of hardware configurations. We personally run it with 5 network cards and it handles the VAST MAJORITY OF OUR ROUTING needs. Did I mention IPCop is free? Give it a try.
    • Re:IPCOP by mmurphy000 (Score:2) Wednesday April 26 2006, @06:16AM
    • Re: IPCOP -- I Second That (Score:5, Informative)

      by InitZero (14837) on Wednesday April 26 2006, @08:45AM (#15204191)
      (http://matt.steinhoff.net/)
      I have used IPCop for many, many months. With the OpenVPN addon, it makes a sweet RoadWarrior setup. The OpenVPN GUI is even easy enough for our executives to use.

      For us and our 30-something employees, it cost us nothing to put IPCop online. It ran for a year on a P-III/700MHz/256M Dell. We recently upgraded the RAM to 768M so we could make better use of the Squid cache.

      You can get an IPCop server online with VPN in under an hour. As long as you have a computer in the spare parts closet, IPCop is far less expensive than any other solution.

      Matt
      [ Parent ]
    • Re:IPCOP by EvilNight (Score:2) Wednesday April 26 2006, @09:00AM
  • PPTP (Score:2)

    by mnmn (145599) on Tuesday April 25 2006, @10:54PM (#15202358)
    (http://ghazan.hazara.org/)
    Since it's a small company, I assume you use a Windows 2000 or 2003 domain. Use an OpenBSD box that redirects PPTP connections to the Windows server.

    Sure there are superior systems but they don't necessarily 'fit' into the small business Wintel setup. If you're running an all Linux network, you wouldn't be asking this question and you sure as hell wouldn't look around for commercial offerings.

    If your users are OK with typing in an extra password, use OpenBSD's own SSH or ipsec based VPN, and L2TP on the client windows side.
    • Re:PPTP by Nova1313 (Score:1) Tuesday April 25 2006, @10:58PM
      • Re:PPTP by xaoslaad (Score:1) Wednesday April 26 2006, @05:22AM
    • Re:PPTP by karlto (Score:1) Tuesday April 25 2006, @11:05PM
  • Cisco VPN 3000 (Score:5, Informative)

    by anderiv (176875) on Tuesday April 25 2006, @10:57PM (#15202380)
    At work (~90 employees...I guess that would qualify as medium-sized??) we use a Cisco VPN 3000 Concentrator. It's been rock-solid for us for two years now, and I'd highly recommend it. If you want to go the VPN-client route, Cisco has official clients for Mac, Windows and Linux, but the box is also compatible with the PPTP VPN clients that come with most modern operating systems and it's also fully IPsec compatible. So...for example, if you wanted to, you could set up a Linux gateway at home that would connect to your work VPN and establish a LAN-to-LAN VPN link.

    If this proves to be too expensive, you ought to look at OpenVPN. It's quite stable at this point, and they have clients for Windows, Mac and Linux as well. You'll have to have some amount of knowledge of Linux networking/firewalling to get it set up right, but there's plenty of documentation out there to guide you.
  • DIY VPN (Score:4, Informative)

    by strredwolf (532) on Tuesday April 25 2006, @10:57PM (#15202381)
    (http://stalag99.net/ | Last Journal: Tuesday August 14, @12:20PM)
    I've set up a PPTP VPN using a Ubuntu 5.10 server and PoPToP. All you need is to port forward the PPTP port to the set-up server.

    Windows has the client native to the system. Linux can compile PPP and the PPTP client, and with kernel 2.6.15+ you don't need to patch the kernel to get MPPE encryption/compression. Solaris, alas, needs some patching. I googled this:

    http://mcarpenter.free.fr/Dev/pptp.php [mcarpenter.free.fr]

    All works fairly well.
    • Re:DIY VPN by edwdig (Score:1) Tuesday April 25 2006, @11:40PM
      • Re:DIY VPN by strredwolf (Score:2) Monday May 08 2006, @09:56PM
  • Poptop (Score:4, Informative)

    by PAPPP (546666) on Tuesday April 25 2006, @11:04PM (#15202402)
    If you want good integration with Windows (read: PPTP), and want to keep it on a nice cheap *nix box, try Poptop [poptop.org]. Runs on most any *nix, entirely compatible with the builtin PPTP support in recent versions of Windows. I've been running it for my own purposes (admittedly not on a "small business" scale, only one or two users) for years on a modest Linux box and it hasn't given me any trouble connecting from WinXP or Linux clients.
    • Re:Poptop by Firehawke (Score:2) Wednesday April 26 2006, @01:14AM
  • Windows Server 2003? (Score:1, Informative)

    by Anonymous Coward on Tuesday April 25 2006, @11:05PM (#15202406)
    I'm not sure if you are using Windows Server 2003 on site, but if you have a license to it then Microsoft already has a VPN solution. See this how-to:
    http://blog.hishamrana.com/2006/04/07/how-to-windows-2003-vpn-server/ [hishamrana.com]
  • OpenVPN (Score:5, Informative)

    by peacefinder (469349) * <aland&hevanet,com> on Tuesday April 25 2006, @11:17PM (#15202452)
    (http://peacefinder.net/ | Last Journal: Wednesday October 24, @04:06PM)
    Go to openvpn.net. It's very straightforward to get a multiuser openvpn server up, using pre-shared keys or certificates. It's free, it's simple, it's multiplatform, and it's sufficiently secure for business purposes.

    (However, if by "compatible with common network gear" you mean you need to host a VPN endpoint on a Cisco box, then OpenVPN probably won't work. If you can pass the connection through a firewall to a DMZ server, though, it should work fine.)

    If you want a completely free solution, use OpenVPN hosted on an OpenBSD (or other free OS) firewall.
    • Re:OpenVPN by jamesh (Score:3) Wednesday April 26 2006, @06:22AM
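    As an added example (not peacefinder's own configuration, nor one shipped by the OpenVPN project), a minimal certificate-based multi-user server/client pair of the kind this post describes, including the server-side "push" of options mentioned in arivanov's reply above; the hostname, address ranges and file paths are assumed placeholders.

    ```conf
    # ---- server.conf (assumed placeholder paths and addresses) ----
    port 1194
    proto udp                       # UDP is fine behind NAT; use "proto tcp" only if UDP is blocked
    dev tun
    # One CA signs the server certificate and one certificate per user
    ca   /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key  /etc/openvpn/server.key    # private key, keep it mode 0600
    dh   /etc/openvpn/dh1024.pem
    # Revocation list: a lost laptop's certificate is revoked here, nobody else is reissued
    crl-verify /etc/openvpn/crl.pem
    # Extra HMAC on the TLS control channel: packets without the shared key are dropped
    tls-auth /etc/openvpn/ta.key 0
    # Address pool handed to connecting clients
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /etc/openvpn/ipp.txt
    # Managed from the server: clients learn the office route and DNS from here
    push "route 192.168.1.0 255.255.255.0"
    push "dhcp-option DNS 192.168.1.10"
    keepalive 10 120
    cipher AES-256-CBC
    comp-lzo
    max-clients 50
    # Drop root privileges once the tunnel is up
    user nobody
    group nogroup
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 3

    # ---- client.conf (one per user, with that user's own certificate) ----
    client
    dev tun
    proto udp
    remote vpn.example.com 1194     # assumed hostname
    resolv-retry infinite
    nobind
    ca   ca.crt
    cert alice.crt
    key  alice.key
    tls-auth ta.key 1               # key direction 1 on the client, 0 on the server
    ns-cert-type server             # refuse a peer presenting a client certificate as the server
    cipher AES-256-CBC
    comp-lzo
    persist-key
    persist-tun
    verb 3
    ```

    The client-side "ns-cert-type server" check is what stops one issued user certificate from being used to impersonate the server to other users.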
  • I really like OpenVPN [openvpn.net]. It works as a client or a server on Windows, Linux, FreeBSD, Mac OS X, and other operating systems, and it is pretty easy to install, configure, and run. I just followed the how-to [openvpn.net]. It operates over UDP or TCP, you can tunnel it through HTTP or SOCKS proxies, and the server can use any cipher or hash available in the OpenSSL library. PPTP is ubiquitous, but it has serious flaws [schneier.com]. IPSEC is supposed to be standard, but interoperability is a configuration nightmare (especially if you try to do something complex, like use X.509 certificates, or something non-standard, like authenticate users against RADIUS). Firewall/NAT traversal can present serious challenges in some cases as well, as some firewalls can't handle non-TCP/UDP protocols. CIPE requires special support in the operating system kernel [sites.inka.de] and only works on Linux and Windows, and tunneling TCP over TCP (when running PPP over SSH) is a really bad idea [sites.inka.de].

    I'm using OpenVPN to tie routers running OpenWRT (Linux) [openwrt.org], routers running FreeBSD, and workstations/laptops running Windows, FreeBSD, and Mac OS X together. It works flawlessly.

  • My Experience (Score:3, Informative)

    by Anonymous Coward on Tuesday April 25 2006, @11:35PM (#15202510)
    Maybe I'm just an idiot, but OpenVPN was difficult to sort out in the beginning. There really needs to be a quick setup guide that'll get you running in under 10 minutes. If not that, then maybe a GUI solution that's better than what currently is in place, especially for Windows installations. If this was done, I can imagine that OpenVPN would gain much more wide acceptance.

    I've heard people have much success with Linksys VPN routers. But Cisco VPNs will always be a sure bet.
  • Astaro (Score:3, Interesting)

    by dracocat (554744) * <dracocat@hotmail.com> on Wednesday April 26 2006, @12:08AM (#15202608)
    I have definitely become a fan of Astaro [astaro.com]. It is not free, but in my opinion very reasonable, and worth the cost in time savings. It works with the built-in Windows client, and the thing pretty much installs and sets itself up. They have a free 30-day full featured demo, and the entire thing is free for "home use".

    Did I mention I have become a huge fan? or was it already obvious?
  • not enough info (Score:1)

    by dwater (72834) on Wednesday April 26 2006, @12:09AM (#15202613)
    you don't tell us enough about your proposed VPN topology...

    still, OpenVPN can do it all, so I vote for that.
  • *shrug* (Score:3, Informative)

    by Theatetus (521747) on Wednesday April 26 2006, @12:14AM (#15202625)
    (Last Journal: Tuesday February 24 2004, @06:10PM)

    Small company? Then either openswan or PPTP on a commodity server. No need to take sledgehammers to a cockroach.

    • Re:*shrug* by Akardam (Score:2) Wednesday April 26 2006, @10:48AM
  • DUPE.

    http://slashdot.org/comments.pl?sid=182998&cid=15123283 [slashdot.org]

    I know, I know, that one said "distributed". Sheesh. My answer remains the same. OpenVPN, like 90% of the answers here. :P

    I'm not being cynical. I'm just tired. :D
  • M$oft. (Score:4, Funny)

    by ikejam (821818) on Wednesday April 26 2006, @12:42AM (#15202688)
    MS ISA Server.

    HEY I'm just providing an alternative.
    • Re:M$oft. by Habahaba (Score:1) Wednesday April 26 2006, @01:37AM
  • I'm the systems admin (domain admin. donning asbestos suit.) for a small/medium business in New Orleans. We use one Netscreen25 [netscreen.com] in our main office downtown. That gives us granular control over individual users' security policies if desired, but I'm in the process of moving them all to a single policy to ease administration. The box can maintain 125 concurrent tunnels. It can do quite a bit of other craziness as well, but I haven't worked here long enough to get deep into it. Too much other stuff to do. Not absolutely certain about the cross-platform client, so you can look that up yourself. ;)

    In addition to the individual user VPNs, the Netscreen maintains persistent tunnels to two remote sites. They're equipped with Netgear ProSafe FVL328 [netgear.com] routers. Less capable with low(er) throughput, but the branch end has to deal with a whole lot less traffic. The NS downtown maintains security with its lesser peers, too.

  • Hamachi (Score:2)

    by marcushnk (90744) <senectus&gmail,com> on Wednesday April 26 2006, @12:56AM (#15202719)
    (http://www.modmeup.net/ | Last Journal: Tuesday September 23 2003, @12:35AM)
    Hamachi is pretty much what you're looking for.

    Or if you like to stuff around, OpenVPN.
    • Bah Hamachi! by laytoncy (Score:1) Wednesday April 26 2006, @10:54AM
  • by foQ (551575) on Wednesday April 26 2006, @01:07AM (#15202747)
    I was just looking for something to do this same thing. I haven't solved the problem yet, but Netgear and Linksys have some inexpensive stuff. I ordered the Linksys RV042 and it should arrive today. I'm anxiously awaiting setting it up and testing it because of the Dual WAN functionality. My second internet connection should arrive on Thursday :)

    http://www.netgear.com/products/business/prod_vpnrouter_wired_security_sb.php [netgear.com]
    http://www.linksys.com/servlet/Satellite?c=L_Product_C1&childpagename=US%2FLayout&cid=1117775454480&pagename=Linksys%2FCommon%2FVisitorWrapper [linksys.com]
  • repost (Score:1)

    by Abstract (12510) on Wednesday April 26 2006, @01:19AM (#15202774)
    (Last Journal: Saturday July 01 2006, @07:56AM)
  • m0n0wall (Score:1, Informative)

    by Anonymous Coward on Wednesday April 26 2006, @01:58AM (#15202861)
    I set up an IBM x300 server and m0n0wall [m0n0.ch] as my router and it has worked fantastically. It supports IPSec tunnels, as well as PPTP connections. I have two IPSec tunnels to remote sites which both have PIX routers (501 and 506E), as well as connections from remote PPTP clients, which is easy to set up, and I have never had any problems. Highly recommended for anyone looking for both a simple and powerful solution.
  • by LinuxWeenie (614599) on Wednesday April 26 2006, @07:51AM (#15203858)
    You might want to consider the Java based SSL Explorer [3sp.com] as a possibility. No client side code is required, just a browser and one hole punched through the firewall to the server.

    LW
  • Is it just me... (Score:2)

    by ocbwilg (259828) on Wednesday April 26 2006, @07:58AM (#15203903)
    Or is this just a stupid question? Every firewall product I have seen in the past 5 years (I have used NetScreen, Watchguard, Fortinet, Cisco PIX and Cisco ASA units) has IPSec VPN capability built in. IPSec is a standard and is supported in a wide variety of clients available on just about every operating system. Being a standard it is also compatible with other firewall/VPN vendors' implementations of IPSec. Assuming that your small/medium business has a firewall, just use what it has built in. License copies of their client software for your PCs, or use a free/OSS alternative. It's not rocket science.

    My small business (300 users) has a Fortigate 400 used for our Internet connection (a pair of T1 circuits). We run Fortinet's VPN client for about a dozen remote workers. The same device also manages persistent VPNs with about a half-dozen business partner companies. Performance isn't an issue. Before we had the Fortigate we were using NetScreens (now Juniper Networks I believe), and we were still using the NetScreen IPSec clients for remote workers 2 years after we switched to the Fortigate firewall. IPSec is pretty much IPSec, and they all talk to each other.

    The only thing that I would add to what has been said here is that if I were to buy a Cisco device I would go with an ASA instead of a PIX. You usually get more features for the same or less money with an ASA.
  • IPCop works (Score:2)

    by Eil (82413) on Wednesday April 26 2006, @08:07AM (#15203959)
    (http://bityard.net/ | Last Journal: Thursday August 08 2002, @04:18PM)
    I was asked by my boss to evaluate VPN between the red interfaces of two IPCop [ipcop.org] machines. Talk about simple. I don't know exactly how well it scales, but it can't be horrible. Today, one of my tasks is to find out if and how well it works with m0n0wall and in roadwarrior configuration.
  • by C_Kode (102755) on Wednesday April 26 2006, @08:17AM (#15204008)
    (http://slashdot.org/ | Last Journal: Wednesday June 14 2006, @01:11PM)
    There isn't enough information provided, but it sounds like a pretty small operation and simplistic setup sounds like what you need.

    A main office with several small satellite offices (or small retail stores): I would suggest a SonicWall product (or NetScreen). Small remote offices can use the small single point VPN TZ series devices that allow a single site-to-site VPN, and the main office can use a larger product like the 2040 or the 5060, which support I believe 50 and 2000 VPN sessions respectively (with several models in between). There are many products out there that will work. SonicWall's products are very easy to use and aren't that expensive.

    If you are just looking for personal VPNs to the office network, SonicWall also offers VPN software that you can install on laptops/desktops. Their VPN is IPSec so it will support any IPSec client (Linux, etc) without the need to purchase software. Their software is very easy to use. That's why I brought it up.
  • IPCop + OpenVPN (Score:2)

    by rtos (179649) on Wednesday April 26 2006, @08:37AM (#15204134)
    (http://thinkhole.org/import/)
    Secure VPN goodness in ten easy steps: IPCOP-OpenVPN HOWTO [thinkhole.org].

    Free, it works great under both Windows and Linux, and you don't need to be a computer whiz to setup your laptop to connect to it. Good stuff.

  • by WuphonsReach (684551) on Wednesday April 26 2006, @08:41AM (#15204161)
    One of the big issues with VPN technologies is the NAT routers that protect home offices. The corporate office side is easy, just punch the appropriate holes in the firewall and the remote clients can easily connect to the network.

    Where things fall apart is that you have multiple laptop users who are behind their own NAT routers at their homes. You need to use VPN software on the laptops (not on the NAT routers) because you only want their work machines connecting in. That's easy enough, until you run into a situation where you have 2 or 3 users who get together and collaborate frequently behind a single NAT router.

    It seems like PPTP (maybe SSL?) was better suited for situations where you might have multiple users VPN'ing in from the same source IP address (hidden behind a NAT router, such as an ad-hoc meeting in someone's house or multiple users meeting in a coffee shop). All of my readings on IPSec indicated that IPSec can't handle that particular usage style.

  • snapgears! (Score:4, Interesting)

    by alta (1263) on Wednesday April 26 2006, @08:43AM (#15204166)
    (http://www.outpimp.com/?x=481655731 | Last Journal: Thursday December 08 2005, @12:13PM)
    Cyberguard bought SnapGear, but they still sell the same products. These are great little boxes that we used to set up a 7 office network across the state of Alabama across whatever networks were cheapest (cable, DSL, T1).

    We had 530s in each of the hub offices and a 575 in the main office. (Still have the 575, have since closed all the branches) I still have the 530s and I refuse to sell them because they are such nice little boxes. I'm going to take one home and make it vpn back to here.
  • by chargrilled (468628) on Wednesday April 26 2006, @08:57AM (#15204255)
    We have 2 vpn methods. Our main vpn is a hub and spoke topology where our branch offices all connect into our corporate hq. What we use in this case are cheap off the shelf Netgear routers + either dsl, cable, or T-1 connections to our corporate hq which has 3 T-1 lines bonded. The branch routers are FVS318v3 (the v3 is very important much improved processor + ssl for remote mgmt). Our hq uses a FVX538 which has fail-over and load balancing capabilities. I know some do not like Netgear but we have been using this solution for 5+ years and have had very little down time. Plus the routers are cheap so you can keep a hot spare on hand. Now our other solution for out of office work is SSL Explorer which is an open source ssl vpn. It works pretty good and if you want AD authentication you can purchase the "xtra" add on. Hope this helps!
  • by kvsnut (68323) on Wednesday April 26 2006, @08:58AM (#15204263)
    I have a very small business with three locations (one is my home). The ISP connection varies some are Comcast some are Verizon residential DSL.

    As I see it I have three problems. 1. The IP address will be dynamic from the ISPs and 2. Most of the PCs are running Win XP Home 3. Would prefer a no cost solution

    I would like to be able to remote desktop (ie control/access) any PC from any location.

    I have successfully installed http://hamachi.cc/ [hamachi.cc] Hamachi to address the dynamic IP issue but am working on the XP Home issue (ie. RD server only in XP Pro). I recently downloaded http://ultravnc.sourceforge.net/ [sourceforge.net] UltraVNC but I'm lost after the installation. What application do you use to start the desktop sharing?

    Most of the PCs are behind a Linksys router, some are behind a Linksys router then a Linksys wireless router.

    I've played with dyndns.org and no

    I'm not a CCNE but I'm no schlub any help would be appreciated.
  • racoon ISAKMP daemon (Score:3, Informative)

    by Jizzbug (101250) on Wednesday April 26 2006, @10:09AM (#15204820)
    racoon is a very good Internet Security Association Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) daemon. It is used to auto-negotiate keys for IPsec sessions.

    At work we have three VPN concentrators built using Linux and racoon. Two are configured as normal tunnel-mode concentrators, using fully-qualified usernames on the endpoints for authentication. One of these is for employees, the other is for customers. We are able to use any commodity VPN endpoint device which supports IKE identifiers (for example, Netgear FVS114).

    We also have a third concentrator which is configured to use Xauth and /etc/passwd for authentication. This concentrator allows the Cisco VPN Client software to connect into the network for Road Warrior style access (also does much better with NAT traversal than tunnel-mode IPsec).

    It's a pretty kick ass setup, actually. In particular, you don't have to have a Linux/BSD box or other PC at every endpoint location, just lil' IPsec-enabled gateways/routers (Netgear FVS114 is the best I've found so far, even other Netgears like FVS318 devices suck or are broken).
  • pfSense (Score:1)

    by Obstin8 (827030) on Wednesday April 26 2006, @01:14PM (#15206416)
    Check out http://pfsense.org/ [pfsense.org]. FreeBSD 6.x based, uses pf packet filter, supports multiple VPN protocols, runs on embedded hardware as well.

    Running it now on Soekris Net-4801 device http://soekris.com/ [soekris.com]. Sweet. Smooth.

  • by bec1948 (845104) on Wednesday April 26 2006, @04:16PM (#15207854)
    (http://www.theedison.com/)
    You don't state how many users you have, whether you're using the VPN for site to site or user access, but: I just read about the Sonicwall SSL-VPN 200. Since it's SSL it doesn't need a client installed on your users' machines and is much easier to configure than the Cisco. For Windows users, there's even an applet that allows TCP/IP applications to connect to their servers. I've not tested it, but for $600 bucks it's not too bad a deal and Sonicwall has always made good hardware. If you already have a firewall, this could be a good bet. We're using a low end Cisco PIX - the 510 with the Cisco VPN client. It works too. We generally only have one or two people connecting through the VPN at any one time.
  • by Anonymous Coward on Wednesday April 26 2006, @05:02PM (#15208172)
    OpenBSD vpn(8) man page [openbsd.org]
    Zero to IPSec in 4 minutes [securityfocus.com]
    OpenBSD IPSec with Cisco HOWTO (slightly old, but may still be useful to you as a pointer in the right direction) [wilbury.sk]
    And don't forget to check out the mailing list archives [theaimsgroup.com]

    I use OpenBSD on my Soekris firewalls and they run very well indeed.
  • Mac OS X Server (Score:2)

    by csoto (220540) on Wednesday April 26 2006, @07:29PM (#15208982)
    Has easy-to-use built-in PPTP and L2TP VPN that works with Windows, Mac OS X and Linux clients. It also includes nice goodies like Apache, Samba, Directory Services, Jabber Server, etc.

    Of course, you need a Macintosh to run it. I would suggest a Xserve G5. They're very nice. But any 'ol Power Mac or Dual Core will do...
  • OpenSSH (Score:1)

    by darkuncle (4925) <`darkuncle' `at' `gmail.com'> on Thursday April 27 2006, @11:03AM (#15212937)
    (http://darkuncle.net/)
    as of version 4.3 (released a few months ago), OpenSSH can now tunnel _any_ arbitrary traffic (including layer 2 traffic) over SSH. The syntax is about as simple as traditional SSH port forwarding, although the developers note that it may not be suitable for latency-sensitive apps (e.g. VoIP) due to the crypto overhead.
  • How small? (Score:3, Informative)

    Are we talking 5-10 man offices, over a DSL line?

    Get a WRT54G. Run DD-WRT. Use either the PPTP server or OpenVPN.

    Done and done.

    Of course, your WRT54G won't handle more than 10 users or so; you'll want to switch to a dedicated box or router for that. But you can't beat it in terms of cost/availability -- you can get this sucker up and running in 5 minutes flat, pick one up from Best Buy for ~$50, and there are no moving parts whatsoever.

    For a very small office, it's great. For a series of small offices in a larger company, it's okay too. We use this sort of segmented VPN in our offices because of bandwidth reasons; we don't have enough uplink at any given location to really set up a better solution, and we can't financially justify purchasing more than 1 Mbit/s of uplink anywhere.
  • pfSense (Score:2)

    by rainer_d (115765) on Thursday April 27 2006, @06:30PM (#15216990)
    (http://www.i-duffner.de/)
    pfSense [pfsense.org], now in late beta, is the solution.
    It's FreeBSD 6.1 + OpenBSD's pf + ALTQ traffic shaper + IPSEC + PPTP + CARP + lots more stuff all wrapped into an easy to understand interface.
    Forget about all the other firewall "GUIs" (or lame attempts at GUIs) you've seen before, especially for the unreadable, ever-changing Linux-firewall engines.
    pfSense has the performance, the feature-set, the reliability and the usability to be a real Checkpoint- and Netscreen-killer.

    One quote from the mailing-list says it all: "I tested all the firewalls and GUIs that are available on freshmeat - and pfSense was the only one that didn't suck".

  • Citrix Access Gateway (Score:3, Interesting)

    by PFactor (135319) on Friday April 28 2006, @07:00AM (#15219836)
    (Last Journal: Wednesday January 22 2003, @08:09AM)
    Citrix bought a company called Net6 a couple of years ago. Net6 made an SSL VPN "appliance", which runs a hardened Linux OS. Citrix rebranded it as the "Citrix Access Gateway", or CAG.

    The 1st iteration was not so good because they rushed the rebranding and integration stuff. The 2nd and 3rd iterations were OK.

    The latest revision is quite good. It supports around 2000 concurrent users, has easy to use yet powerful access controls and integrates nicely with Citrix's Presentation Server 4 product.

    The cost is pretty good: the box is $2500 and licenses retail for around $100/concurrent user. If you have 100 users and your highest expected concurrent remote access count is 25, your cost would be $2500 + 25 x 100 = $5,000. If you buy 2 boxes (they have a built-in failover mechanism for redundancy), the cost would be $7500.

    I work for a major healthcare provider and we're replacing Cisco VPN concentrators with the CAG. We bought 4 CAGs and are using Citrix's Advanced Access Control (AAC) product to integrate the CAGs with our internal portals (AAC makes the cost go up pretty high, though). We have around 40,000 users and our max concurrent remote users is currently around 4,000.

    Check it out: http://www.citrix.com/English/ps2/products/product.asp?contentID=15005 [citrix.com]

    And no, I'm not the CEO of Citrix in disguise. I just believe in their products; we've saved a ton of $$$ using them!

  • VPN (Score:1)

    by eszjam (971513) on Friday April 28 2006, @08:12AM (#15220146)
    Anyone can teach me how to build a VPN from the beginning .. please :(( Thx