<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>&#x22;Split Tunneling&#x22; w/Hardware VPN Appliance? in Virtual Private Networking</title>
<link>http://www.dslreports.com/forum/r21090389</link>
<description></description>
<language>en</language>
<pubDate>Wed, 11 Nov 2009 08:47:05 EDT</pubDate>
<lastBuildDate>Wed, 11 Nov 2009 08:47:05 EDT</lastBuildDate>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21103613</link>
<description><![CDATA[<A HREF="/useremail/u/431519"><b>Anav</b></A> : Although the zyxel zywall 2plus is an excellent choice for small satellite office to a large office or home to both, it is not capable of SSL VPN (IPSEC only).  The USG series (100/200/300/1000) does both SSL and IPSEC, but the cost is significantly higher.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21103613</guid>
<pubDate>Sat, 13 Sep 2008 11:21:28 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21100024</link>
<description><![CDATA[<A HREF="/useremail/u/226051"><b>bbarrera</b></A> : <div class="bquote"><small>said by  dsaunder <A HREF="/useremail/u/662568"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>My understanding is that my company presently connects road warriors via SSL and offices via IPSec -- all using SonicWall.  Clearly, if I'm to petition for a hardware connection (to hopefully provide better throughput than my current SSL client software), I'll need to ask my IT department to specify the equipment and perform the configuration.</div>My guess is that if they are open to a VPN router, you'll be getting a low-end Sonicwall with a dedicated 'work port' for connecting to the office and that will likely put you back to where you started, without split tunnel operation (unless they are willing to lower security policy and allow split-tunnel operation). The work port will put your laptop on a separate network from the rest of your LAN.<br><br>There are some security advantages to preventing split-tunnel, so it will be interesting to see if they allow it. In the past I've resorted to using two computers, one for web surfing and downloads and the other with Cisco VPN client (and all traffic routed to work). Then all you need is a USB thumb drive to transfer files.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21100024</guid>
<pubDate>Fri, 12 Sep 2008 14:53:34 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21099879</link>
<description><![CDATA[<A HREF="/useremail/u/662568"><b>dsaunder</b></A> : Many thanks, Tubbynet, Bbarrera and Lasko for your informative replies!<br><br>My understanding is that my company presently connects road warriors via SSL and offices via IPSec -- all using SonicWall.  Clearly, if I'm to petition for a hardware connection (to hopefully provide better throughput than my current SSL client software), I'll need to ask my IT department to specify the equipment and perform the configuration.<br><br>You've made it clear that there's no opportunity for "self help," here.<br><small>--<br>-David-</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21099879</guid>
<pubDate>Fri, 12 Sep 2008 14:28:37 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21099750</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> :  <blockquote><small>quote:</small><hr>The real issue is your IT department's remote access policy and their willingness to support you.<hr></blockquote>This is key.  Ask your IT department which HW devices they will be willing to work with.  You will need their help with the necessary parameters to configure your device (IPsec has many options and the options need to match at both ends).<br> <blockquote><small>quote:</small><hr>Split-tunnel operation opens another threat vector to the corporate LAN, so they may only allow software VPN clients to enforce their 'no split-tunnel' policy<hr></blockquote>While the first part is true, the second part (require a SW client) is in no way related to the first.  Any HW device capable of doing split-tunneling should also be capable of being configured to not allow split-tunneling.  If the HW device cannot be configured to allow or disallow split-tunneling as desired by the user, then it is not worth considering except for its potential scrap value.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21099750</guid>
<pubDate>Fri, 12 Sep 2008 14:06:03 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21099118</link>
<description><![CDATA[<A HREF="/useremail/u/226051"><b>bbarrera</b></A> : <div class="bquote"><small>said by  dsaunder <A HREF="/useremail/u/662568"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>Can anyone offer specific VPN router models that they know have this capability?</div>By default every VPN router I've worked with will route traffic to Internet unless it is destined for VPN.<br><br>The real issue is your IT department's remote access policy and their willingness to support you. Split-tunnel operation opens another threat vector to the corporate LAN, so they may only allow software VPN clients to enforce their 'no split-tunnel' policy and you can buy hardware and find it won't connect because they won't configure the Sonicwall to support it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21099118</guid>
<pubDate>Fri, 12 Sep 2008 12:26:37 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21099058</link>
<description><![CDATA[<A HREF="/useremail/u/1520629"><b>tubbynet</b></A> : any vpn device which advertises a "site-to-site" or "gateway-to-gateway" mode should be able to handle it.  however, there are several different types of vpns, ssl and ipsec.  the two are not interoperable with each other. in the past, ipsec was the only option, but ssl vpns have become very popular (especially due to their ability to be deployed over a web-type interface and require no end-user client).  you will need to ensure that your company is using an ipsec vpn, as site-to-site with ssl isn't possible (as far as i know).<br><br>since ipsec is a standard, every router that supports ipsec site-to-site tunnels, should work in your situation.  however, the caveat here is that you get what you pay for.  also, there is the consideration of support from your it staff.  depending on how comfortable you feel setting the vpn up, you may want to try and relinquish the setup to someone more technically astute with vpn configuration.  in this setup, i would make sure that i am running the same manufacturer of hardware to make it easier on whoever is installing the vpn.  plus, you could always pick their brains for free support (if they have the time).<br><br>as always, ymmv.<br><br>q.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21099058</guid>
<pubDate>Fri, 12 Sep 2008 12:16:10 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21098965</link>
<description><![CDATA[<A HREF="/useremail/u/662568"><b>dsaunder</b></A> : Thanks for the replies!<br>Given, then, that my company's IT department would need to enable me to link to their VPN via a hardware VPN device, what capabilities/feature names would I look for in said device to ensure that I could configure:<br>- Any packet bound for an internal company LAN address traverses VPN tunnel<br>- Any other packet goes to public Internet<br>?<br><br>Can anyone offer specific VPN router models that they know have this capability?<br><br>Many thanks!<br><small>--<br>-David-</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21098965</guid>
<pubDate>Fri, 12 Sep 2008 12:01:24 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21096356</link>
<description><![CDATA[<A HREF="/useremail/u/1520629"><b>tubbynet</b></A> : there is a difference (configuration-wise) between using a software "remote access" client and a hardware "site-to-site" solution.<br><br>the software solution is meant to be a remote access connection for most road warriors and teleworkers.  it assigns specific parameters for the "tunnel-group" but it essentially allows a connection from any ip address.<br><br>a site-to-site tunnel requires a "peering" between the two end points.  these endpoints will use similar credentials (usually a preshared key or a ca) to ensure that the endpoints are who they say.  from there, the two will pass encrypted packets.  <br>however, you can't set one side up for a "site-to-site" vpn (like at your house) and point it to a "remote access" vpn (though i suspect it *could* be done with proper programming of the router ui and connection triggering).  you will need to ensure that you are able to set up the site-to-site at your central office, as that can lead to a huge security risk to have a permanent tunnel to a network outside of the control of the company it.<br><br>q.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21096356</guid>
<pubDate>Thu, 11 Sep 2008 20:59:07 EDT</pubDate>
</item>

<item>
<title>Re: &#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21095241</link>
<description><![CDATA[<A HREF="/useremail/u/0"><b>anon</b></A> :  <blockquote><small>quote:</small><hr>Is this common with hardware VPN devices? Can it be done with most?<hr></blockquote>Yes and Yes.  I do not know anything about the device you mention though.  It may or may not support this.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21095241</guid>
<pubDate>Thu, 11 Sep 2008 17:10:37 EDT</pubDate>
</item>

<item>
<title>&#x22;Split Tunneling&#x22; w/Hardware VPN Appliance?</title>
<link>http://www.dslreports.com/forum/remark,21090389</link>
<description><![CDATA[<A HREF="/useremail/u/662568"><b>dsaunder</b></A> : I'm considering purchasing an IPSec VPN appliance, such as ZyWALL 2 Plus to access my company's SonicWall VPN over my home DSL connection.  I'm wondering if the VPN appliance can be configured such that only packets destined for company LAN devices transit the VPN, whereas requests for all non-company resources (e.g.: Internet browsing) transit the regular Internet?<br>I've read that when accessing SSL VPNs via software clients, this requires "split tunneling."  I guess, therefore, I'm looking to accomplish something identical to "split tunneling" but with a hardware device.<br>Is this common with hardware VPN devices?  Can it be done with most?<br><br>Thanks<br><small>--<br>-David-</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,21090389</guid>
<pubDate>Wed, 10 Sep 2008 19:50:29 EDT</pubDate>
</item>

</channel>
</rss>
