gilbert_osm
join:2013-02-01

Member

VPN device recommendation for an IT consultant.

I'm an IT consultant, Mac-focused. I want to set up reliable, secure, full-network access to my customers' small-office networks, ideally by sending them a pre-configured hardware device that they plug in to the LAN side of their network.

On my side, I want to use the excellent Mac software VPN client "VPNTracker 6".

Based on the list of devices compatible with VPNTracker 6 (see here: »www.vpntracker.com/us/ad ··· ity.html), can someone point me in the right direction?

I need full, transparent access to the customer's entire class C network, i.e. 192.168.1.x, with the ability to do ICMP pings & pass through all other protocols "as if" I am on their physical network.

Thank you for your suggestions.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Why would you want to use a client at your end? More than likely it's the customer that should use a client or a predefined SSLVPN download that many business class routers provide. You on the other hand should get a decent VPN hardware device. IMHO
gilbert_osm
join:2013-02-01

1 edit

Member

Replies that question my basic assumptions are not useful. Please stick to what I asked.

- I need a software-based solution so that I can be fully mobile on my end. That is non-negotiable.
- The device needs to be cheap enough that I can buy & deploy it affordably, i.e. low capital investment cost on my part.

I'm sure there are plenty of suitable devices out there, I just need some specific recommendations as a place to begin my research. Thanks.
HarryH3
Premium Member
join:2005-02-21

HarryH3 to gilbert_osm


A few of my customers have WatchGuard firewall devices with VPN capabilities. I use the WatchGuard VPN client to connect to their network and then I can use Remote Desktop, VNC, web access (great for network printers, scanners and cameras with built-in web servers), netscan, ping, etc. just as if I were sitting in their office, plugged into their data switch. I also keep a copy of the VPN client on my laptop so if I'm onsite at a different customer site when I get a call, I can use the laptop to connect from wherever I am at the time.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to gilbert_osm

Out of the listed devices on the page -- Sonicwall, Cisco, Watchguard, Netgear, Juniper, Checkpoint
-- do you have ANY direct experience with devices from those mfrs?

Secondly : what's the dollar figure of your budget? Off the top of my head, the low end for the above
vendors is going to be anywhere from several hundred to around $1000USD a pop. That does NOT
include for maintenance contract(s), spares, applicable client licence(s), etc.

Thirdly : any other requirements of the device? GigE interfaces? Throughput requirements? Needed
interfaces? Requirements for HA / backup connectivity?

Just my 00000010bits :

Sonicwall -- look into the TZ series, fairly affordable, GigE interfaces, can handle what speeds most
ISPs can handle, includes content filtering / AV / anti-X (added cost / subscription) and wireless.

Cisco -- look into an ASA 5505 or 5512X device, 5505 is somewhat dated while 5512X I haven't
seen pricing for yet. Definitely "big iron" but NOT for the faint of heart / non-Cisco types. Also
in my experience is the most restrictive from a features perspective.

Watchguard -- XTM 2 / 3 is the series to look at, fairly full featured but I don't have any direct
experience.

Netgear -- read the datasheets, I do not have any direct experience.

Juniper -- SSG / SRX series is on par, and oftentimes exceeds Cisco. Fairly intuitive GUI interface
for the basics, but the advanced stuff and remote management can be daunting. Again, not for the
faint of heart. If you could, get a bunch of SSG-5s and rig em up, and you'd be laughing (almost).

Checkpoint -- read the datasheets, I do not have any direct experience.

..and as I have an open mind, Zyxel USG series would be under the "affordable" and "GUI for ease of use" category.
Recommended you read this thread for the paper specifications and pricing of the device.

From reading over the specs sheet, VPNTracker's just an IPSec-compatible VPN client for MacOS. All you need
is a device you're comfortable with, get a bunch of them, configure as needed, and ship out -- there's
no rocket science really. I'd just lab up one device and make sure it works before signing the big Purchase
Order.

Once you have the devices, shouldn't be that hard to set up a site-to-site VPN between the sites.
One gotcha about this -- are the sites on static IPs or dynamic? If they're dynamic, DDNS functionality
MAY be needed -- this is what I've heard, but I can't comment further as I don't have much direct experience
with site to site with a dynamic IP address.
said by gilbert_osm:

- I need a software-based solution so that I can be fully mobile on my end. That is non-negotiable.

Have you ever heard of / tried Hamachi?

Regards
gilbert_osm
join:2013-02-01

Member

said by HELLFIRE:

Out of the listed devices on the page -- Sonicwall, Cisco, Watchguard, Netgear, Juniper, Checkpoint
-- do you have ANY direct experience with devices from those mfrs?

Secondly : what's the dollar figure of your budget? Off the top of my head, the low end for the above
vendors is going to be anywhere from several hundred to around $1000USD a pop. That does NOT
include for maintenance contract(s), spares, applicable client licence(s), etc.

Thirdly : any other requirements of the device? GigE interfaces? Throughput requirements? Needed
interfaces? Requirements for HA / backup connectivity?

Thanks for your suggestions.

Yeah, in the past I used Netgear FVS318s and an FVS328 for a total hardware-based solution end-to-end. For that setup, all the routers were performing as WAN-to-LAN / Firewall also, so there was no issue with VPN pass through & NAT. (I was a Mac consultant for 15 years, then quit for 5 years, now returning to the field.)

But it was a pain, in the past, to convince clients to replace their WAN head-end equipment just for compatibility with my hardware VPN solution. This time around I want a drop-in unit that can sit quietly on their LAN, and that I can easily take with me if/when they no longer need my services (or I no longer want their business.)

I don't want to spend more than $250 per customer / per site. Doesn't have to be GigE-capable, just needs to do a respectable 15-25 Mbit (bit, not byte) throughput for occasional larger file transfers.

When I find something workable I will post the details of my solution here for future readers & searchers.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to gilbert_osm

Switchman posted this interesting device in another thread, it's the closest I've seen to something you're describing....

»dl.ubnt.com/datasheets/e ··· e_DS.pdf
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to gilbert_osm

said by gilbert_osm:

to convince clients to replace their WAN head-end equipment just for compatibility with my hardware VPN solution.

My personal experience? BAAAAAD idea when you suggest dismantling a customer's network to get YOUR
solution in to make it work.

Otherwise, as I said, VPNTracker sounds like a standard IPSec-compatible VPN client, and IPSec's a standard,
so as long as "site to site VPN" and "remote access VPN" is in whatever gear you decide on's spec sheet, you
should be off to the races.

I'd also check smallnetbuilder for some of the SMB gear for other options.

Regards