VPN over ADSL?


pmanson

Original Poster:

13,387 posts

255 months

Thursday 11th December 2003
Okay, this is the scenario...

Getting ADSL installed at home while I'm back from uni over Xmas. Dad needs it for work and I'm assuming to get into his servers at work he'll need some sort of VPN software.

Dad has a laptop from work
Mum has a laptop from the school she works at.
Mum wants to buy another PC for home.
My Brother has a PC at uni.
I've got a PC at uni with a wireless card which I use to access our home network here.

If the ADSL line has to be configured for the VPN, will all the other PCs be able to access the net? Or is it just the laptop that is configured? (Thinking about it, I'm sure it is - doh)

What I'm planning to do is buy a wireless router.
The two PCs upstairs will have wireless cards (mine and my brother's).
The two laptops will have PCMCIA cards.
The new PC will use the Ethernet port and just be cabled with CAT5 cable as it will be next to the router.

Also, which supplier would you use? At uni I use NTL, which I'm quite happy with, but my Dad's not so keen.
I want to use a supplier that offers a modem with an Ethernet port as it is easier to connect up to the wireless router.

Cheers,

Phill

Edited cos I'm a muppet sometimes


>>> Edited by pmanson on Thursday 11th December 16:10

Marshy

2,748 posts

286 months

Thursday 11th December 2003
The VPN is most likely to be configured on your Dad's laptop. All the other kit (as long as you use an appropriate gateway) will work just fine on t'internet.

pdV6

16,442 posts

263 months

Thursday 11th December 2003
Works fine.

Just ensure the internet connection is working on whatever PC you want to use.

Then, on Win2k/WinXP just use the internet connection wizard and choose the option to connect to a private network over the internet. Use the IP address of the VPN server in the office instead of a phone number.

Obviously the network at the office needs to be set up to allow you dial-in access.

If you're using a firewall (which I hope you are) you'll probably need to set it up to trust traffic coming from the office network. (In ZoneAlarm, this means add your office VPN server's IP address and internal network addresses to the trusted zone).

neil_cardiff

17,113 posts

266 months

Thursday 11th December 2003
pmanson said:


Also, which supplier would you use? At uni I use NTL, which I'm quite happy with, but my Dad's not so keen.
I want to use a supplier that offers a modem with an Ethernet port as it is easier to connect up to the wireless router.


>>> Edited by pmanson on Thursday 11th December 16:10


Also be careful with the supplier's small print - NTL specifically doesn't allow VPN usage, and/or any business usage - I'm sure others do too...

Not to say you couldn't 'just' do it...

_DJ_

4,903 posts

256 months

Thursday 11th December 2003
That's debatable - they could limit its use by filtering the traffic (it's been known) to disallow IKE/IPSEC etc.

Marshy

2,748 posts

286 months

Thursday 11th December 2003
neil_cardiff said:
Also be careful with the supplier's small print - NTL specifically doesn't allow VPN usage, and/or any business usage - I'm sure others do too...

Not to say you couldn't 'just' do it...


Erm, *cough*, quite.

agent006

12,048 posts

266 months

Thursday 11th December 2003
The end that's being connected to would need a static IP address too.

Graham

16,368 posts

286 months

Thursday 11th December 2003
I use VPN over both cable and ADSL lines with no probs.

Provided the server end with static IP is set up correctly you can come in from a dynamic IP address (usually best to at least limit the allowed range on your login though).

At home I use the Win XP client through a wireless LAN through a Cisco 837 router/firewall/modem to multiple VPN servers with no problems at all.

The only time I've had a problem is trying to use VPN over GPRS on my Treo phone. Can't do it due to the IP setup but it works fine through hi-speed data.

G

Marshy

2,748 posts

286 months

Thursday 11th December 2003
agent006 said:
The end that's being connected to would need a static IP address too.


By the sound of it, it's a corporate VPN thing - so it will be.

_DJ_

4,903 posts

256 months

Thursday 11th December 2003
As far as I understand it, anything below Windows 2003 doesn't support IPSEC if the source address is NAT'd (confuses AH) either, so that's possibly another thing you might want to check.
DJ

Marshy

2,748 posts

286 months

Friday 12th December 2003
If the client at the ADSL/CM end is NAT'd then, yes, there may be problems. Depends how well the thing doing the NATing handles IPSEC/IKE.

Linux with the IPSEC masquerading doesn't break IPSEC/IKE VPNs *if* the remote peer's ID is something other than its IP address. I believe some of the broadband router products on the market can do this sort of IPSEC masquerading.

Other VPN products (i.e. firewalls and their respective client VPN software) do NAT traversal by further encapsulating the IPSEC/IKE traffic in UDP.

>> Edited by Marshy on Friday 12th December 01:00
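To make the "NAT confuses AH" point above concrete, here is an added Python model (example code, not from the thread or from any poster) of what each IPsec protocol's integrity check covers. AH's ICV includes the IP header with only the mutable fields (TTL etc.) zeroed, so a rewritten source address fails verification; ESP's ICV covers only the ESP header and encrypted payload, so an address rewrite on the outer header passes. The key, addresses and header layout are constructed and simplified for the demo; a real SA derives its keys from IKE.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo key shared by the "client" and the "office VPN gateway";
# a real security association derives this from IKE, never a hard-coded value.
KEY = b"constructed-demo-key"


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """Toy AH integrity check value (after RFC 4302): the IP header is inside
    the ICV, with mutable fields such as TTL zeroed. Addresses are NOT mutable
    from AH's point of view, so any rewrite of src or dst breaks the check."""
    ttl_zeroed = b"\x00"
    covered = _addr(src) + _addr(dst) + ttl_zeroed + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def esp_icv(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Toy ESP integrity check value (after RFC 4303): covers only the ESP
    header (SPI, sequence number) and the encrypted payload, never the outer
    IP header."""
    covered = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:12]


def build_ah_packet(src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "ttl": 64, "payload": payload,
            "icv": ah_icv(src, dst, payload)}


def build_esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> dict:
    return {"src": src, "dst": dst, "ttl": 64, "spi": spi, "seq": seq,
            "ciphertext": ciphertext, "icv": esp_icv(spi, seq, ciphertext)}


def nat_rewrite(packet: dict, public_ip: str) -> dict:
    """What the home router does to every outbound packet: swap the RFC1918
    source address for its single public address and decrement the TTL."""
    return {**packet, "src": public_ip, "ttl": packet["ttl"] - 1}


def ah_verify(packet: dict) -> bool:
    expected = ah_icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def esp_verify(packet: dict) -> bool:
    expected = esp_icv(packet["spi"], packet["seq"], packet["ciphertext"])
    return hmac.compare_digest(expected, packet["icv"])


def run_demo() -> dict:
    """Constructed addresses from documentation ranges, not real hosts:
    a private client, the router's public address and the office gateway."""
    private_client = "192.168.1.10"
    public_nat = "203.0.113.7"
    office_gw = "198.51.100.20"

    ah = build_ah_packet(private_client, office_gw, b"hello office")
    esp = build_esp_packet(private_client, office_gw, spi=0x1234, seq=1,
                           ciphertext=b"\xde\xad\xbe\xef")

    return {
        "ah_direct": ah_verify(ah),                                # True
        "ah_after_nat": ah_verify(nat_rewrite(ah, public_nat)),    # False
        "esp_after_nat": esp_verify(nat_rewrite(esp, public_nat)), # True
    }


if __name__ == "__main__":
    print(run_demo())
```

The TTL decrement in `nat_rewrite` is harmless to AH because TTL is zeroed before hashing; only the address change breaks it. ESP surviving the rewrite is necessary but not sufficient for a working tunnel: a plain ESP packet carries no port numbers, so a many-to-one NAT still has nothing to demultiplex return traffic on, which is the problem the UDP encapsulation Marshy mentions is there to solve.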

miniman

25,142 posts

264 months

Friday 12th December 2003
It works fine for me. I regularly use VPN to the office on my laptop via Wireless LAN while the other half is on the web on my home PC.

You do have to be careful with the setup and routing, if I understand correctly, because some routers and proxies block IPSEC which scuppers VPN.

sybaseian

1,826 posts

277 months

Friday 12th December 2003
I have a Netgear DG824M (ADSL modem/router/switch/firewall/wireless access point); it has four Ethernet ports and can handle up to 253 users (32 wireless connections).

I have one PC connected via ethernet and two laptops and a PDA connected wirelessly. The DG824M also supports VPN pass through, which I use to connect to the office network from home.

Seems to fit nicely with what you need in a one-box solution. The only drawback is 11 Mbps.

If you want 56 Mbps, Netgear also do a DG834G which has the same features as the DG824M, but with 56 Mbps.


http://uk.insight.com/apps/productpresentation/index.php?alert=categoryresults&product_id=NGEDG834G

£136.29 inc VAT


DG834G

Combines modem, router, switch, 802.11g access point, and SPI true firewall

Up to 5 times faster than 802.11b

True Firewall with Stateful Packet Inspection (SPI) & Intrusion Control, Denial of Service (DoS), Virtual Private Network (VPN) pass-through

Smart Wizard detects/connects to your ISP

Works with both 802.11g & 802.11b

Wireless or Wired Instant Broadband Access with Internet Sharing
This 802.11g wireless router adds considerable power and flexibility to your network. Five products in one, it combines an ADSL modem, router, 10/100 LAN switch, 802.11g access point, and SPI True Firewall. It gives you untethered continuous connectivity to your network resources and the Internet, and allows you to share your broadband access with all of your networked computers wireless or with wires using Ethernet cables. Featuring high-speed 802.11g wireless capability – up to five times faster than 802.11b – it allows you to download large files, videoconference, and distribute and play high-quality digital movies, photos, and MP3s in the blink of an eye. Simple to use, it plugs directly into your ADSL line. An integrated switch lets you directly connect four computers or any combination of four computers, access points or printers. Setup couldn’t be easier – NETGEAR’s Smart Wizard install assistant and on-screen help guide you through each step. The Smart Wizard automatically detects and makes the best connection to your ISP. True Firewall protects your network with business-class security against intruders, including logs and alerts of break-in attempts, while VPN pass-through makes it safe to connect to your business network from home or office. The contemporary, sleek design of this unit suits your home or office. Future upgrades to firmware can be obtained via the Internet.

Faster Than Ever
The DG834G gives you instant connectivity with or without wires, and works with your existing 802.11b devices as well as your new 54 Mbps 802.11g devices. A built-in ADSL modem furnishes direct, always-on Internet connectivity and multi-user access sharing at speeds up to 140 times faster than dial-up. This powerful router distributes MP3s, digital movies and photos with ultra-fast 10/100 switched LAN ports capable of speeds of 200 Mbps, and shares a single IP address with up to 253 users. And, it boasts double the memory and a 50% faster CPU than many popular routers.

Hassle Free
No need for a separate modem – this connects directly into your ADSL line. Built-in Port Forwarding settings, Universal Plug and Play (UPnP™) and Virtual Private Network (VPN) pass-through make it simple to play Internet games, send instant messages, and host Internet services. User interface matches your local language (English, French, German or Italian). It supports PCs, Macintosh®, and virtually all Ethernet devices, and comes with a free Ethernet cable for connecting your first computer.

Secure
True Firewall using Stateful Packet Inspection (SPI) and Intrusion Control features Denial of Service protection from hacker attacks, while VPN (Virtual Private Network) pass-through permits secure access to your office or corporate network and enables you to host VPN services. Content filtering lets you control access to inappropriate web sites and limit usage by time of day. Logs browsing activities and provides optional e-mail alerts so you can monitor access. DMZ support allows unrestricted access from the Internet to one computer (for hosting web services).
Specifications



Routing Protocols:
Static and Dynamic Routing with TCP/IP, VPN passthrough (IPSec, L2TP, PPTP), NAT, UDP, RIP, PPPoE, PPPoA, Classic IP, DNS, DHCP (client & server)

Application Support:
Works with most Internet applications including: Quake®, Half-Life®, StarCraft, Unreal Tournament®, ICQ®, AOL® Instant Messenger™, Microsoft Messenger®, NetMeeting®, RealPlayer®, Windows Media Player™, Net2Phone®, Dialpad®

Physical Interfaces:
LAN: Four (4) 10/100 Mbps auto-sensing, Auto Uplink™ RJ-45 ports (one Cat 5 UTP cable included), 802.11g access point
WAN: ADSL RJ-11, T1.413, G.DMT, G.Lite, ITU Annex A; Annex B version is DG834GB
Wireless speeds:
1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54 Mbps (auto-rate capable)
Modulation Type:
OFDM with BPSK, QPSK, 16QAM, 64QAM, DBPSK, DQPSK, CCK
Frequency:
2.412 ~ 2.462 GHz (US)
2.412 ~ 2.484 GHz (Japan)
2.412 ~ 2.472 GHz (Europe ETSI)
2.457 ~ 2.462 GHz (Spain)
2.457 ~ 2.472 GHz (France)

Security Features:
Firewall: Stateful Packet Inspection, Intrusion logging and Reporting, Denial of Service protection
VPN Functionality: NAT traversal (VPN pass-through) for IPSec, PPTP and L2TP VPNs
Mode of Operation: Network Address Translation (NAT), static routing
IP Address Assignment: Static IP address assignment, internal DHCP server on LAN, DHCP client on WAN

Management Features:
Administration Interface: Web graphic user interface with protected user name and password, remotely accessible from designated IP addresses

User Support:
Up to 253 LAN users

RFC Support:
IPSec tunnel mode:
(RFC 2401) (pass through mode), IP v.4
DHCP server:
(RFC 2131)
DHCP client:
(RFC 2131)
NAT (many-to-one):
(RFC 1631)
IP Control Protocol:
(RFC 1332)
Bridged Ethernet Encapsulation:
(RFC 1483, 2684)
PPP over Ethernet (PPPoE):
(RFC 2516)
PPP over ATM (PPPoA):
(RFC 2364)
Classical IP over ATM:
(RFC 1577)

ADSL Specifications:
ADSL, Dual RJ-11, pins 2 and 3, ANSI T1.413, G.DMT, G.Lite (ITU Annex A; Annex B is DG834GB)

Antenna:
2 dBi

Standards Capability:
802.11g

Functions:
Remote Management, Port Range Forwarding, Exposed Host (DMZ), DNS Proxy, URL Content Filtering, E-mail Alerts

Maintenance:
Save/Restore Configuration, Diagnostics, Upgrades via Web Browser, Logging

Power Adapter:
15VAC 1.0A; plug is localized to country of sale for North America, Japan, UK, Europe, Australia

Physical Specifications:
Dimensions: 255 x 169 x 34 mm (10 x 6.7 x 1.3 in.)
Weight: 0.6 kg (1.3 lb)

Environmental Specifications:
Operating temperature: 0° to 40° C (32° to 104° F)
Operating humidity: 90% maximum relative humidity, noncondensing

Warranty:
NETGEAR 2-year warranty

SYSTEM REQUIREMENTS:
• ADSL Internet service
• Ethernet connection (adapter and cable) for each PC
• 2.4 GHz wireless adapter or Ethernet adapter and cable for each computer
• TCP/IP networking software (Windows® 98, Me, NT, 2000, XP, NetWare®, UNIX®, Linux®)
• Windows® 98, Me, NT, 2000, XP, Mac® OS, NetWare, UNIX, or Linux
• Internet Explorer 5.0 or Netscape 4.7 or higher

PACKAGE CONTENTS:
• Wireless ADSL Firewall Router DG834G
• Power adapter
• Ethernet cable
• Phone cable
• ADSL phone line filter (most countries)
• Resource CD
• Installation guide
• Warranty/Support information card

NETGEAR RELATED PRODUCTS:
• FA120 USB 2.0 Adapter
• FA311 PCI Adapter
• FA511 Ethernet CardBus
• MA111 802.11b USB Adapter
• MA311 802.11b PCI Adapter
• MA521 802.11b PC Card
• MA701 802.11b Compact Flash Card
• ME101 802.11b Wireless Ethernet Bridge
• PS101 Mini Print Server
• WG311 54 Mbps Wireless PCI Adapter
• WG511 54 Mbps Wireless PC Card
• WGE101 54 Mbps Wireless Ethernet Bridge
• XE102 Powerline Bridge (U.S. only)

>> Edited by sybaseian on Friday 12th December 12:01

pmanson

Original Poster:

13,387 posts

255 months

Friday 12th December 2003
I've got a NetGear WGR614 Cable/DSL 54Mbps Wireless Router at uni.

Also have the NetGear cards.

I'll probably get another one of those as it seems to work well.

m12_nathan

5,138 posts

261 months

Friday 12th December 2003
Draytek routers are the business; we are rolling them out to all of our laptop users (circa 600). The model we are using, the 2600g (officially out on Monday), supports VPN passthrough as well as being able to terminate 16 VPNs; it also has a print server in it and a content filtering firewall.

Won't bother posting the full specs or this thread will be the longest ever; see www.draytek.co.uk

pbrettle

3,280 posts

285 months

Friday 12th December 2003
Getting a VPN to work from behind a Netgear or such box on an ADSL / Cable broadband connection is usually a case of just a couple of settings - look for "IKE over TCP" or "Support NAT".

For the technically minded, IPSEC uses UDP port 500 for the initial negotiation - which is fine, it's clear text anyway so no issues there. The next bit is the actual encryption of the data being sent over the VPN - this usually fails. NAT (i.e. you have an internal address for your house - something like 192.168.x.x) is the bit that screws it up. ESP (the encryption protocol part of IPSEC) protects the whole packet and the IP address is part of this - NAT then renders the packet invalid by changing it, and hence it won't work.

The thing you do is to encapsulate ESP in another packet. The most common way of doing this is using UDP on some bizarre port number, 1267 for example. It's not that efficient and kinda like a hammer to break a nut - but it works and you can run any old VPN through any router - just make sure it supports NAT traversal or ESP over UDP etc...

Marshy

2,748 posts

286 months

Friday 12th December 2003
NATing the IPSEC packets doesn't render them invalid at all, but may lead to them getting lost when they come back to you from the VPN gateway at the office.

It can be done without having to encapsulate, in a couple of ways:

Either: Case 1

There's only one VPN client on the privately numbered (RFC1918) network *and* the thing doing the NATing knows where to forward return IPSEC traffic to

Or: Case 2

Some form of smart IPSEC masquerading takes place. The Linux IPSEC masquerading code is smart enough to mangle IPSEC packets to preserve uniqueness and allow more than one VPN client on a privately numbered network, dishing out return IPSEC traffic to the right client. Been there, done that. In this case, though, the IKE Phase 1 ID needs to be something other than the IP address of the machine (can be an arbitrary string, works fine as long as the VPN gateway back at the office allows Phase 1 IDs to be other things).

Been there, done both with my own Linux gateway here. Linksys' IPSEC passthrough is the case 2 type as well.
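An added Python model (example code, not from the thread or from any poster) of the two cases Marshy describes above and of the UDP encapsulation pbrettle mentions. A toy NAT box forwards plain ESP correctly only while exactly one client is behind it (case 1); with two clients a return ESP packet has no port to demultiplex on and is dropped, since this toy box has none of the SPI-aware masquerading that case 2 relies on. With the standardised NAT traversal (RFC 3948: ESP inside UDP on port 4500, IKE on the same port prefixed with a four-byte zero "non-ESP marker"), each client simply gets its own UDP port mapping. Addresses and SPIs are constructed for the demo.

```python
NAT_T_PORT = 4500
# RFC 3948: on UDP/4500 an IKE message carries a 4-byte zero "non-ESP marker"
# in front of the IKE header. ESP-in-UDP carries none, and an SPI of zero is
# reserved, so the first four bytes tell the receiver which one it has.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP-in-UDP payload: the ESP packet as-is (SPI comes first, never zero)."""
    return esp_packet


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE-in-UDP/4500 payload: zero marker followed by the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_nat_t(udp_payload: bytes) -> tuple:
    """Receiver side: split UDP/4500 traffic back into IKE and ESP."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("IKE", udp_payload[4:])
    return ("ESP", udp_payload)


class NatBox:
    """Toy many-to-one NAT. Plain ESP (IP protocol 50) has no ports, so the
    only return-path rule this box knows is 'exactly one ESP client'. UDP has
    ports, so NAT-T traffic gets a normal per-client port mapping."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.esp_clients = []      # private hosts seen sending plain ESP
        self.udp_map = {}          # public port -> (private ip, private port)
        self.udp_reverse = {}      # (private ip, private port) -> public port
        self.next_port = 40000

    def outbound(self, pkt: dict) -> dict:
        if pkt["proto"] == "ESP":
            if pkt["src"] not in self.esp_clients:
                self.esp_clients.append(pkt["src"])
            return {**pkt, "src": self.public_ip}
        if pkt["proto"] == "UDP":
            key = (pkt["src"], pkt["sport"])
            if key not in self.udp_reverse:
                self.udp_reverse[key] = self.next_port
                self.udp_map[self.next_port] = key
                self.next_port += 1
            return {**pkt, "src": self.public_ip, "sport": self.udp_reverse[key]}
        raise ValueError("toy model only handles ESP and UDP")

    def inbound(self, pkt: dict):
        """Return the private host to deliver to, or None if the box must drop it."""
        if pkt["proto"] == "ESP":
            # Case 1 from the thread: one client, so all return ESP goes to it.
            if len(self.esp_clients) == 1:
                return self.esp_clients[0]
            # Case 2 would need SPI-aware masquerading; this toy box has none,
            # so with two clients the return packet is ambiguous and is dropped.
            return None
        if pkt["proto"] == "UDP":
            mapping = self.udp_map.get(pkt["dport"])
            return mapping[0] if mapping else None
        return None


# Constructed addresses from documentation ranges, not real hosts.
GATEWAY = "198.51.100.20"
PUBLIC = "203.0.113.7"
CLIENT_A, CLIENT_B = "192.168.1.10", "192.168.1.11"


def demo_single_esp_client():
    nat = NatBox(PUBLIC)
    nat.outbound({"proto": "ESP", "src": CLIENT_A, "dst": GATEWAY, "spi": 0x1001})
    return nat.inbound({"proto": "ESP", "src": GATEWAY, "dst": PUBLIC, "spi": 0x2001})


def demo_two_esp_clients():
    nat = NatBox(PUBLIC)
    nat.outbound({"proto": "ESP", "src": CLIENT_A, "dst": GATEWAY, "spi": 0x1001})
    nat.outbound({"proto": "ESP", "src": CLIENT_B, "dst": GATEWAY, "spi": 0x1002})
    return nat.inbound({"proto": "ESP", "src": GATEWAY, "dst": PUBLIC, "spi": 0x2002})


def demo_two_nat_t_clients():
    nat = NatBox(PUBLIC)
    esp_a = encapsulate_esp(b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"ct-a")
    esp_b = encapsulate_esp(b"\x00\x00\x10\x02" + b"\x00\x00\x00\x01" + b"ct-b")
    out_a = nat.outbound({"proto": "UDP", "src": CLIENT_A, "sport": NAT_T_PORT,
                          "dst": GATEWAY, "dport": NAT_T_PORT, "payload": esp_a})
    out_b = nat.outbound({"proto": "UDP", "src": CLIENT_B, "sport": NAT_T_PORT,
                          "dst": GATEWAY, "dport": NAT_T_PORT, "payload": esp_b})
    # The gateway answers to whatever public port it saw each client come from.
    back_a = nat.inbound({"proto": "UDP", "src": GATEWAY, "sport": NAT_T_PORT,
                          "dst": PUBLIC, "dport": out_a["sport"], "payload": esp_a})
    back_b = nat.inbound({"proto": "UDP", "src": GATEWAY, "sport": NAT_T_PORT,
                          "dst": PUBLIC, "dport": out_b["sport"], "payload": esp_b})
    return (back_a, back_b)
```

The box deliberately models what a generic router does and not the Linux masquerading described above: the learned-SPI tracking that makes case 2 work is product-specific, which is why the thread's advice to check a router for "IPSEC passthrough" or NAT traversal support matters more than the ADSL line itself.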

rdhawkins

322 posts

285 months

Monday 15th December 2003
m12_nathan said:
Draytek routers are the business; we are rolling them out to all of our laptop users (circa 600). The model we are using, the 2600g (officially out on Monday), supports VPN passthrough as well as being able to terminate 16 VPNs; it also has a print server in it and a content filtering firewall.

Won't bother posting the full specs or this thread will be the longest ever; see www.draytek.co.uk


These look the dog's danglies, don't they? I'm waiting for one of these and contacted DrayTek this morning to see when they are available. They told me that the first batch had already been allocated and shipped and they should get some more next week.

Still worth waiting for though