VPN Through Router

Well, it's a little more complicated than the above description.

I have a hotel that wants broadband access to all their rooms for guests.  Unfortunately, most business guests connect to their office using VPN.  Well, SOHO equipment isn't going to cut it because each one of these "guests" uses something different (checkpoint, mschap, pptp, blah, blah, blah).  It would also be impossible for me to get a hotel guest to give me the number to their company's IT department so I could try and convince them to let me know what ports their VPN operates over so that I could open a port tunnel for them.  Sheeesh...

Past my small office networking experience, I'm fairly clueless.  What equipment, if any, would allow me to circumvent manual port tunneling and let these people use their VPN across broadband behind a router issuing DHCP addresses? Layer 2, Layer 3, VLAN (what is all this stuff?)

If someone could point me in the right direction then I can "bone up" on the self education.
Actually, it is probably not as complicated as you think.

Although not all companies implement the same VPN schemes or use the same software to handle this, it is actually pretty common practice that they use the same protocols and/or ports to do this.

If the companies really want their clients to access their internal resources through VPN, they'd get a clue by now that it is best that you stick by the rules.  So here's the low-down:

1.  Do not settle for a cheap router/firewall.  Most firewalls only allow for 1 to 5 simultaneous VPN connections.  This means that, depending on the limitation of the router, you might actually "rob Peter to pay Paul", which disconnects someone's VPN to allow it for others.

2.  Get a router that allows "VPN passthrough", which allows your computers to be able to establish outbound VPN connections.  If you ask your vendor, they'd be able to provide you with lots of different models.

3.  Just bear in mind that if, after performing the above steps, they still have a proprietary setup on their network that requires special configuration, just politely ask them to ask their IT department to change their settings.  It is not your fault that they are making it difficult for everybody else.  Let's say they have 100 traveling users, and each user stays at 10 hotels per year; then that means 10000 hotels would have to modify their settings.... Why can't they just perform the change on their end ONCE, and get it over with?

4.  Most likely, if you are having problems with one particular site/office/client, but have no problem with others, then it is not your network setting but the user/clients' computer setting.  They need to take it up with their IT support people, not you.

5.  If you ABSOLUTELY need to make one particular client happy, you can put a switch in FRONT of your router, and allow them to connect to the switch and use a public IP address.  That would at least prove that the problem isn't with your firewall but their computer setting.

- Info

Most new VPN clients are capable of NAT Traversal...this should eliminate your need to micromanage port tunneling.  You will just need to choose a router based on the number of clients that are likely to be using the connection at any particular time.  Netopia R910 is a good SOHO router with NAT that will serve a good number of clients.  I have used this device with up to 75 simultaneous VPN connections (Cisco and Nortel Clients).

If the user's VPN is not capable of NAT traversal...it will have to be done with port forwarding.  However...this is unlikely as most companies that have traveling users will have already switched to the newer VPN.

If this is a large or high traffic hotel...you should look into some type of AAA (Authentication, Authorization, and Accounting) server to keep your system from being abused.
Most of the users will have a client, so you don't have to worry about doing any kind of VPN device to VPN device connection.

On your firewall, make sure you have protocol 17 UDP port 500 source and destination open for ISAKMP IPSec Key Management.  Make sure protocol 50 (ESP) and 51 (AH) for IPSec Tunnel Encapsulation are open.

If they're doing PPTP then you'd need Protocol 8 (TCP) Source >1023 Destination 1723 for the PPTP Control Connection.
Protocol 47 (GRE) Source and Destination n/a for PPTP Tunnel Encapsulation.

If they're doing L2TP (they need to upgrade), that would be Protocol 17 (UDP) Source >1023 and Destination 1701.

Reservation Control - Protocol 46 (RSVP) source and destination n/a.
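As an added example (not part of any answer above), the protocol and port list from the previous answer can be turned into a small log classifier: it reads netfilter-style firewall log lines, tags each one as ISAKMP, ESP, AH, PPTP control, GRE or L2TP, and counts how many distinct guest-to-peer tunnels are up, which is the number to compare against a router's simultaneous-VPN limit. The log lines are constructed, not captured; UDP 4500 (IPsec NAT-T, what "NAT traversal" clients use) is an addition beyond the page.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (not captured traffic).
SAMPLE_LOG = """\
IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=203.0.113.10 PROTO=UDP SPT=500 DPT=500
IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=203.0.113.10 PROTO=ESP SPI=0x1a2b3c4d
IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=198.51.100.7 PROTO=TCP SPT=49213 DPT=1723
IN=eth1 OUT=eth0 SRC=10.0.5.22 DST=198.51.100.7 PROTO=47
IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.44 PROTO=UDP SPT=1701 DPT=1701
IN=eth1 OUT=eth0 SRC=10.0.5.24 DST=192.0.2.80 PROTO=TCP SPT=51000 DPT=443
"""

# Protocol numbers and ports from the answer above: UDP 500 (ISAKMP),
# IP protocols 50/51 (ESP/AH), TCP 1723 + GRE (PPTP), UDP 1701 (L2TP).
# UDP 4500 (IPsec NAT-T) is an addition; NAT-traversal-capable clients use it.
IP_PROTO = {"50": "esp", "ESP": "esp", "51": "ah", "AH": "ah",
            "47": "gre", "GRE": "gre"}
UDP_PORTS = {500: "isakmp", 4500: "nat-t", 1701: "l2tp"}
TCP_PORTS = {1723: "pptp-control"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def classify(line):
    """Return the VPN component a log line belongs to, or None if not VPN."""
    f = dict(FIELD_RE.findall(line))
    proto = f.get("PROTO", "")
    if proto in IP_PROTO:          # ESP, AH and GRE have no ports at all
        return IP_PROTO[proto]
    dpt = int(f.get("DPT", 0))     # missing DPT -> 0 -> no match
    if proto == "UDP":
        return UDP_PORTS.get(dpt)
    if proto == "TCP":
        return TCP_PORTS.get(dpt)
    return None

def vpn_tunnels(log_text):
    """Map each guest (SRC) to the set of (peer, component) pairs seen."""
    tunnels = defaultdict(set)
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            f = dict(FIELD_RE.findall(line))
            tunnels[f["SRC"]].add((f["DST"], kind))
    return dict(tunnels)

def concurrent_tunnels(log_text):
    """Distinct guest->peer tunnels, to compare against the router's VPN limit."""
    return len({(src, dst) for src, pairs in vpn_tunnels(log_text).items()
                for dst, _ in pairs})
```

A guest whose ISAKMP line appears without a matching ESP line is the classic symptom of a router that blocks protocol 50, which is exactly the "passthrough" setting the answers talk about.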
