VPN Through Router

Posted on 2004-03-29
Last Modified: 2013-11-29
Well, it's a little more complicated than the above description.

I have a hotel that wants broadband access to all their rooms for guests.  Unfortunately, most business guests connect to their office using VPN.  Well, SOHO equipment isn't going to cut it because each one of these "guests" uses something different (checkpoint, mschap, pptp, blah, blah, blah).  It would also be impossible for me to get a hotel guest to give me the number to their company's IT department so I could try and convince them to let me know what ports their VPN operates over so that I could open a port tunnel for them.  Sheeesh...

Past my small office networking experience, I'm fairly clueless.  What equipment, if any, would allow me to circumvent manual port tunneling and let these people use their VPN across broadband behind a router issuing DHCP addresses? layer 2, layer 3, VLAN (what is all this stuff?)

If someone could point me in the right direction then I can "bone up" on the self education.
Question by:carlajasminelewis
Accepted Solution

by: infotrader (earned 500 total points)
ID: 10707363
Actually, it is probably not as complicated as you think.

Although not all companies implement the same VPN schemes or use different software to handle this, it is actually pretty common practices that they use the same protocols and/or ports to do this.

If the companies really want their clients to access their internal resources through VPN, they'd get a clue by now that it is best that you stick by the rules.  So here's the low-down:

1.  Do not settle with a cheap router/firewall.  Most firewalls only allow for 1 to 5 simultaneous VPN connections.  This means that, depending on the limitation of the router, you might actually "rob Peter to pay Paul", which disconnects someone's VPN to allow it for others.

2.  Get a router that allows "VPN passthrough", which allows your computer to be able to establish outbound VPN connection.  If you ask your vendor, they'd be able to provide you with lots of different models.

3.  Just bear in mind that if, after performing the above steps, they still have a proprietary setup on their network that requires special configuration, just politely ask them to ask their IT department to change their settings.  It is not your fault that they are making it difficult for everybody else.  Let's say they have 100 traveling users, and each user stays at 10 hotels per year; that means 10000 hotels would have to modify their settings.... Why can't they just perform the change on their end ONCE, and get it over with?

4.  Most likely, if you are having problems with one particular site/office/client, but have no problem with others, then it is not your network setting but the user/clients' computer setting.  They need to take it up with their IT support people, not you.

5.  If you ABSOLUTELY need to make one particular client happy, you can put a switch in FRONT of your router, and allow them to connect to the switch and use a public IP address.  That would at least prove that the problem isn't with your firewall but their computer setting.

- Info
Expert Comment

by: Technicon-SG
ID: 10707507
Carla,

Most new VPN clients are capable of NAT Traversal...this should eliminate your need to micromanage port tunneling.  You will just need to choose a router based on the number of clients that are likely to be using the connection at any particular time.  Netopia R910 is a good SOHO router with NAT that will serve a good number of clients.  I have used this device with up to 75 simultaneous VPN connections (Cisco and Nortel Clients).

If the user's VPN is not capable of NAT traversal...it will have to be done with port forwarding.  However...this is unlikely as most companies that have traveling users will have already switched to the newer VPN.

If this is a large or high traffic hotel...you should look into some type of AAA (Authentication, Authorization, and Accounting) server to keep your system from being abused.
Expert Comment

by: pseudocyber
ID: 10707623
Most of the users will have a client, so you don't have to worry about doing any kind of vpn device to vpn device connection.  

On your firewall, make sure you have protocol 17 UDP port 500 source and destination open for ISAKMP IPSec Key Management.  Make sure protocol 50 (ESP) and 51 (AH) for IPSec Tunnel Encapsulation is open.

If they're doing PPTP then you'd need Protocol 8 (TCP) Source >1023 Destination 1723 for PPTP Control Connection, and
Protocol 47 (GRE) Source and Destination n/a for PPTP Tunnel Encapsulation.

If they're doing L2TP (they need to upgrade), that would be Protocol 17 (UDP) Source >1023 and Destination 1701.

Reservation Control - Protocol 46 (RSVP) source and destination n/a.

HTH
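As an added example (not code from any poster in this thread), the following script turns pseudocyber's allow-list and Technicon-SG's NAT-traversal remark into a small audit tool: it reads firewall log lines from the guest LAN, names the VPN flow each line belongs to, and reports per guest which flows the router dropped, so the hotel can tell a local firewall problem from a guest's own client problem. The log format and the sample lines are constructed for this example; UDP 4500 (IPsec NAT-T) is added as an assumption, since the thread mentions NAT traversal without naming the port.

```python
import re
from collections import defaultdict
IP_TCP, IP_UDP, IP_GRE, IP_ESP, IP_AH = 6, 17, 47, 50, 51

# Outbound flows a guest VPN client needs, per pseudocyber's list, plus UDP 4500
# (IPsec NAT-T, the "NAT traversal" Technicon-SG mentions; added as an assumption).
VPN_FLOWS = [
    ("IKE/ISAKMP",      lambda pr, sp, dp: pr == IP_UDP and dp == 500),
    ("IPsec NAT-T",     lambda pr, sp, dp: pr == IP_UDP and dp == 4500),
    ("IPsec ESP",       lambda pr, sp, dp: pr == IP_ESP),
    ("IPsec AH",        lambda pr, sp, dp: pr == IP_AH),
    ("PPTP control",    lambda pr, sp, dp: pr == IP_TCP and sp > 1023 and dp == 1723),
    ("PPTP GRE tunnel", lambda pr, sp, dp: pr == IP_GRE),
    ("L2TP",            lambda pr, sp, dp: pr == IP_UDP and sp > 1023 and dp == 1701),
]

# Constructed log format (not any real router's); ports are absent for GRE/ESP/AH.
LOG_RE = re.compile(r"^(?P<verdict>ACCEPT|DROP) proto=(?P<proto>\d+) "
                    r"src=(?P<src>[\d.]+)(?::(?P<sport>\d+))? dst=[\d.]+(?::(?P<dport>\d+))?$")

def vpn_component(proto, sport, dport):
    """Name the VPN flow a packet belongs to, or None if it is not VPN traffic."""
    for name, match in VPN_FLOWS:
        if match(proto, sport, dport):
            return name
    return None

def audit(lines):
    """Per guest IP: VPN components seen, and those the firewall dropped."""
    report = defaultdict(lambda: {"seen": set(), "dropped": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines not in the expected format
        comp = vpn_component(int(m["proto"]), int(m["sport"] or 0), int(m["dport"] or 0))
        if comp is None:
            continue  # ordinary web traffic etc.
        report[m["src"]]["seen"].add(comp)
        if m["verdict"] == "DROP":
            report[m["src"]]["dropped"].add(comp)
    return {ip: {k: sorted(v) for k, v in e.items()} for ip, e in report.items()}

# Constructed sample: .34 runs IPsec with NAT-T, .35 runs PPTP but the router
# drops its GRE tunnel (the classic passthrough failure), .36 is only browsing.
SAMPLE_LOG = """\
ACCEPT proto=17 src=10.1.2.34:51200 dst=203.0.113.5:500
ACCEPT proto=17 src=10.1.2.34:51200 dst=203.0.113.5:4500
ACCEPT proto=6 src=10.1.2.35:49800 dst=198.51.100.9:1723
DROP proto=47 src=10.1.2.35 dst=198.51.100.9
ACCEPT proto=6 src=10.1.2.36:49900 dst=192.0.2.10:443
""".splitlines()
```

A guest whose report shows the control flow accepted but the tunnel protocol dropped (here GRE for PPTP, or ESP for IPsec) is the case item 2 of the accepted answer is about: the router lacks passthrough for that protocol, and that is the hotel's problem rather than the guest's.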