
Cisco VPN alternatives

thetraveler359
Hi experts,
I found some previous questions that are informative, but want to ask mine individually.  I have a small company of about 50 folks, about half of which either work from home or travel a lot.  For the home users, I have Cisco boxes setup with always on VPN connections terminating to my ASA5510.  For everyone else, they use the Cisco client, or sometimes Anyconnect when Cisco has issues.  The bossman has asked that I look into alternatives because he tends to have connectivity issues with his VPN when he travels/works remotely.  The only thing that might make sense to me is to go to SSL VPN, but I don't know how to set that up.  I have been working on setting up DirectAccess as he was ok with as an option, but I'm having a LOT of difficulty getting that job done.  I'm ready to give up on trying to setup DirectAccess and look at other options (NOBODY out there seems to know anything about setting up DirectAccess, so finding assistance there is impossible).  So a few questions....

Beyond SSL VPN, what other reasonable easy to setup options are there for VPN connections (I could use my DirectAccess server for other uses if needed) that might be more stable?  

And secondly, if it's SSL VPN, anyone know of a good guide for setup?  

Would SSL VPN be any more stable?  It seems to me that connectivity issues are predominately based on bandwidth and other factors out of my control, but though he understands that, he still wants to see if we can improve it any.  

What do big companies use?  I've always worked for small shops, so I don't know what the big boys use to securely connect remote employees.  Probably something not feasible for me, but curious nonetheless.


THANK YOU!

John Meggers, Network Architect
Commented:
How are you currently using AnyConnect?  If you don't need the premium features, AnyConnect Essentials is basically an SSL replacement for the IPSec client.  It's full-tunnel, draws a client address from a pool, it just uses SSL for the encryption rather than IPSec.  It's not completely free (as IPSec is) but the cost is very low, like a couple hundred dollars.  We use it at my current company, and I was on the alpha test team at Cisco, and I found it to be MUCH more forgiving to network fluctuations than the IPSec client is.  I've been very happy with it.  The big problem is if there's a reason you need Premium SSL licenses, such as for web-portal VPNs from a home computer, then you won't be able to do both (SSL Premium and AnyConnect Essentials) on the same ASA.  Once you enable Essentials, you don't use premium licenses any more, so you don't get the benefit of those features, such as connecting to a web portal, endpoint assessment, etc.  You just get the full-tunnel VPN.
CERTIFIED EXPERT

Commented:
I work for a larger organisation, with approx 1500 users.

Currently we are using the Cisco VPN Client. The only time we have had problems is due to issues with the local connection or issues on the internet. We have seen some hardware issues cause problems, but usually it is to do with the users connection and available bandwidth. I have seen it where some local connections have IPSec traffic throttled.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Usually the issues are that the Local IP and the Office LAN IPs are overlapping.
i.e. the person at a conference with Wifi and their IPs are 172.16.16.0/23
while your office LAN is 172.16.17.0/24 or vice versa.

The 172.16.17.0/24 segment will not see traffic going to the remote side since it is seen as local on the local system.

Not sure whether using any VPN will resolve the IP overlap.

I'd start by enabling logging on the individual's system to collect information on their connection when they are having issues.
IP/netmask, etc.
John Meggers, Network Architect

Commented:
Agreed, if there are IP overlap issues, changing to a different VPN mechanism isn't going to solve that problem.

Author

Commented:
Thanks for the comments all!

jmeggers - I will look into AnyConnect Essentials, thank you.  That should work fine as all I need is file/intranet app/email access and we are fine using a client.  

InteraX - Agreed, I figure this is mostly on their end, but the main "complainer" is two of the owners, thus time to act! :)  Though if IPSec gets throttled in cases, then a move to SSL could help.

arnold - pretty sure we're fine there.  VPN is getting 10.0.3.0 and internal is 10.0.1.0 and I think most times, you don't see 10.0. addresses in public locations, or am I thinking about this wrong?  

Thanks all!
CERTIFIED EXPERT

Commented:
I'm not sure a move to SSL will help a great deal. I think it's mostly due to certain authorities not liking encrypted traffic that they can't read. Any SSL session that lasts for more than 30 seconds would not be normal for standard web browsing and could be throttled. Basically, it's the encryption they don't like.

I have seen plenty of places where 10.0.x.y are used locally, but this shouldn't affect the VPN client. I have this type of setup in use without a problem. The only issue you may find is that any local IP ranges used on the VPN may not be accessible by host applications whilst the VPN is up.

I am assuming you have split tunnelling setup.

Author

Commented:
Yes, I have split tunneling setup.  

Should I be able to run both my current VPN and AnyConnect Essentials at the same time to my ASA5510?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
What is the netmask of the VPN IP you are assigning, 10.0.3.0, versus the LAN IP range 10.0.1.0?

Some locations use 10. It all depends on the scope of the enterprise.
I.e. many would often mean they use a 10.x.x.x large scope network.
Often VPN IP should use a segment different from the one used on the LAN
i.e. if you have 10.0.0.0 one would use an uncommon 192.168. network (not 0,1,2 as those are common in the retail routers)
At this point we are guessing at the cause.  Identifying the issue/cause would clear things up and possibly provide a solution.
i.e. using 192.168.151.x for the VPN connection pool might be what could solve this issue. etc.

Author

Commented:
I'm somewhat avoiding the notion that it's an issue with the VPN pool or anything else because most users see very little or no issues with connectivity.  Or could the issue still only manifest with the one user (who as mentioned is the CEO, so thus why I'm trying to appease with a new VPN type)?  

Netmask is 255.255.255.0
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
The other users may only use remote access from their residences where the Local LAN IP is in the 192.168.x.0/24 range, while the CEO that travels uses the system where the Local LAN IPs overlap with the office IPs.
If enabling logging on the VPN client is not an option, create a batch file that the person can run when they have an issue.

@echo off
rem Append a timestamp and the full adapter configuration to the log
rem each time the user runs this while the VPN is misbehaving.
echo %date% %time% >> c:\somedirectory\datacollectionfile.txt
ipconfig /all  >> c:\somedirectory\datacollectionfile.txt

This may help you narrow down the issue.
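As an added illustration (not code from the thread or from any poster), a small Python script that parses the ipconfig /all output the batch file above collects and reports whether the traveling user's local network overlaps the office LAN (10.0.1.0/24) or the VPN pool (10.0.3.0/24) quoted earlier in the thread. The sample log is constructed; the office ranges are taken from the thread.

```python
import ipaddress
import re

# Office ranges stated in the thread: LAN 10.0.1.0/24 and VPN pool 10.0.3.0/24
# (netmask 255.255.255.0). Adjust to your own environment.
OFFICE_NETWORKS = {
    "office LAN": ipaddress.ip_network("10.0.1.0/24"),
    "VPN pool": ipaddress.ip_network("10.0.3.0/24"),
}

# Constructed sample of what the batch file appends: a timestamp line followed
# by the relevant lines of "ipconfig /all" from a hotel/conference network.
SAMPLE_LOG = """\
Tue 03/05/2013 14:02:11.45
Windows IP Configuration
Ethernet adapter Wireless Network Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.1.77(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.1.1
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
"""

# "IP Address" (XP) or "IPv4 Address" (Vista and later), followed by dot leaders.
ADDR_RE = re.compile(r"IP(?:v4)? Address[ .]*: (\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"Subnet Mask[ .]*: (\d+\.\d+\.\d+\.\d+)")


def local_networks(log_text):
    """Return the client's local IPv4 networks found in ipconfig /all output."""
    nets = []
    addr = None
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            addr = m.group(1)      # remember the address, wait for its mask
            continue
        m = MASK_RE.search(line)
        if m and addr:
            nets.append(ipaddress.ip_interface(f"{addr}/{m.group(1)}").network)
            addr = None
    return nets


def find_overlaps(log_text, office=OFFICE_NETWORKS):
    """Pair each local network with every office range it overlaps."""
    return [(str(local), name)
            for local in local_networks(log_text)
            for name, net in office.items()
            if local.overlaps(net)]
```

In the sample the hotel hands out 10.0.1.x, the same range as the office LAN, so traffic for the office never enters the tunnel; a user on 192.168.151.x would report no overlap.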

Commented:
I am sure someone has already said this but I strongly strongly suggest pfsense.
CERTIFIED EXPERT

Commented:
IPSec and SSL VPNs (clientless and AnyConnect client based) can all be set up and used concurrently on the ASA. If you are only looking to use this for a couple of users, the ASA comes with 2 concurrent SSL licenses. If you are running 8.3 in a failover pair, you will get 4 concurrent users as they are cumulative across the failover pair.

Author

Commented:
rbgCODE, I've never heard of it, looks like it's a software based open source firewall you suggest putting on client machines, right?  Thanks for the info.  

Commented:
No, it is a firewall that you would run on a server that supports VPN, but you can use Windows' built-in software for the VPN connections.
CERTIFIED EXPERT
Commented:
You can configure the ASA to run IPSec sessions that are supported by the Windows client as well.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

The ASA can do most types of VPN supporting many different flavors of client.

Author

Commented:
Interesting.  To the main point of why I'm researching, would either of those solutions tend to be more stable?  
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If the issue is IP overlap or the location where the person is denies/blocks VPN traffic, SSL VPN would often be the only choice since access to the secure web 443 is rarely blocked.
But it would not deal with the IP overlap.
