Choice of VPN approaches.

I have an office using a Netgear router and Netgear VPN client software on the client computers.  This has been running more or less fine for a couple of years.  But lately there have been sporadic reports that the clients can't "connect" which I assume means the tunnel won't come up all the time.

This has led to a discussion about using the Windows VPN capability on the office file server as a VPN server and using the Windows VPN client on the client computers.
I know this will entail port forwarding on the router and a DynDNS URL.
I guess the assumption has to be that the Netgear implementation is faulty and this will fix it.

I want to be proactive and willing to try things.
I know I could use something else like UltraVNC but I don't particularly want to go there.
Any "gotchas" switching from router-based to internal Windows VPN server-based (on a Windows 8.1 workstation / file server)?
Fred Marshall (Principal) asked:
John (Business Consultant, Owner) commented:
I stopped using Windows VPN some years ago. I prefer (and use at ALL clients) a hardware VPN router. Normally I use Juniper Netscreen and sometimes Cisco RVxx entry level commercial. I use IPsec to make tunnels.

I use Site-to-Site IPsec Tunnels (both the above support this and cooperate with each other).

For remote client access we use NCP Secure Entry exclusively now. It is not free or even cheap, but it is best of breed and the newest client (V10+) supports Windows 7, 8.1 and 10. I have it running on Windows 10.

Michael Chisholm commented:
In my opinion, if you can prevent traffic from entering your network before it is authenticated, that is your best security.  Traffic exploits and security risks are all over if you do not set up the Microsoft VPN properly with external certificates and IPsec.  I have used a lot of different firewalls and clients over the years and found WatchGuard to be the most flexible considering price per feature.  Fortigate would be my next choice.  Having these devices broker the security and authentication at the perimeter provides your optimal solution with the best security.  I am not a fan of Netgear products as they tend to slow when performing more than one task.  If you want more information, send me a message and I can demo the solutions for you. P.S. I am not a salesperson for either company, nor do I have any affiliation. I do, on the other hand, know what works and that it works well.
Justin Durrant (Sr. Engineer - Windows Server/Virtualization) commented:
Microsoft VPN is not the best option.. I can relate to your Netgear woes.. I ended up switching to a Sophos UTM appliance.. works flawlessly and reasonably priced.
Fred Marshall (Principal, Author) commented:
Well, if the Netgear/Netgear Client setup is questionable, is it more likely the router or the client software?  I'd like to keep the router if possible but would surely consider a different client program.
Michael Chisholm commented:
I would question the router personally.  I have an FVS318 that I used with a network that would need to be restarted, and clients would fail.  I moved to another brand and this issue no longer persists.
Justin Durrant (Sr. Engineer - Windows Server/Virtualization) commented:
Agreed.. that router is fine for general use but leaves much to be desired for client VPN.
Fred Marshall (Principal, Author) commented:
How about RV042?
Michael Chisholm commented:
This is more of a consumer type device.  If you are looking for inexpensive, consider the SonicWall TZ 215 or the WatchGuard XTM 3 Series or WatchGuard XTM 2 Series.

You want to make sure that the device can handle the internal traffic as well as the external, especially the unsolicited traffic that can overrun cheaper units.
Justin Durrant (Sr. Engineer - Windows Server/Virtualization) commented:
Agree with Mike. You should be looking at something more business-centric. SonicWall is a popular option.
John (Business Consultant, Owner) commented:
Cisco RV models are strong devices and not consumer machines. They will have a small business environment. So also will Juniper Netscreen.
Michael Chisholm commented:
All of the reviews that I have found and read about this device, despite that it is a Linksys re-branded with Cisco labeling, complain about the VPN dropping while in use.  Those who rate the device high don't appear to be using the VPN portion. I do agree that the Juniper units work very well. I have at least two of them in clients' offices currently.
John (Business Consultant, Owner) commented:
I have a Cisco RV325 in my home office (and RV042G  before that). Site to Site tunnels stay up for months on end. I have been doing this for years now. I connect mostly to Juniper with a couple of other RVxx units. I keep firmware upgraded.
Fred Marshall (Principal, Author) commented:
Thanks, folks.

The VPN will be client-to-site so the client software will always be a question.  I followed up on John Hurst's recommendation for NCP Secure Entry at $144ea.  Other comments?

I have plenty of experience with site-to-site but much less with client-to-site with RV0xx and some with Juniper Networks SSG and SRX.  So, one question about the client-to-site setups.  With the current Netgear (in addition to the remote subnet where the client resides), and unlike site-to-site VPNs, there's a subnet for the clients that's set up in the VPN router that's different from the central LAN subnet.  Then each client manually self-specifies an IP address on that 3rd subnet.
In some sense (e.g. Windows firewall) it would be simpler if the subnet of the client machines' VPN IP addresses were in the central LAN subnet.
So, am I missing something here?  What's the notion of this 3rd subnet (in the broadest sense)?  Is it necessary for it to differ from the central LAN subnet?
John (Business Consultant, Owner) commented:
Any of the Cisco and Juniper units I have used (ten years now) support both client to site and site to site.

NCP Secure Entry is not cheap, but is simply best of breed and includes NAT Traversal and this trumps cheaper ways.
Michael Chisholm commented:
If you choose to spend 144.00 ea. for the NCP, why not spend 600.00 total for a firewall with IPsec that includes the client with the device? Most of your higher end (mainstream manufacturers, not automatically expensive) units include a client for free if you purchase the devices. I currently have 10 buildings and 1800 users over the last 15 years using firewall-provided clients for VPN. The devices were upgraded from SonicWall 2040 firewalls to WatchGuard XTM devices for the added features.  What John is proposing is an acceptable answer, but is it the complete solution?  You may want to look a little further just to be sure.  Again, I am not taking shots at John; I agree that his solution will satisfy the task. I just want to make sure this is the complete solution that you are looking for.
John (Business Consultant, Owner) commented:
Multiple licenses for NCP are under $100 for 10 licenses.
Michael Chisholm commented:
Why use third-party software for a firewall when you can get a client from the same manufacturer?  You will never have the he-said-she-said between vendors.  You always have the potential of the firewall taking a needed update that the client doesn't support until you upgrade the client. WatchGuard will upgrade the client during the connection if there is a change in the firmware that is not compatible.  You can also set up client sign-in, and they can set up the VPN on their own without needing help from IT.  It's a client-side website built into the WatchGuard over SSL, and after the user logs in to the site there is a button to click and the client is downloaded directly to the machine.  I deployed 200 clients without having to touch a single system.
John (Business Consultant, Owner) commented:
Any VPN client application I have used from the hardware vendor fails at NAT Traversal. I have clients affected by that, and they willingly purchase NCP because it saves time for expensive people. That is why, in a nutshell. You get what you pay for.
Michael Chisholm commented:

You have used, in my opinion, inexpensive hardware that is used for very small (3 to 5 user) offices.  I am just making suggestions to satisfy the needs of Fred Marshall, who posted the question.  I agreed with you that Juniper makes a quality device.  I am not a fan of Netgear or Linksys (re-branded) Cisco lower-end devices.  These are my opinions about the solution, and I am sure the solution you provided will satisfy the need, but again, is it the complete solution?  Thanks for taking the time to provide insight and offering your knowledge for free. This is why I use this site and find it a great resource.

Fred Marshall,

I have marked your question as a good one and feel this is an issue a lot of IT consultants/IT leads deal with on a regular basis: what is best for the dollar you are spending.  Good luck with whatever you decide, and may the solution you choose be the proper one to satisfy your needs. Please post your choices and experiences for others struggling with these choices.

Good Luck.
John (Business Consultant, Owner) commented:
Cisco RVxx are good to the 10 user level and very robust. I also (check above) recommended Juniper Netscreen (good to 50 and above) and Juniper are also very robust.

I never used free Cisco VPN software. I used paid Juniper Netscreen software (roughly half as expensive as NCP) and it could not handle NAT traversal (hotel rooms if the reader does not understand the implications). I also used SafeNet for Vista by SoftRemote (Juniper supplier in 2008). This was 2x the cost of NCP and could not handle NAT Traversal. My Nokia CS-18 Internet key uses NAT Traversal by design, so this aspect is critical.

People can always do what they wish. I use what works.
Fred Marshall (Principal, Author) commented:
What about the subnet question folks?
John (Business Consultant, Owner) commented:
"there's a subnet for the clients that's set up in the VPN router that's different from the central LAN subnet."

With Juniper Netscreen, I think you can have more than one subnet at a site.  For RV042 (that you are very familiar with), I think it just has one subnet in a site. I would have to check, and I am not near one for several days. But I think it is just one.
Fred Marshall (Principal, Author) commented:
I'm referring to the IP address for the client which is not in the central LAN subnet.
And, I'm not referring to any VLANs or equivalent that may be set up on the central router.
Fred Marshall (Principal, Author) commented:
I just installed the Netgear ProSafe VPN Client on a Windows 7 machine and it connected to the Netgear FVS336Gv2 right away.
However, a Windows 10 system on the same network as the Windows 7 machine above didn't work.  Same configurations in both...
So, it's not the local remote routers, it's not the Windows firewall (if Win7 and Win10 would be equal), it's something else.

But what could that be???
John (Business Consultant, Owner) commented:
You are saying the Netgear Prosafe VPN client does not work on a Windows 10 machine. Is that correct?  

So then the Netgear VPN client is not Windows 10 compatible.
Fred Marshall (Principal, Author) commented:
John Hurst:  Yes, one could reach that conclusion.

However, I now have 3 Windows 10 machines.
- two of them don't connect at all.
- one of them does connect but has problems of dropouts and that's the one I started on.
So, even that's not consistent....
The results suggest that it *can* work on Windows 10 but when it does there are either weaknesses or, as yet, unknown tweaks needed.
Forum correspondence with Netgear suggests there is hope but hasn't gone beyond "try this / try that".
Fred Marshall (Principal, Author) commented:
All good comments.  Thanks!

In the end we updated the FVS336Gv2 firmware and it appears that the latest two versions of the Netgear client work with it.

I still don't know why there's a separate subnet... But, I suspect it's for the *remote* IP for the connected clients as seen by the central site router.  It's easy to miss this in the mess of things to be configured.
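The separate client subnet question raised in this thread, illustrated with an added Python example that is not from any participant; the addresses are constructed, and the model is the usual IP forwarding behaviour: a host on the central LAN delivers on-link (via ARP) to any address inside its own subnet and only hands other traffic to its gateway, so a client pool distinct from the central LAN is what lets the VPN router's route for that pool steer replies into the tunnel.

```python
import ipaddress

# Constructed sample addressing (not from the thread): the central office LAN,
# the remote client's own LAN, and the separate pool from which connected
# clients take their tunnel-side address.
CENTRAL_LAN = ipaddress.ip_network("192.168.10.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")


def overlapping_pairs(*nets):
    """Pairs of networks that overlap; for a client-to-site VPN this should be empty."""
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def lan_host_decision(host_net, dst):
    """First hop chosen by a host on the central LAN: on-link delivery (ARP) for
    addresses inside its own subnet, otherwise hand the packet to the gateway."""
    return "on-link" if ipaddress.ip_address(dst) in host_net else "gateway"


def router_next_hop(routes, dst):
    """Longest-prefix match over the VPN router's forwarding table."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, via) for net, via in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def central_router_routes(pool):
    """Forwarding table of the central VPN router for a given client pool."""
    return [
        (CENTRAL_LAN, "lan0"),                         # directly connected
        (pool, "ipsec-tunnel"),                        # client pool, only via the VPN
        (ipaddress.ip_network("0.0.0.0/0"), "wan0"),   # default route
    ]


def reply_path(client_vpn_ip, pool):
    """Path of a reply from a file server on the central LAN to a connected client.
    Returns (host decision, router next hop); the router hop is None when the
    host never forwards the packet to the router at all."""
    first = lan_host_decision(CENTRAL_LAN, client_vpn_ip)
    if first == "on-link":
        return first, None
    return first, router_next_hop(central_router_routes(pool), client_vpn_ip)


if __name__ == "__main__":
    print(overlapping_pairs(CENTRAL_LAN, REMOTE_LAN, VPN_POOL))
    print(reply_path("10.99.0.5", VPN_POOL))          # distinct pool: reaches the tunnel
    print(reply_path("192.168.10.200", CENTRAL_LAN))  # address taken from the central LAN
```

With the pool inside the central LAN, the file server resolves the client's address by ARP on the wire and the router's tunnel route is never consulted, which is the case the third subnet avoids.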
John (Business Consultant, Owner) commented:
Thanks for the update and I was happy to help.
Michael Chisholm commented:

Glad to see everything worked out for you.  Good call on the firmware and a fix for your needs.