Multiple VPN Tunnels Through ADSL Router to SBS 2003 RRAS

I suspect this is an issue that has hit others before. We have SBS 2003
Standard running at our head office. Our remote users have been
successfully connecting to the local network using "Connect to SBS" and all
is working fine. We have now consolidated 5 of our remote workers in one
remote office location. The users machines are all SBS domain members and
can independently connect to the SBS network at head office without any
problems what-so-ever.

Our problems arise when more than one remote user attempts to connect to the
network at Head Office from our new remote office. Having a relatively
inexpensive modem/router (Netgear DG834G) means that we have a router that
only supports the pass-through of a single VPN tunnel.

Question 1 - How have others overcome this limitation of inexpensive routers
and the support of only a single VPN Tunnel?

Question 2 - Does there exist a relatively inexpensive ADSL modem/router
that supports the pass-through (outbound) of more than a single VPN Tunnel?

Question 3 - Can we configure the DG834g router to act as an endpoint
(Latest Firmware enables VPN) and create a persistent vpn tunnel from the
remote office to RRAS and our Head office SBS network? If so,How?

Question 4 - We do have a license for SBS 2003 Premium but have not intalled
ISA 2004 - will our problems disapear and will be be able to connect from
our remote location using our Netgear router's VPN tools?

Question 4 - How have other connected remote locations to an SBS Network?
What kind of hardware etc?

Thanks in advance!

Steve

 

Been there, done that. Worked with Ciscos, Linksys, and SMC. Cisco is
expensive and not a simple setup. Linksys is infuriating because it is
missing pieces, and they sell you a non-standard VPN client. There are
whole web site dedicated to setting it up where you can get beta software
from Linksys. Go SMC, SMCBR18VPN for that application. Ugliest router
you've ever seen. Easy to setup, works reliably. Includes 8 port switch,
firewall, etc. $80. They make a 4 port too, but I never used that one.
Looks like the same router only smaller. As with any small VPN router, they
won't pass a lot of VPN traffic fast, and the more the tunnels the slower it
goes. By default it gives you transparent access to the internet and local
assets while in VPN sessions without requiring a Masters Degree in VPN
Mysteries to set it up. If you have trouble understanding the router, their
tech support works if you know BS when you hear it so that you can get have
the contact person get you an answer from someone who actually knows the
router.

Jack T.

 

Have you considered a single router to router vpn tunnel that extends the
network out to the remote office?
This works really well with the Linksys WRT54G Wireless G (which can be
disabled) routers (sub $50 each). They release the firmware open source and
many have improved upon the base code and include vpn server and client
aswell as vpn passthrough modes. I heartily recommend v23 firmware from
www.dd-wrt.com.

Caution if you decide to go this route, be sure to buy Linksys version 4
routers. New version 5 routers areout that do not support 3rd party firmware.

 

Another thing to consider would be a true firewall appliance. This might be
worth the extra cost given the extra security it provides in addition to
resolving your VPN issues - those under-$100 boxes are not designed to
provide perimiter defense to a LAN.

Installing ISA would resolve the security issue, although obviously without
improving a performance issue caused by a hardware device. When faced with
the VPN limitation you're up against in an inexpensive router, I went with a
Sonicwall TZ170, which works great. IMO you need that level of device if
you're not going to install ISA.

 

The WRT54GL model has been released that is still Linux based so you can use
it similar to the version 4. $20 additional cost from Linksys for this
capability, however!

 

those under-$100 boxes are not designed to provide perimiter defense to a

I would agree that the Sonic wall is a fine device. The SMB is also a
firewall similar to the other inexpensive routers such as the dlink,
linksys, and belkin. Explain what you mean by "perimeter defense". I have
not worked with the Sonic Wall, but I have the WatchGuard Enterprise
firewalls. The WatchGuard allows a lot better monitoring, policies, etc.
But it also means that there needs to be someone who understands it.

Thanks,
Jack T.

 

those under-$100 boxes are not designed to provide perimiter defense to a

Sonic wall is quite a popular device. The SMB is also a firewall similar to
the other inexpensive routers such as the dlink, linksys, and belkin.
Explain what you mean by "perimeter defense" and the risks.

I have not worked with the Sonic Wall, but I have the Watch Guard Enterprise
firewalls. Compared to the low cost routers, the Watch Guard allows a lot
better monitoring, policies, etc. Subscriptions keep you up to date, and
you can also do content filtering. But it also means that there needs to be
someone to understand and monitor it. Most people will not look at security
alerts much less respond to them even if they receive them unless they have
an IT department. I see low cost routers mostly as being less flexible but
they are set-and-forget.

Looking forward to your thoughts,
Jack T.

 

Yes indeed.

We have SBS 2003

I think the only possible way is by site-to-site VPN. I have reason to
believe that SBS itself does not support two VPN connections from the
same remote IP address. Site-to-site allows remote machines to maintain
individual IP addresses.

Don't know. I've only worked with older models.

I don't think ISA will help.

I have set up a W2000 workstation to VPN to an SBS and then allow
traffic between the networks, not just the W2K machine. It was necessary
to provide a VOIP service on existing hardware. The drawback is that by
enabling routing between the networks, the security of the SBS LAN is
reduced. When a single machine connects by VPN to SBS, other machines
on the remote LAN do not by default have access. As always, there is a
triangle: security-convenience-cheapness. Pick a point somewhere inside.