Re: WRT54GL with DD-WRT VPN firmware - where's the beef?
- From: "JM" <jake@xxxxxxxxx>
- Date: Fri, 13 Apr 2007 17:45:33 -0500
I'm top-posting this because your reply has revealed to me just how little I
know about this stuff, and I found out things today at the customer site
that might take all this into a different direction.
First, the reason I was thinking "wireless" in the first place (and thus
posted here) was because there is a WRT54GL wireless router in the remote
office. I thought with the right firmware I could use that box to establish
a connection to the Sonicwall in the home office. So, you're right, this
isn't a "wireless" issue, at all. It's a VPN/connectivity/networking issue.
The box in question just happens to be wireless. The DD-WRT firmware came
to mind because I've used it many times for non-vpn applications - and, of
course, because it's free.
And I'm not really concerned about security (within reason, of course)
across the link. In truth, the file to be shared is not all that sensitive
anyway. I don't mean to sound careless; it's just that the document isn't
of a critical nature. It's a list of inventory. A hacker would have very
little use for it. Having said that, I want to take steps to be reasonably
secure.
Prior to my trip up there today, my goal was fairly straightforward: The two
people in the remote office need to access an Excel spreadsheet that is on a
computer in the main office. The main office has about 12 computers in a
workgroup. The spreadsheet is updated daily by an admin person, and
personnel use it to check stock levels. There is no "server" of any real
kind in the organization. It's peer-to-peer all the way.
The suggestion of a software VPN client (by you and another poster) is a
good one. I've done that several times with good results. [by the way, the
Netgear Prosafe VPN client works well with Sonicwalls in a GroupVPN SA using
a preshared secret]. The only reason I wanted to attempt a
hardware-to-hardware arrangement is that the customer has expressed a desire
to put one IP phone in the remote office, connected to the main office using
an MCK gateway and branch product. I've done these several times, with
varying success. DSL upload speeds are not ideal, to say the least, but
with compression and some amount of QoS on the LAN side (can't do anything
about it after that point, of course), I've managed to get 1-2 IP phones to
behave enough for inter-office communications.
Anyway, I found out today that they want 2 IP phones. That concerns me over
DSL, but with the right wording in the contract I'm willing to give it a go.
So what I really need is not so much a "vpn," but, rather, a nailed-up
connection over internet (is that the same thing : )).
So, I ask the knowledgeable folks here: What do I do?
thank you,
jm
"Jeff Liebermann" <jeffl@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:79bv13la9nrj836onlr3etcflbef4didkm@xxxxxxxxxx
"JM" <jake@xxxxxxxxx> hath wroth:
What I'm trying to accomplish is access to a shared file in the main
office.
Secure file sharing does not require that the VPN be terminated at the
wireless access point. It can also be terminated by whatever you're
using for a server. If you're concerned about someone sniffing the
*WIRED* part of your network, then end to end VPN is the right
solution. If only the wireless part is a problem, methinks you have
everything you need. Unfortunately, the TZ170 is a series of models
with various fallback, VPN, wireless, "enhanced" SonicOS, etc features
added (or missing).
<http://www.sonicwall.com/downloads/TZ_170_US.pdf>
I think one of these versions supports router to router VPN (2 nodes
or 10 clients) without additional software upgrades. However, that's
for IPSec and not for PPTP.
The remote office has two PCs that need access to an inventory spreadsheet
on a workgroup PC in the main office. The home office has 12 channels of T1
for internet, and the remote office has business DSL from Bell.
Where does the wireless come into the picture? This sounds like a
wired solution?
The Sonicwall model in the main office is TZ 170, not sure of the hardware
or firmware release (will get that later).
Given this relatively modest need (?), what solution would you recommend? I
even have access to another Sonicwall (SOHO3), for a couple hundred bucks.
It's just that they already have the Linksys in the remote office.
Well, there are many options depending on how much money you want to
spend. I was going to suggest that you simply purchase another $600
Sonicwall TZ170 and build a VPN network, but that might be a bit
pricy. It would follow your original plan of router to router VPN
essentially creating one big network out of the two offices.
However, for just two clients and perhaps a few printers, this is
overkill. The easiest way is to setup the TZ170 for IPSec VPN
termination, and use a Windoze (or 3rd party) IPSec client on the two
computahs. Sonicwall VPN client:
<http://help.mysonicwall.com/applications/vpnclient/>
You can also use open source VPN clients or get the Sonicwall client
from other sources (SafeNet). I also use the Checkpoint and Cisco VPN
client without much difficulty. (Note: Neither currently works with
Vista). Also, PoPToP for PPTP under Linux.
I should warn you that the Sonicwall client is a bit feature infested
and will take some documentation reading or trial and error to
untangle. Also, if security is the prime concern, then try setting up
Sonicwall "Zones" to isolate casual users from the main server.
If this VPN arrangement is going over DSL, you may have a performance
problem, especially if your DSL upload speed is slothish. Basically,
the VPN runs at the speed of the slowest connection. I'm not sure
what you mean by "12 channels of T1". Is that 12ea 128Kbit/sec bonded
DS0 channels, a PRI (primary rate interface), or 12 individual T1
lines? At 128Kbits/sec, it's gonna be really slow. At T1 speeds, no
problem.
Another possibility is to terminate the VPN in a Windoze or Linux
server. That could be the unspecified machine that is doing the
serving. PPTP server comes with W2K Server. IPSec, L2TP, and IPSec
servers come with Windoze Server 2003. The big advantage to
terminating at the server is additional security on the wired part of
the network, and the ability to use the very simple PPTP client
supplied on every Windoze client installation.
Anyway, you have several options depending on how you want to organize
this system. However, before you proclaim anything to be a solution,
I suggest you try running a VPN through your DSL/T1 connection, and
evaluate the performance issues. Many applications just don't like to
run this way and many data connections just aren't fast enough to be
useful. You may find a remote desktop solution (PC Anywhere,
VNC, Windoze Remote Desktop) to be faster or better. Once you
determine if the datacomm part of the puzzle is suitable, then
continue with the project.
--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558