Monday, August 25, 2008

VPN Woes

Have I told you about my VPN problems? No? Well, sit down a spell and have a listen.

When it comes to my company, we've got two types of VPNs, really. There are the site-to-site VPNs, which connect, well, sites. My office's router (a cluster of Juniper Netscreen 5GTs) have VPNs set up to each of the other sites. It's sort of a mesh configuration, since every site has every other site connected via VPN policy, but with only a few locations, this isn't too unbearable. I'd rather have an MPLS network, but hey, I take what I can get.

The real problem becomes user VPNs. See, we've got a primary site and a secondary site, and something like 15 users who each need to be able to connect to both locations. This means that I've got to maintain 30 accounts on the firewalls, AND 15 user machines which connect up. Neither is fun, but the user machines are the worst part.

We use Juniper Netscreens for the VPNs, and our Mac users typically use VPN Tracker or IPSecuritas. VPN Tracker is easy to set up , and commercial. IPSecuritas is free, but much harder to configure. Both do work, however, which makes them better off than our Windows users. Our Windows users are burdened with Netscreen Remote, and an old version, at that. It's just generally bad. It gets confused a lot, and requires reboots to clear the IP configuration so that traffic actually reaches the VPN. Sometimes it will die a slow death; the other day I had a user who could connect to most of the resources on the VPN...then they could only connect to a couple. By the end, the only thing they could reach was the jabber server, over which they were talking to me. A reboot fixed the problem, of course. Lots of times, we'll have people who can get email, can ping everything, but can't SSH into anything.

To fix these strange, strange issues, I'm trying another solution: an SSL vpn.

You might know that IPSec operates over UDP port 500, and requires installed software to be configured beforehand. Basically, an SSL vpn differs from an IPSec VPN by transmitting the traffic over encrypted web-traffic, to port 443 on the VPN device. This allows the client to connect to the VPN merely by visiting a webpage and authenticating themselves. At that point, a java or activeX program is downloaded and installed which acts as a pre-configured VPN client which transmits internal-destined traffic over the SSL tunnel. Anyone who tells you this is a "clientless" operation is lying. The client is just downloaded on the fly.

Anyway, the device I'm going to be using is the Netgear Dual Wan Gigabit SSL VPN. I honestly have no idea if it will work or not, but I'll be sure to let you know.

I'll probably be testing it later this week, so the update on it should come next week.