
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,932 of 2,348   
   Mike Drechsler - SPAM PROTECTED EMA to Fred Marshall   
   Re: Setting up site to site VPNs (1/2)   
   27 Feb 06 19:35:49   
   
   From: mike-newsgroup@-DELETETHISPART-.upcraft.com   
      
   Fred Marshall wrote:   
   > "Mike Drechsler - SPAM PROTECTED EMAIL"   
   >  wrote in message   
   > news:l4HMf.72751$Id3.63042@fe04.news.easynews.com...   
   >> Fred Marshall wrote:   
   >>> In other words:   
   >>>   
   >>> Can one run two VPNs through a Linksys router?  Which one?  Any other   
   >>> simple router model of any manufacturer?   
   >>>   
   >>> Thanks,   
   >>>   
   >>> Fred   
   >>>   
   >> SNIP   
   >>   
   >> Yes   
   >> RV series   
   >> Too many to mention.   
   >>   
   >> Have you even bothered to look at the Linksys website? If it says VPN   
   >> endpoint then you can bet the device is limited to 1 or 2 simultaneous VPN   
   >> connections.  If it says VPN router then it's likely 50 simultaneous VPN   
   >> connections.  I would never suggest using any of these routers if you have   
   >> anywhere close to 50 simultaneous connections running.  But for connecting   
   >> a handful of sites it should work.  Perhaps if you had 50 home office   
   >> users that only access the VPN connection occasionally it might work but I   
   >> imagine even doing key renegotiations for 50 unused tunnels might stress   
   >> out a Linksys router.   
   >>   
   >> If you need to connect sites and you consider this link important then you   
   >> should get a consultant who has experience in this area.  Your diagrams   
   >> seem to indicate that you don't quite "get it".   
   >   
   > Mike,   
   >   
   > Thanks for the reply.  You're right, I don't quite get it.  So, I'm   
   > learning.  And, oh yes, I've looked at the Linksys website quite a bit.  My   
   > problem is mostly with the lingo which I'm picking up.  It's more difficult   
   > because there seem to be so many VPN schemes.   
   >   
   > I'm focusing on Linksys because I work with them often enough at the low   
   > end, it's what's installed and it's what one of our local ISPs uses.  We've   
   > discussed the RV series.   
   >   
   > Maybe you could clear up a nagging question for me:   
   >   
   > I see reference to "tunnel" and I see reference to "passthrough" and I see   
   > reference to "end point".  I have a pretty good idea what an end point is.   
   > But, I don't understand the difference between tunnel and passthrough.   
   >   
   > My problem with what I find on the Linksys website is that it seems to talk   
   > about the devices as VPN end points but not so much about passthrough.  For   
   > example, I can find that there are some of their products that will support   
   > only one VPN passthrough at a time but no mention, except by implication, of   
   > products that will support more than one VPN passthrough at a time.  Oh yes,   
   > they talk about more than one end point being implemented but not clearly   
   > more than one passthrough.  So, it's not a dumb question.   
   >   
   > One of my problems is that I don't maintain a "lab" where I can buy a bunch   
   > of stuff and try it out.  I have to be conservative in selecting devices   
   > because I want them to work when I put them in the network.  But, I may have   
   > to just buy one or two of the RV devices for learning.   
   >   
   > The architecture I had in mind when I wrote the original post was to   
   > continue using a NAT device at the front end and to have VPN end points and   
   > the LAN Internet firewall inside of that device.   
   >   
   > Yes, one can ask "why?".  It's because there was a desire/need in the   
   > original architecture to have a cascaded NAT firewall arrangement.  It's   
   > what was implemented and I'd hoped to keep the configuration unless it's   
   > more trouble than it's worth.  And, presumably it would limit the number of   
   > static public IP addresses we'd need.   
   >   
   > My hope was that the VPN operations would be transparent to the NAT device (or   
   > vice versa) - but I have some doubts.  I guess an RV at the front end would   
   > handle this configuration in a routing table - which isn't transparent but   
   > would be just fine.   
   >   
   > Fred   
      
   Passthrough means that the router has absolutely no VPN capability built   
   in.  It simply will allow someone inside the network to use VPN software   
   without blocking the connection.  "The connection passes through the   
   router".  This also assumes that the VPN endpoint you are connecting to   
   supports the address translation that is applied when it passes through   
   the NAT router so it's no guarantee that a link could be established.   
   The reason that it usually only supports a single connection to pass   
   through is that if you had 2 internal computers trying to connect to the   
   same VPN server it wouldn't be able to tell which computer to send the   
   inbound traffic to, since IPSec traffic (the VPN protocol most people use)   
   is not transmitted using ports like TCP/IP, so it cannot look at the port   
   numbers to determine which computer the packet is intended for.   
      
   Tunnel is basically another word for connection.   
      
   Endpoint is a device actually participating in creating the connection   
   or tunnel.  In this case the device supports the VPN protocol and is an   
   active participant in the connection.   
      
   There is not going to be much difference between the Linksys router that   
   only functions as an endpoint and the one that functions as a router,   
   except for capacity.  The endpoint device simply doesn't have software   
   to support more connections and it likely is also too slow to support   
   more than the 1 connection it supports.  The other devices may have   
   special chips to speed up the encryption so that they can support more   
   simultaneous tunnels.  Encrypting the data can be very intensive on the   
   processor.   
      
   Most VPN implementations will require a static IP on your VPN gateway.   
   The IP address becomes part of the identity of the device when building   
   the connection.  You can think of the IP address as part of the username   
   if you will, when the devices connect with each other.  If you create a   
   static IP main mode VPN connection (a technical VPN term) then the two   
   endpoints will reject inbound connection attempts from IPs they do not   
   recognize.  At the very least you will need to forward the ports the VPN   
   needs anyhow, so you aren't actually more secure with NAT in front of the   
   VPN endpoint since the traffic it's listening for just gets forwarded   
   anyhow.  Unless there is some hidden port the VPN router is listening on,   
   this really will not improve the security of your VPN device.  Because   
   you would need to use an aggressive mode connection to support the NAT,   
   you would actually be lowering the security of a site to site link   
   (although the reduction is fairly trivial).   
      
   The RV device would go directly to the modem, you would dump the old   
   device completely from the picture.  The VPN gateway would be your NAT   
   as well as a VPN box.  You can connect a VPN in parallel to an existing   
   firewall, but in your case the firewall it's replacing doesn't give any   
   exceptional benefit so there's not much point in running in parallel   
   like that.   
      
   If you need to gain experience you could probably find some cheap gear   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
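The passthrough limitation Mike describes (a NAT can only hand one raw IPsec tunnel to a given peer because ESP has no port numbers to demultiplex on) can be shown with a small simulation. This is an added illustration, not code from the thread or from any Linksys product: it models a NAPT box that keys its translation table purely on addresses and transport ports, and it assumes the NAT does not inspect ESP SPIs (routers that advertise "IPsec passthrough" often track SPIs, which is how they cope with their one tunnel). All IP addresses are made-up documentation-range values. It also goes one step beyond the post and shows that UDP-encapsulated ESP (NAT-Traversal on UDP/4500) is plain UDP to the NAT and so demultiplexes like any other flow.

```python
"""Port-based NAT versus raw IPsec ESP: why a plain NAT box can forward only
one ESP "passthrough" tunnel to a given peer.  Added example, not from the
original thread; addresses are constructed (RFC 5737 ranges)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # the NAT's WAN address (constructed)
VPN_PEER = "198.51.100.5"    # the remote VPN gateway (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "esp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for ESP: there is no transport header
    dst_port: Optional[int] = None
    spi: Optional[int] = None        # ESP SPI; a port-based NAT ignores it


class PortNAT:
    """Minimal NAPT: rewrite the source to (PUBLIC_IP, allocated port) on the way
    out; restore the inside destination on the way back via the public tuple."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}   # inside 5-tuple  -> public 5-tuple
        self._in = {}    # public 5-tuple  -> (inside ip, inside port)

    def _alloc_port(self) -> int:
        p = self._next_port
        self._next_port += 1
        return p

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside.  Returns the rewritten packet, or None when no unique
        public mapping can be created (the raw-ESP collision case)."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            if pkt.proto == "esp":
                # No port to rewrite: the only public tuple available is
                # ('esp', PUBLIC_IP, None, peer, None).  If another inside host
                # already owns it, the peer's replies could not be routed back.
                pub = ("esp", self.public_ip, None, pkt.dst_ip, None)
                if pub in self._in and self._in[pub][0] != pkt.src_ip:
                    return None
            else:
                pub = (pkt.proto, self.public_ip, self._alloc_port(),
                       pkt.dst_ip, pkt.dst_port)
            self._out[key] = pub
            self._in[pub] = (pkt.src_ip, pkt.src_port)
        pub = self._out[key]
        return replace(pkt, src_ip=pub[1], src_port=pub[2])

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  Look up the public tuple the reply is addressed to;
        anything unsolicited (no mapping, no forward rule) is dropped."""
        pub = (pkt.proto, self.public_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pub not in self._in:
            return None
        inside_ip, inside_port = self._in[pub]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def two_hosts_same_peer(nat: PortNAT, proto: str,
                        port: Optional[int]) -> Tuple[Optional[str], Optional[str]]:
    """Hosts .10 and .11 each open a `proto` flow to VPN_PEER; return the public
    source each one was given, or None where the NAT had to refuse."""
    out = []
    for host in ("192.168.1.10", "192.168.1.11"):
        t = nat.translate_out(Packet(proto, host, VPN_PEER, port, port))
        if t is None:
            out.append(None)
        else:
            out.append(t.src_ip if t.src_port is None else f"{t.src_ip}:{t.src_port}")
    return (out[0], out[1])


def demo():
    nat = PortNAT()
    ike = two_hosts_same_peer(nat, "udp", 500)    # IKE: distinct public ports, both ok
    esp = two_hosts_same_peer(nat, "esp", None)   # raw ESP: second host is refused
    natt = two_hosts_same_peer(nat, "udp", 4500)  # NAT-T: ESP inside UDP, demuxes again
    # The peer's ESP reply can only ever reach the first host.
    reply = nat.translate_in(Packet("esp", VPN_PEER, PUBLIC_IP, spi=0xBEEF))
    return ike, esp, natt, (reply.dst_ip if reply else None)


if __name__ == "__main__":
    print(demo())
```

Running it shows the two IKE flows and the two NAT-T flows each getting their own public port, while the second raw ESP flow to the same peer is refused and the peer's ESP reply lands on the first inside host only. The same table lookup is what a "port forward" for the VPN creates statically, which is why NAT in front of an endpoint adds little: the ports it listens on get mapped straight through either way.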
