Cisco Support Community

New Member

VPN Questions

I'm evaluating methods of implementing an IPSEC VPN solution for my office, but I'm not very familiar with that technology, so I have a number of questions I would like to ask with regard to implementation.

First the architecture of what I'm working with:

|Internet| --> |Cisco 2621| --> |OpenBSD FW| --> |Internal Network|

--> |VPN DMZ (Currently SSH)|

We're pretty cheap, so I've been using an SSH gateway as a VPN. Our users SSH in, authenticate, and then port forward VNC from their office desktop to their home computer. We don't give access to our internal mail server to users from the outside, so the only way users check their mail is by SSH-VNCing to their machines and doing it from there. The only problem is, this is rather cumbersome and users have been complaining.

Now my understanding of how an IPSEC VPN would work is as follows:

1. User connects and gets authenticated to IPSEC VPN.

2. Once authenticated, the user will be assigned an internal IP that gives them access to resources on the internal network.

My questions about this are as follows:

1. Since we restrict a lot of traffic at the gateway router with ACLs, what ports would I need to open / port map to the VPN appliance to allow this to work?

2. On the user end, once a connection is made, is all traffic forwarded through the encrypted connection?

3. How is performance? One of the biggest complaints with our current solution is that remote desktop access is slow. Of course, that's a constant stream of traffic being tunneled through. How would performance compare on a broadband connection? How about a dial-up?

4. Are there any issues with IPSEC and port mapping? All internal machines (anything below the router), even those on the internal DMZ have private addresses. All services that must be accessed from the outside are portmapped from the public IP on the router. I know certain protocols (such as H.323) don't like this type of setup.

The solution we're currently looking at to implement is a VPN 3000 Concentrator and VPN clients on home machines.

Sorry if some of these questions sound elementary; I had never dealt with IPSEC until recently. Thanks for any clarifications.


New Member

Re: VPN Questions


1. VPN technologies consist of the IKE protocol and the IPSec protocols. IKE uses UDP port 500, and IPSec uses "protocol 51" for IPSec AH and "protocol 50" for IPSec ESP. It seems current devices only implement ESP, so you may only need to open "UDP port 500" and "protocol 50" at the firewall.

(ESP is not port 50, it is just protocol 50.)

2. Depends on the vendor implementation. For the VPN3000, you can use "Split Tunnel", which allows a user to have encrypted traffic to the IPSec tunnel and un-encrypted traffic to the Internet.

3. Right now I am using ADSL 8M with a split tunnel for encrypting my traffic to the company. Doesn't seem to be slow here. YMMV.

4. IPSec over UDP (or IPSec over TCP) does solve the port-mapping problem.
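To make item 1 concrete for the gateway router in the original question, here is an added example (not from either poster) of an IOS extended ACL on the Cisco 2621 that admits only the IKE and IPSec traffic the reply lists toward the concentrator. It assumes 203.0.113.10 (a constructed documentation address) is the concentrator's public address and that FastEthernet0/0 is the Internet-facing interface.

```cisco
! Added example: inbound filter on the Internet-facing interface of the 2621.
! Assumptions: 203.0.113.10 is the VPN 3000 Concentrator's public address
! (constructed, RFC 5737 range); FastEthernet0/0 faces the Internet.
! "isakmp" is the IOS keyword for UDP port 500.
ip access-list extended OUTSIDE-IN
 remark IKE (ISAKMP) negotiation - UDP port 500
 permit udp any host 203.0.113.10 eq isakmp
 remark IPSec ESP - IP protocol 50 (carries no port number, so it cannot be port-mapped)
 permit esp any host 203.0.113.10
 remark IPSec AH - IP protocol 51; only needed if AH is actually configured
 permit ahp any host 203.0.113.10
 remark If IPSec over UDP is enabled (item 4), also permit the configured UDP port:
 remark   permit udp any host 203.0.113.10 eq <ipsec-over-udp-port>   (placeholder)
 remark Existing port-mapped services belong here, then everything else is dropped
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

The `log` keyword on the final deny gives the router a record of rejected connection attempts, which is useful when diagnosing why a client cannot complete IKE negotiation.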