I'm evaluating methods of implementing an IPSEC VPN solution for my office, but I'm not very familiar with that technology, so I have a number of questions I would like to ask in regards to implementation.
We're pretty cheap, so I've been using an SSH gateway as a VPN. Our users SSH in, authenticate, and then port-forward VNC from their office desktop to their home computer. We don't give access to our internal mail server to users from the outside, so the only way users check their mail is by SSH-VNCing to their machines and doing it from there. The only problem is, this is rather cumbersome, and users have been complaining.
Now my understanding of how an IPSEC VPN would work is as follows:
1. User connects and gets authenticated to IPSEC VPN.
2. Once authenticated, the user will be assigned an internal IP that gives them access to resources on the internal network.
My questions about this are as follows:
1. Since we restrict a lot of traffic at the gateway router with ACLs, what ports would I need to open/port-map to the VPN appliance to allow this to work?
2. On the user end, once a connection is made, is all traffic forwarded through the encrypted connection?
3. How is performance? One of the biggest complaints with our current solution is that remote desktop access is slow. Of course, that's a constant stream of traffic being tunneled through. How would performance compare on a broadband connection? How about dial-up?
4. Are there any issues with IPSEC and port mapping? All internal machines (anything below the router), even those on the internal DMZ have private addresses. All services that must be accessed from the outside are portmapped from the public IP on the router. I know certain protocols (such as H.323) don't like this type of setup.
The solution we're currently looking at to implement is a VPN 3000 Concentrator and VPN clients on home machines.
Sorry if some of these questions sound elementary; I had never dealt with IPSEC until recently. Thanks for any clarifications.
1. VPN technologies consist of the IKE protocol and the IPSec protocols. IKE uses UDP port 500, and IPSec uses "protocol 51" for IPSec AH and "protocol 50" for IPSec ESP. It seems like current devices only implement ESP, so you may only need to open "UDP port 500" and "protocol 50" at the firewall.
(ESP is not port 50; it is just protocol 50.)
2. Depends on the vendor implementation. For the VPN3000, you can use "Split Tunnel", which allows a user to have encrypted traffic to the IPSec tunnel and unencrypted traffic to the Internet.
3. Right now I am using ADSL 8M with a split tunnel for encrypting my traffic to the company. Doesn't seem to be slow here. YMMV.
4. IPSec over UDP (or IPSec over TCP) does solve the port-mapping problem.
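The distinction in points 1 and 4 above (ESP is IP protocol 50, not a port, and NAT-T wraps it in UDP so a port-mapping router can forward it) is easy to get wrong in an ACL. The following is an added example, not code from the poster or from Cisco: it builds a few constructed IPv4 packets, classifies them as IKE, ESP or NAT-T by looking at the protocol field versus the UDP ports, and evaluates them against a "correct" rule list and against the "UDP port 50" mistake. It assumes standard NAT-T on UDP 4500 (RFC 3948); the VPN 3000's own "IPsec over UDP" option uses a port configured on the device, so check that setting before copying the rule.

```python
import socket
import struct
from typing import List, Optional, Tuple

# IANA IP protocol numbers. These live in the IPv4 header's Protocol field,
# so "protocol 50" is a different thing from "port 50".
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51

IKE_PORT = 500     # IKE/ISAKMP over UDP
NAT_T_PORT = 4500  # standard NAT-T port (RFC 3948); an assumption for this example

Rule = Tuple[int, Optional[int]]  # (IP protocol, UDP/TCP destination port or None)


def build_ipv4(proto: int, payload: bytes,
               src: str = "203.0.113.10", dst: str = "198.51.100.1") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload.
    Addresses are documentation ranges; this is constructed sample input."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal UDP header (checksum zero, which is legal for UDP over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse(packet: bytes) -> Tuple[int, Optional[int], Optional[int]]:
    """Return (IP protocol, src port, dst port); ports are None unless UDP/TCP."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (6, PROTO_UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, sport, dport
    return proto, None, None


def classify_ipsec(packet: bytes) -> str:
    """Label a packet as 'ike', 'nat-t', 'esp', 'ah' or 'other'."""
    proto, sport, dport = parse(packet)
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto == PROTO_UDP:
        if IKE_PORT in (sport, dport):
            return "ike"
        if NAT_T_PORT in (sport, dport):
            return "nat-t"
    return "other"


def firewall_decision(packet: bytes, rules: List[Rule]) -> str:
    """First-match permit list with a default deny, like a router ACL."""
    proto, _sport, dport = parse(packet)
    for rule_proto, rule_port in rules:
        if proto != rule_proto:
            continue
        if rule_port is None or rule_port == dport:
            return "permit"
    return "deny"


# Constructed sample packets (bodies are zero-filled placeholders).
IKE_PKT = build_ipv4(PROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
ESP_PKT = build_ipv4(PROTO_ESP, b"\x00" * 16)  # SPI, sequence number, data
NAT_T_PKT = build_ipv4(PROTO_UDP, build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00" * 20))

# What the answer recommends: UDP/500 plus IP protocol 50 (and UDP/4500 for NAT-T).
CORRECT_RULES: List[Rule] = [(PROTO_UDP, IKE_PORT), (PROTO_ESP, None),
                             (PROTO_UDP, NAT_T_PORT)]
# The mistake the answer warns about: treating ESP as "UDP port 50".
WRONG_RULES: List[Rule] = [(PROTO_UDP, IKE_PORT), (PROTO_UDP, 50)]


if __name__ == "__main__":
    for name, pkt in (("IKE", IKE_PKT), ("ESP", ESP_PKT), ("NAT-T", NAT_T_PKT)):
        print(f"{name:5} class={classify_ipsec(pkt):5} "
              f"correct={firewall_decision(pkt, CORRECT_RULES)} "
              f"wrong={firewall_decision(pkt, WRONG_RULES)}")
```

Running it shows the ESP packet permitted by the correct list and denied by the "port 50" list, because a bare ESP packet carries no UDP header for a port rule to match; the NAT-T packet, by contrast, is plain UDP/4500 and can be permitted and port-mapped like any other UDP service, which is why the answer's point 4 works behind a router that only forwards ports.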