VPN Part 104 Dec 2005
I've always been somewhat intimitated by VPNs. I've never really used them myself, being content with openssh-tunnels for my work. At my old company Netlife I inherited an IPSEC site-to-site VPN to a branch office, but I never had to touch it until we shut the office down.
VPN was on my initial to-do list at nu2m, and I was happy to find the open-source firewall m0n0wall with PPTP and IPSEC VPNs included onboard. We don't need VPN for our remote offices, as our provider organizes their DSL lines behind our firewall (using VRF, virtual routing and forwarding). PPTP works fine for individual users, they just need a username and a password, and a client is included in both Windows and OS X. I can assign them IPs and control where they can go in m0n0wall. By default the clients direct all traffic to the internet through the VPN, which is fine for occasional users. Heavy user have to set up their own routes.
PPTP on m0n0wall has its drawbacks, though. The Berlin office had a Windows VPN server of its own, and we were never able to connect to it after they were behind the firewall. M0n0 insisted on grabbing all PPTP traffic for itself. (The workaround was to set up logins for Berlin on our VPN server.) And we were never able to run more than 1 PPTP client behind the firewall at one time, something do with the the magic of GRE packets. As for IPSEC, I was never able to get it to work. I could connect, but I couldn't reach any hosts beyond the firewall. I suspect that with 2 firewall hosts and the VRF, our network is like Shrek's onion. It has too many layers.
We now have a partner that needs several clients to connect to our LAN simultaneously. PPTP doesn't cut it, because their firewall allows only 1 PPTP client at a time. So I'm going to have to overcome my intimidation and come up with a way to slice the onion. I think I've found the ginsu knife to do it. More on that later...