Re: Need Help setting up a VPN Connection to my LAN

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Michael Butash
Date:  
To: plug-discuss
Subject: Re: Need Help setting up a VPN Connection to my LAN
This sounds like yours does what is known as a "lan to lan"
configuration, or lan extension mode. Two subnets routing together, not
a "remote access" or client-based vpn, like a home-office extension to
work permanently. Not client-based vpn, which is probably what you're
looking for.

Normally what you want is to have a vpn device that acts as a
"concentrator" for clients running crypto software, initiate a
connection, set up virtual tunneling from your box to the concentrator
hub, and you now become an extension of the internal network from your
client/host. Yours sounds like it's meant to tie your subnet to a hub
device, which implies like two of these devices back to back across the
internet, not a windows box phoning home.

If you're looking for a good little vpn box, snipe an old cisco pix 501
unrestricted on ebay cheap (or buy-it-now for ~30-50 bucks), setup
client ipsec vpn connections with local accounts documented since the
beginning of time, free client software for every platform (native on
linux now with cvpnd/network-manager) and use that as it requires
minimal gui config. It supports 3des which is still fairly adequate for
clients, or you can find newer asa5505's for ~200-300 that do aes256,
certs, ldap auth (ad), whatever. Good/cheap device with tons of info
out there, and a built-in java gui wizard for setting it up that even a
windoze admin can figure out client vpn setup.

I'm actually looking to do this at the moment to stub off my mom's house
on a persistent tunnel lan extension to my network so I can
remote-manage her security and give access to my media stash. The
little pix 501's are good

Openvpn is good too, but more diy than you may like with certs and such
vs passwords. You can get the little ddwrt/tomato ap/router boxen like
asus n16's that can also install openvpn for this if you want a canned
solution.

There are other soho vpn boxes I've seen at frys and such, but they're
entirely "ymmv-ish" off-brand stuff usually. Not sure netgear or dlink
are really know for their prowess for vpn client function, but I think not.

-mb


On 06/24/2012 01:21 PM, Mark Phillips wrote:
> Stephen,
>
> Thanks....there are tons of options on the device. But I read that I
> need a vpn server on my LAN.....other posts say no.....Most of the
> information I found in forums is several years old, so I thought someone
> with more experience than me could point me to a better manual. I read
> this http://www.debian-administration.org/articles/489, but again it is
> over 5 years old, so perhaps there is a better solution?
>
> This is the manual page from the BEFSX41.....I am not completely sure
> which options to use. Plus, I assume I may need something running on my
> laptop - OpenVPN? Do I need a VPN server on my LAN, or something else,
> to be able to login to my different machines?
>
> Mark
>
> */VPN/**/Passthrough/*
>
> This Router supports IPSec, PPTP, and PPPoE Passthrough. You can select
> either*Enable*or*Disable*for these options.
>
> ------------------------------------------------------------------------
>
> */VPN/*
>
> *Select Tunnel Entry*- Select the tunnels number you want to set up.
>
> *Delete*- click this to remove any entries made for this tunnel you
> selected.
>
> *Summary*- Click this button to display the status of all the tunnels.
>
> *IPSec VPN Tunnel*- Select*Enabled*to create a tunnel or*Disabled*to
> close the tunnel.
>
> *Tunnel Name*- Once the tunnel is enabled, enter an arbitrary name for
> the tunnel you are about to create.
>
> *Local Secure Group*
>
> This allows you to grant local computer access to this tunnel.
>
> Subnet    This will allow all computers on the local subnet to access the
> tunnel. Enter the IP Address and Mask to allow access to the tunnel.
> IP Addr.    This only allows the local computer with the specified IP
> address. Enter the IP address you want to allow access to the tunnel.
> IP Range    This allows a range of local computers to access the tunnel.
> Enter the IP address range allowed to access the tunnel.

>
> * Remote Secure Group*
>
> This allows you grant remote computers access to this tunnel.
>
> Subnet    This will allow all computers on the remote subnet to access the
> tunnel. Enter the IP Address and Mask to allow access to the tunnel.
> IP Addr.    This only allows the remote computer with the specified IP
> address. Enter the IP address you want to allow access to the tunnel.
> IP Range    This allows a range of remote computers to access the tunnel.
> Enter the IP address range allowed to access the tunnel.
> Host    When this is selected, the settings will be the same as the Remote
> Security Gateway.
> Any     This option will allow any IP address from a remote location to
> access this tunnel.

>
> * Remote Secure Gateway*
>
> This sets the remote end of the VPN tunnel. You can either specify the
> IP address, Domain, or Any.
>
> IP Addr.    Enter the IP address of the remote tunnel you will connect.
> Domain    This option lets you enter the fully qualified domain name. If
> you do not have an IP address, you have an option to enter the domain of
> the tunnel you are connecting to.
> Any    This will will allow any tunnel connection to be established.

>
> *Encryption*
>
> DES    Data Encryption Standard (DES) is a type of encryption for this VPN
> tunnel. If you select this option, make sure the other end of the tunnel
> uses the same encryption type.
> 3DES    Triple Data Encryption Standard (3DES) is a stronger type of
> encryption for this VPN Tunnel. If you select this option, make sure the
> other end of the tunnel uses the same encryption type.
> Disable    This option will not encrypt for this tunnel.

>
> *Authentication*
>
> MD5    Message-Digest Algorithm (MD5)- Generates 128-bit message digest
> based on the input.  If you select this option, make sure the other end
> of the tunnel uses the same authentication type.
> SHA    Secure Hash Algorithm (SHA)- Generates 160-bit message digest based
> on the input.  If you select this option, make sure the other end of the
> tunnel uses the same authentication type.
> Disabled    This option will not authenticate for this tunnel.

>
> *Key Management*
>
> In order for any encryption to occur, the two ends of the tunnel must
> agree on the type of encryption. This is done by sharing a "key" to
> encrypt code. You can select*Auto (IKE)*or*Manual*.
>
> *Automatic Key Management*
>
> PFS    Perfect Forward Secrecy (PFS) ensures that the initial key exchange
> and IKE proposal are secure. This must be the same for both end of the
> tunnel.
> Pre-shared Key    Enter a series of number and letters that will be used as
> your key. This must be the same for both end of the tunnel.
> Key Lifetime    Enter a number of seconds for the life of the key.After the
> key lifetime expires, a new code will be generated. This much be the
> same for both end of the tunnel.

>
> *Manual Key Management*
>
> Encryption key    Enter a series of letters or numbers to generate an
> encryption key. This must be the same for both end of the tunnel.
> Authentication Key     Enter a series of letters or numbers to generate an
> authentication key.This must be the same for both end of the tunnel.
> Inbound SPI    Enter a series of letter or numbers to generate the Inbound
> SPI. This must match the outbound SPI on the other end of the tunnel.
> Outbound SPI    Enter a series of letter or numbers to generate the
> outbound SPI.  This must match the inbound SPI on the other end of the
> tunnel.

>
> *Status*- This will shows if you are connected or disconnected from the
> other end of the VPN tunnel.
>
> *Connect/Disconnect*- This button will connect or disconnect the other
> end of the VPN tunnel.
>
> *View Log*- This will show you the VPN activity when connecting and
> disconnecting.
>
> Advanced Settings
>
> Phase 1 is used to create a Security Association (SA), often called the
> IKE SA. After Phase 1 is completed, Phase 2 is used to create one or
> more IPSec SAs, which are then used to key IPSec sessions.
>
> Operation Mode
>
> Main    This is for normal operation and is more secure.
> Aggressive    This is faster and less secure.
> Username    Some require username to establish a VPN connection.

>
> Encryption    Select the length of the key used to encrypt/decrypt ESP
> packets. There are two choices: DES and 3DES. 3DES is recommended for
> security.
> Authentication    Select the method used to authenticate ESP packets. There
> are two choices: MD5 and SHA.  SHA is recommended for security.
> Group    There are two Diffie-Hellman Groups to choice from: 768-bit and
> 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
> public and private keys for encryption and decryption.
> Key Lifetime    Enter a number of seconds for the life of the key.After the
> key lifetime expires, a new code will be generated. This much be the
> same for both end of the tunnel.

>
> *Phase 2*
>
> Group    There are two Diffie-Hellman Groups to choice from: 768-bit and
> 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
> public and private keys for encryption and decryption.
> Key Lifetime    Enter a number of seconds for the life of the key.After the
> key lifetime expires, a new code will be generated. This much be the
> same for both end of the tunnel.

>
> Other Setting
>
> NetBIOS broadcast    Check this to enable NetBIOS traffic to pass-through
> the VPN tunnel.
> Anti-replay    Check this to enable the Anti-reply protection. this feature
> keeps track of sequence numbers and packet arrival, ensuring security at
> the IP packet-level.
> Keep-Alive    Check this to re-establish VPN tunnel connection whenever it
> is dropped.  Once the tunnel is initialized, this feature will keep the
> tunnel connected.
> If IKE failed more than x Times, block this unauthorized IP for y
> seconds.    Check this box to block unauthorized IP addresses. Complete the
> on-screen sentence to specify how many times IKE must fail before
> blocking that unauthorized IP address for a length of time that you
> specify (in seconds).

>
>
>
> On Sun, Jun 24, 2012 at 1:02 PM, Stephen <
> <mailto:cryptworks@gmail.com>> wrote:
>
>     Rtfm?

>
>     It really depends on what your options are in the vpn device are.

>
>     On Jun 24, 2012 1:00 PM, "Mark Phillips" <
>     <mailto:mark@phillipsmarketing.biz>> wrote:

>
>         I need to take my laptop on several road trips, and I need to
>         connect back to my home office LAN - all Debian machines. I am
>         on COX cable with a BEFSX41 router. The BEFSX41 has a VPN option
>         that I have never used. What do I need to add to my laptop
>         (Debian) to talk to my home office LAN securely (ie through a
>         VPN) using my BEFSX41? Obviously, I am a complete nube when it
>         comes to setting up VPN access to my LAN. I have googled for
>         some recommendations, but I have not found a good reference to
>         follow.

>
>         Thanks,

>
>         Mark

>
>         ---------------------------------------------------
>         PLUG-discuss mailing list -
>         
>         <mailto:PLUG-discuss@lists.plug.phoenix.az.us>
>         To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

>
>
>     ---------------------------------------------------
>     PLUG-discuss mailing list - 
>     <mailto:PLUG-discuss@lists.plug.phoenix.az.us>
>     To subscribe, unsubscribe, or to change your mail settings:
>     http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss