VPN alternatives?

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Well after 2 straight days of working with tech support with Verizon and Clearpath Networks it has come to our attention that the 2 may not work properly with one another.

Essentially in order to get the SNAP VPN box to work properly we have to be able to put the Verizon Fios modem/router into Bridge mode (Actiontec modem). Well once we do this we get errors with Fios, lost connections and VERY SLOW speed.

Once we connect the SNAP box in place things get even worse (speed wise). The VPN part works SUPER (much better than when we had DSL) but regular internet traffic and surfing is abysmal.

Are there any other options out there that would work well with Verizon Fios? We have their 20up/20down plan.

Thanks in advance for any help.

FYI this is an accounting firm and we need to have something SAFE & SECURE for when we are working from home. Particularly right now (it's tax time of course).

Greg

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I'm still gonna recommend a cisco ASA or juniper/netscreen. They'll do anything you need them to do and they are meant to be beat on/run 24x7 365 days a year. Not a place to skimp IMHO.

Both can do SSL VPNs for remote sessions or you get a smaller model for a permanent tunnel.
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
I should add that what we use the VPN for is accessing the DATA in our office. We run all programs/applications locally on the computers in the remote locations but access the DATA stored on our server.

All remote locations have either Verizon DSL, Verizon FIOS, or Comcast High Speed Internet

Greg
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Thumbing through some posts on Anandtech it looks like something like a Cisco ASA5505 might work?

Anyone have experience with them?

What we need is to be able to access the data on our server in the office from 3 remote locations (homes of the owners of the business who work from there - and yes I am one of them). As mentioned we run all programs locally and only access the data from the office.

VPN could potentially be used at up to 2 locations at a time for 8-10 hours a day.

Greg
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: spidey07
I'm still gonna recommend a cisco ASA or juniper/netscreen. They'll do anything you need them to do and they are meant to be beat on/run 24x7 365 days a year. Not a place to skimp IMHO.

Both can do SSL VPNs for remote sessions or you get a smaller model for a permanent tunnel.

/agree 1000%

Originally posted by: GCS
Thumbing through some posts on Anandtech it looks like something like a Cisco ASA5505 might work?

Anyone have experience with them?

What we need is to be able to access the data on our server in the office from 3 remote locations (homes of the owners of the business who work from there - and yes I am one of them). As mentioned we run all programs locally and only access the data from the office.

VPN could potentially be used at up to 2 locations at a time for 8-10 hours a day.

Greg

We upgraded from a baseline Watchguard firewall to an ASA5505 and the difference is night and day. The Watchguard had several issues keeping our VPN tunnels up, half a dozen remote users, and 4 IPSEC tunnels and it would frequently drop connections/reboot on us when the load got too high. Got the ASA in, set up the config and we haven't had a single problem with it since then. In fact, the first time I ever had to power it down/reboot was when we were moving offices.
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
If you use VPN a lot, which it sounds like you do, Cisco is the way to go with this as Spidey pointed out. It's what we use for my remote office, and I am connected 5 days a week for about 9 hours a day (using the cisco anyconnect client)
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Spoke with Cisco Live Chat and they are sending me some info. Online "product" chat was not very helpful unfortunately.

I do like the price point of the ASA series (about $500 I think). The Juniper stuff starts at over 1k and that's probably more than we really want to spend.

Thanks and keep the info flowing.

Greg
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
We have Cisco and Juniper's security products and they all perform well.
Though you can get Juniper's gear for a bit less than Cisco's.

Juniper has SSG5/20, which shouldn't cost more than 1K.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Just keep in mind it will take some skill to set it up. You're dealing with a security device/firewall/gateway/whatever whose sole purpose is "stop everything". Then you get to deal with network address translation (NAT) that by design the VPN is supposed to not allow (packet modified in transit), then you get to deal with path MTU detection problems and fragmentation.

This is not a "plug it in, click some things and you're fine" sort of thing. We'll help you through it.
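Since the NAT and MTU points above are the ones that usually bite on a first IPsec setup, here is an added worked example (editor's addition, not code from anyone in this thread). It assumes ESP tunnel mode with AES-128-CBC and HMAC-SHA1-96, a common policy on small gateways, and shows why a full-size 1500-byte packet no longer fits once it is wrapped, what the largest inner packet is, and what TCP MSS to clamp so the tunnel never has to fragment. The keyword arguments let you plug in a different cipher suite.

```python
"""ESP tunnel-mode overhead and path-MTU arithmetic (added example).

Not code from the thread. Assumes ESP tunnel mode with AES-128-CBC
(16-byte block, 16-byte IV) and HMAC-SHA1-96 (12-byte ICV); pass other
values for other suites.

Why NAT and IPsec fight: AH authenticates the outer IP header, so any NAT
rewrite breaks the integrity check; plain ESP (IP protocol 50) carries no
UDP/TCP ports, so a PAT router has nothing to multiplex on. NAT traversal
(RFC 3948) wraps ESP in UDP/4500 at the cost of 8 more bytes per packet,
which is the `nat_t` term below.
"""

IPV4_HDR = 20   # outer IPv4 header added by tunnel mode
UDP_HDR = 8     # NAT-T encapsulation (UDP/4500)
ESP_HDR = 8     # SPI (4) + sequence number (4)
TRAILER = 2     # pad length (1) + next header (1)


def esp_padding(inner_len: int, block: int = 16) -> int:
    """Padding so that inner packet + trailer fills whole cipher blocks."""
    return (block - (inner_len + TRAILER) % block) % block


def esp_outer_len(inner_len: int, nat_t: bool = True, block: int = 16,
                  iv_len: int = 16, icv_len: int = 12) -> int:
    """Bytes on the wire for an inner packet of inner_len bytes."""
    size = (IPV4_HDR + ESP_HDR + iv_len + inner_len
            + esp_padding(inner_len, block) + TRAILER + icv_len)
    return size + UDP_HDR if nat_t else size


def needs_fragmentation(inner_len: int, path_mtu: int = 1500, **suite) -> bool:
    """True when the encapsulated packet exceeds the path MTU.

    With DF set the gateway must drop it and send ICMP "fragmentation
    needed"; if that ICMP is filtered on the path, PMTU discovery fails
    and large transfers stall while pings and logins still work.
    """
    return esp_outer_len(inner_len, **suite) > path_mtu


def max_inner_len(path_mtu: int = 1500, **suite) -> int:
    """Largest inner packet that still fits the path MTU after encapsulation."""
    for n in range(path_mtu, 0, -1):
        if esp_outer_len(n, **suite) <= path_mtu:
            return n
    raise ValueError("path MTU too small for any payload")


def tcp_mss_clamp(path_mtu: int = 1500, **suite) -> int:
    """MSS to clamp on the tunnel: max inner packet minus IPv4+TCP headers (40)."""
    return max_inner_len(path_mtu, **suite) - 40


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "ESP over UDP/4500 (NAT-T)" if nat_t else "native ESP"
        print(f"{label}: 1500-byte inner packet -> {esp_outer_len(1500, nat_t=nat_t)} bytes "
              f"on the wire, fragmentation needed: {needs_fragmentation(1500, nat_t=nat_t)}")
        print(f"{label}: max inner {max_inner_len(nat_t=nat_t)} bytes, "
              f"clamp TCP MSS to {tcp_mss_clamp(nat_t=nat_t)}")
```

The practical check: if file copies over the tunnel hang while small requests work, clamp the MSS on the VPN gateway to the value this computes (or lower) rather than chasing the ICMP filter that is eating the "fragmentation needed" messages.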
 

freegeeks

Diamond Member
May 7, 2001
5,460
1
81
Originally posted by: spidey07
Just keep in mind it will take some skill to set it up. You're dealing with a security device/firewall/gateway/whatever whose sole purpose is "stop everything". Then you get to deal with network address translation (NAT) that by design the VPN is supposed to not allow (packet modified in transit), then you get to deal with path MTU detection problems and fragmentation.

This is not a "plug it in, click some things and you're fine" sort of thing. We'll help you through it.

can't you use the cisco SDM with it?
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
GCS, ask Verizon to switch you to the Ethernet (10/100) port built into the ONT. In your configuration, coming out of the ONT on MoCA and then setting the Actiontec router up as a bridge is just adding a lot of complexity, not value.

See the FIOS forum on dslreports.com for more info on getting them to switch you to the Ethernet port. FSC should be able to do it for you, but Verizon often suffers from the big-dumb-company problem and it's hard to find someone who knows how to do it.
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Hmmm ... so connect my network cable direct to the box on the wall and bypass the modem completely?

I sure like the sound of that if that is what you mean.

Greg
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Originally posted by: spidey07
Just keep in mind it will take some skill to set it up. You're dealing with a security device/firewall/gateway/whatever whose sole purpose is "stop everything". Then you get to deal with network address translation (NAT) that by design the VPN is supposed to not allow (packet modified in transit), then you get to deal with path MTU detection problems and fragmentation.

This is not a "plug it in, click some things and you're fine" sort of thing. We'll help you through it.

And therein lies additional concerns that I have. I just do not have the time to invest countless hours to set this up right now BUT right now is when we need it. Also everything you mentioned up above (NAT, MTU etc, etc) is all greek to me.

Ahh the joys of computers.

Greg
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
I believe in your other post where you were originally posting about the problems going from DSL to FIOS I recommended bypassing your actiontec modem completely and hooking it up. I am assuming you never did this? If the internet is coming through ethernet instead of MOCA from the ONT, you don't need the actiontec modem at all. If it is coming through the moca (coax) call verizon and have them switch it to the ethernet. The actiontec modem is a very cheap piece of crap hardware.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: GCS
Originally posted by: spidey07
Just keep in mind it will take some skill to set it up. You're dealing with a security device/firewall/gateway/whatever whose sole purpose is "stop everything". Then you get to deal with network address translation (NAT) that by design the VPN is supposed to not allow (packet modified in transit), then you get to deal with path MTU detection problems and fragmentation.

This is not a "plug it in, click some things and you're fine" sort of thing. We'll help you through it.

And therein lies additional concerns that I have. I just do not have the time to invest countless hours to set this up right now BUT right now is when we need it. Also everything you mentioned up above (NAT, MTU etc, etc) is all greek to me.

Ahh the joys of computers.

Greg

Well, with the ASAs you get to use the ASDM GUI which will work for about 99% of what you need to do. It's nothing like traditional web GUIs though, so it'll take a bit to find your way around... but it sounds like it might be over your head still since you mention not knowing what NAT is.

Aside from that the online configuration guides are pretty helpful, and it doesn't sound like your setup is all that complex so it really shouldn't be that bad.

Never having touched a Cisco device before, I was able to set up an ASA with 2 WAN connections (one for IPSEC tunnels and a DMZ, and the other for local client internet access) and it took me a couple of hours one weekend, but then again I was already familiar with lots of the networking concepts.
 

Tommouse

Senior member
Feb 29, 2004
986
0
0
Originally posted by: GCS
Originally posted by: spidey07
Just keep in mind it will take some skill to set it up. You're dealing with a security device/firewall/gateway/whatever whose sole purpose is "stop everything". Then you get to deal with network address translation (NAT) that by design the VPN is supposed to not allow (packet modified in transit), then you get to deal with path MTU detection problems and fragmentation.

This is not a "plug it in, click some things and you're fine" sort of thing. We'll help you through it.

And therein lies additional concerns that I have. I just do not have the time to invest countless hours to set this up right now BUT right now is when we need it. Also everything you mentioned up above (NAT, MTU etc, etc) is all greek to me.

Ahh the joys of computers.

Greg
So are you looking to do LAN-to-LAN VPN tunnels? Or are you looking for Remote Access VPN? The differences are that L2L would be at the gateway and there would be no need to install VPN software on the computers that need to be connected. Meaning one VPN connection per site, but some sort of VPN gateway would be needed per site (i.e. an ASA5505). RA on the other hand would have a separate VPN connection per computer as the VPN tunnel terminates on the computer and not a gateway. Sounds to me like you're looking for option #2 more than option #1 as you just need to have home users remote in.


Check these two links out
L2L Tunnel
http://www.cisco.com/en/US/pro...09186a0080950890.shtml
RA VPN Setup (for ASDM)
https://www.cisco.com/en/US/do...ick/guide/rem_acc.html

Whichever way you're looking at doing it, I (and many others on here) will be able to help you out. So when you bump into problems, and I'm sure you will, post what you have going on and, as Spidey said, we will be here to help :)
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Sorry I did not catch that in your post.

We have a cream colored box that has a battery in it (ie a UPS) and a standard Cat 5 cable is going from that to our modem then to the snap box then to the switch in our network.

No COAX here as we have no FIOS TV service in the office (TV is on Comcast)

Greg
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
If by data you mean stuff like Word and Excel files, you could set up a SharePoint site. That allows shared access and management of data files without needing a VPN. Everything is done across an SSL-encrypted connection to a web site hosted by a Windows server.
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
GCS,

>Hmmm ... so connect my network cable direct to the box on the wall and bypass the modem completely?

Yes, exactly this. Verizon's default setup these days is to have the ONT bridge the BPON data VC to a MoCA coax cable, then that goes to the Actiontec router which provides a PAT "router"/gateway function, though it can be configured to be a bridge. They do this because most existing homes don't have cat5 Ethernet wiring in convenient places, while many/most have TV coax. Verizon used to run one cat5 drop from the ONT to a reasonable inside location, and retrofit-wiring that turned out to take more time and more labor than every other part of the FIOS install put together - a big drain on VZ's techs. So they went to this MoCA coax kluge to save $$.

If you've got - or can get - cat5 Ethernet wiring straight to where the ONT is and can plug directly into the 10/100 port on it, you'll get rid of a lot of complex pieces that create ways to fail.

The one wrinkle in all of this is that the provisioning profile for the ONT tells it which port to light up and bridge the BPON data VC to. As far as I can tell, it's a mutually exclusive choice of the MoCA coax port and the 10/100 Ethernet port. So basically, you can plug a wire in right now - but it's not going to go anywhere. You need to get the Verizon techs to change the provisioning on your ONT to switch it to use the real Ethernet port rather than the MoCA. They will do it for you if you ask the right people, but like everything with VZ, getting the right people can be challenging. Again, check the dslreports.com FIOS forum for more info.

I believe that once you do that, you'll be a lot happier. Your stuff will probably work after that with no new gear needed. Even if it doesn't, you're still probably better off avoiding the whole MoCA/Actiontec setup.
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Word files, Excel Files, Accounting Software Files, QuickBooks Files, Tax Software Files etc.

That is what we need to access in the office

Each person's home (where they will work from using the VPN or what have you) has several computers in it for all parties to use.

Example would be my home -- On Verizon DSL with a wired computer (me), 3 Wireless Laptops (wife, 2 kids), and an XBOX hooked up to it.

Currently I use the SNAP VPN Software on my end to tunnel into the SNAP VPN device in the office. I then go to start, run, then type in the IP address of the Server in the office. Map it to a drive on my machine and boom I am ready to roll.

I run any program I need locally on my machine but point the program to this Mapped Drive to retrieve, save etc the data.

Been working fairly well with no ill effects to the office until we switched to FIOS. Once we got FIOS the VPN worked MUCH BETTER due to speed but office internet capability dropped like a rock.


At the moment the SNAP device is removed 100% from the system (I bricked it trying to get the VPN set up ... ooops --- they are sending me a new box on Monday) and we are SUPER FAST in the office (internet wise). This is what we need for the online services we access and use everyday all day. This is also how we communicate with IRS and the State Tax Departments as well to retrieve and submit e-file information.


Now we just need to be able to access the data in the office from home.


Is a VPN not the best, fastest, and safest way to do this?

Greg
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Originally posted by: GCS
Sorry I did not catch that in your post.

We have a cream colored box that has a battery in it (ie a UPS) and a standard Cat 5 cable is going from that to our modem then to the snap box then to the switch in our network.

No COAX here as we have no FIOS TV service in the office (TV is on Comcast)

Greg

Ok, disconnect the actiontec from the picture and try going directly to your Snap box (Cat5 cable from ONT/cream colored box to your WAN or internet port of your Snap Box).

I assume your snap box is a firewall/vpn router? If so, that should take care of it. Again, the actiontec is a piece of crap. If your snap box is NOT a firewall/router then look at getting another 3rd party router and putting that in place of the actiontec and the snap box behind it with the necessary ports forwarded to it for VPN
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Originally posted by: cmetz
GCS,

>Hmmm ... so connect my network cable direct to the box on the wall and bypass the modem completely?

Yes, exactly this. Verizon's default setup these days is to have the ONT bridge the BPON data VC to a MoCA coax cable, then that goes to the Actiontec router which provides a PAT "router"/gateway function, though it can be configured to be a bridge. They do this because most existing homes don't have cat5 Ethernet wiring in convenient places, while many/most have TV coax. Verizon used to run one cat5 drop from the ONT to a reasonable inside location, and retrofit-wiring that turned out to take more time and more labor than every other part of the FIOS install put together - a big drain on VZ's techs. So they went to this MoCA coax kluge to save $$.

If you've got - or can get - cat5 Ethernet wiring straight to where the ONT is and can plug directly into the 10/100 port on it, you'll get rid of a lot of complex pieces that create ways to fail.

The one wrinkle in all of this is that the provisioning profile for the ONT tells it which port to light up and bridge the BPON data VC to. As far as I can tell, it's a mutually exclusive choice of the MoCA coax port and the 10/100 Ethernet port. So basically, you can plug a wire in right now - but it's not going to go anywhere. You need to get the Verizon techs to change the provisioning on your ONT to switch it to use the real Ethernet port rather than the MoCA. They will do it for you if you ask the right people, but like everything with VZ, getting the right people can be challenging. Again, check the dslreports.com FIOS forum for more info.

I believe that once you do that, you'll be a lot happier. Your stuff will probably work after that with no new gear needed. Even if it doesn't, you're still probably better off avoiding the whole MoCA/Actiontec setup.

Ahhh okay. Yeah I had done some research (back when we got FIOS) on how to get the Actiontec into Bridge mode and EVERYTHING that I read was do this and that because of COAX. Of course none of that applied to me since I have no COAX.


Looking at the box (in the building) the CAT5 wire is stripped and wired directly to the UPS box (no port). The outside box has ports on it as the tech showed it to me yesterday as a way of monitoring the system (from pole to building basically).

I guess I would need to plug into the port outside and then get the techs to reprovision me for this setup.

Would simply putting a coupler on the hardwired CAT5 cable and then plugging in my existing cable to my switch work as well?

Thanks -- you guys are being great with this networking challenged noob!!

Greg
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
Originally posted by: kevnich2
Originally posted by: GCS
Sorry I did not catch that in your post.

We have a cream colored box that has a battery in it (ie a UPS) and a standard Cat 5 cable is going from that to our modem then to the snap box then to the switch in our network.

No COAX here as we have no FIOS TV service in the office (TV is on Comcast)

Greg

Ok, disconnect the actiontec from the picture and try going directly to your Snap box (Cat5 cable from ONT/cream colored box to your WAN or internet port of your Snap Box).

I assume your snap box is a firewall/vpn router? If so, that should take care of it. Again, the actiontec is a piece of crap. If your snap box is NOT a firewall/router then look at getting another 3rd party router and putting that in place of the actiontec and the snap box behind it with the necessary ports forwarded to it for VPN

SNAP box is a firewall router. It supposedly is done by the same people that do the encryption for ATMs (who knows).

Based on the above comments from cmetz I'll need to contact Verizon to reprovision me for this setup (ie no modem) and go from there.

I'll still need to wait for the new SNAP box since I killed it yesterday but if this works it would certainly fix things for us (I think). Only question would be is the SNAP box going to slow us down (ie is it also the culprit in our slow internet along with the bad modem we did have).

Greg
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: GCS
Is a VPN not the best, fastest, and safest way to do this?
There is no single "best" solution. For small files, a VPN works well. For large files and databases, it's usually better to use Terminal Services and, essentially, run application software on a Terminal Server at the office. It's a lot faster and requires very low bandwidth.

Be aware that a VPN essentially takes your home PC and puts it directly on your office network. That means if somebody at home has acquired a worm or virus, it can make all the office PCs accessible to the malware attack. Manage your internal network structure appropriately, keep all OSes and applications up-to-date and patched, use firewalls on your internal PCs, and be sure that both internal and external PCs have Anti-Virus/Anti-Spyware software running.
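The warning above is the one that matters most for an accounting firm, and the usual answer is to not give the tunnel "the whole office" in the first place. Here is an added example (editor's addition, not code from anyone in this thread) that models the per-user ACL a VPN gateway can apply to a remote-access tunnel (on a Cisco ASA that is the vpn-filter on the group policy; check Cisco's docs for the exact ACL syntax and direction) and replays a worm-style scan from a home PC against the office LAN under both a "full access" and a least-privilege policy. All addresses are hypothetical: VPN pool 192.168.200.0/24, office LAN 192.168.10.0/24, file server 192.168.10.5.

```python
"""Least privilege for remote-access VPN clients (added example).

Not code from the thread. Models a first-match ACL of the kind a VPN
gateway applies to each tunnel and shows what a worm on the home PC can
reach through it. All addresses are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port


def parse_rule(text: str) -> Rule:
    """Parse 'permit tcp 192.168.200.0/24 192.168.10.5/32 445' (port optional)."""
    parts = text.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {text!r}")
    action, proto, src, dst = parts[:4]
    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First matching rule wins; no match means deny, as on a real firewall."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if rule.proto not in ("ip", proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action == "permit"
    return False


# What "just a VPN" gives you: the home PC is a full member of the office LAN.
FULL_ACCESS = [parse_rule("permit ip 192.168.200.0/24 192.168.10.0/24")]

# What the firm actually needs: SMB to the one file server, nothing else.
LEAST_PRIV = [
    parse_rule("permit tcp 192.168.200.0/24 192.168.10.5/32 445"),
    parse_rule("deny ip 0.0.0.0/0 0.0.0.0/0"),
]


def reachable_hosts(acl: List[Rule], client: str = "192.168.200.10",
                    lan: str = "192.168.10.0/24", proto: str = "tcp",
                    port: int = 445) -> List[str]:
    """Office hosts a worm on the VPN client could hit on proto/port through this ACL."""
    return [str(h) for h in ipaddress.ip_network(lan).hosts()
            if evaluate(acl, client, str(h), proto, port)]


if __name__ == "__main__":
    for name, acl in (("full access", FULL_ACCESS), ("least privilege", LEAST_PRIV)):
        hosts = reachable_hosts(acl)
        more = " ..." if len(hosts) > 3 else ""
        print(f"{name}: a worm scanning 445/tcp reaches {len(hosts)} office host(s): {hosts[:3]}{more}")
```

Under the full-access policy every host on the office /24 answers the scan; under the least-privilege policy only the file server's SMB port does, and RDP, NetBIOS and everything else from the infected home PC is dropped at the gateway. Pair this with split tunnelling limited to the file server, so the home PC's ordinary browsing never transits the office at all.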
 

GCS

Diamond Member
Oct 16, 1999
4,898
0
71
All computers anywhere use A/V and spyware removal programs.

Thanks

Greg