Vpn and router...why?

Dark

Senior member
Oct 24, 1999
Hi, I've read a lot about VPN and I can't understand why the router connected to the LAN needs to support VPN. Considering the principle of tunneling, it seems to me that the "de-encapsulation" process is done at the VPN server. The router sees just the protocol it is used to. I know I'm missing something here.
I've read the article on practicallynetworked and a bunch of white papers from MS, but that particular issue is still bugging me.
Thx for helping :)
 

Xanathar

Golden Member
Oct 14, 1999
There are a couple of different VPN methods... You are thinking about a client using the built-in VPN software, or Secure Remote, where the end user initiates an encrypted connection.

However, the router can also start an encrypted connection, and all information passing through it is sent to the end server or another router. This makes encryption mandatory and transparent to the clients.

A common use for this is people configuring routers with point-to-point encrypted lines between offices (secure by nature) and then, as a backup link, setting the ROUTER to start a VPN connection over the internet with another router in the other office. This provides a secure backup link in case the first goes down.
 

Dark

Senior member
Oct 24, 1999
Thx Xanathar. I'll try a practical case to see if I can clear things up. Let's say I set up a Win2k VPN server and Win2k Pro as a VPN client. The server will be connected to the Ent LAN and behind the router. In this case, if I understood u, the router won't need to support VPN cos the encryption is initiated by the client, or should it support "server passthru"?? Then, if the admin doesn't set the router to initiate the VPN connection, there is no need for a VPN-supporting router?
That server passthru thingy is driving me nuts... why isn't the process transparent to the router if tunneling is used? That's the question :( Furthermore, does the mapping of the TCP or UDP port 1723 permit a connection to a VPN server behind ANY router, VPN-supporting or not?

What about the ISP? Does it have to support GRE? What is the minimum requirement to set up a VPN then?
Many questions, but bear with me plz ;)
 

Santa

Golden Member
Oct 11, 1999
Correct me if I'm wrong. I do believe a VPN-ready or VPN-capable router just basically means it can set up the session itself without a server, whereas with some routers that do not have this feature (not supported) you will need to port map yourself.

My friend and I are trying to configure a VPN server inside a firewall/router and it has been a headache and a half, for the port mappings are not working or not configured correctly.

Being at my house and setting up a NAT server with the software package Sybergen Access Server, I read that it "supported" certain packages of VPN. After digging around in the setup and configuration files I found what their "supported" meant. It just meant that they preconfigured the port mappings to work correctly right out of the box, and I am assuming this is perhaps the meaning of some of the routers with "VPN support".

I too am curious about this topic. If someone who is more knowledgeable about this were to shed some light, it would be most appreciated :)

 

CTR

Senior member
Jun 12, 2000
For one thing, you can do a VPN between routers instead of between client and server. Less overhead on your client and server that way.
 

Xanathar

Golden Member
Oct 14, 1999
Dark, I think what you are referring to is VPN Passthrough, which is simply the NAT box supporting the VPN redirection for clients. Almost all NAT operations support this nowadays, but there are still some out there which don't handle the redirected and encrypted information properly. Very similar to passive FTP, some NAT implementations screw it up.

The router itself is NOT doing VPN; however, if it is doing NAT, it DOES need to properly translate it. This is common, where some NAT doesn't support it at all, some only supports 1 VPN client behind it, and some support as many as you like. For running a VPN SERVER behind a router/firewall/NAT box, all you need to ensure is that the proper ports are forwarded; as long as the box supports port forwarding, it will work.
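
To illustrate the "only 1 VPN client behind it" behaviour described above, here is an added example that is not part of the original thread. It assumes PPTP (the TCP 1723 control channel plus GRE data packets raised earlier in the thread) and models two hypothetical NAT classes: GRE has no port numbers, so a NAT that keys on the server address alone can serve one inside client, while one that reads the Call ID from the enhanced GRE header (RFC 2637) can separate several. All addresses and Call IDs are constructed.

```python
import struct

PPTP_GRE_TYPE = 0x880B  # enhanced GRE (RFC 2637) protocol type, carries PPP

def build_gre(call_id, payload=b""):
    """Minimal enhanced GRE header: K bit set, version 1, no seq/ack fields."""
    return struct.pack("!HHHH", 0x2001, PPTP_GRE_TYPE, len(payload), call_id) + payload

def parse_call_id(gre):
    """Return the Call ID of a PPTP GRE packet, or None if it is not PPTP GRE."""
    if len(gre) < 8:
        return None
    flags, proto, _plen, call_id = struct.unpack("!HHHH", gre[:8])
    if proto != PPTP_GRE_TYPE or (flags & 0x0007) != 1 or not flags & 0x2000:
        return None
    return call_id

class NaiveNat:
    """Hypothetical NAT that tracks GRE by remote IP only (no ports to key on)."""
    def __init__(self):
        self.table = {}
    def outbound(self, inside_ip, server_ip, call_id):
        self.table[server_ip] = inside_ip  # a later client overwrites the earlier one
    def inbound(self, server_ip, gre):
        return self.table.get(server_ip)

class PptpAwareNat:
    """Hypothetical NAT that tracks GRE by (remote IP, Call ID).
    Assumption: the client's Call ID was learned from the TCP 1723 control channel."""
    def __init__(self):
        self.table = {}
    def outbound(self, inside_ip, server_ip, call_id):
        self.table[(server_ip, call_id)] = inside_ip
    def inbound(self, server_ip, gre):
        # Inbound GRE carries the Call ID of the peer it is destined to.
        return self.table.get((server_ip, parse_call_id(gre)))

def deliver(nat):
    """Two constructed inside clients tunnel to one server; return who gets each reply."""
    server = "203.0.113.5"
    nat.outbound("192.168.1.10", server, call_id=100)
    nat.outbound("192.168.1.11", server, call_id=200)
    return [nat.inbound(server, build_gre(cid, b"ppp")) for cid in (100, 200)]

if __name__ == "__main__":
    print("naive NAT:     ", deliver(NaiveNat()))
    print("PPTP-aware NAT:", deliver(PptpAwareNat()))
```

With the naive table both replies go to the last client that connected, which is why a second user's tunnel stalls on such boxes.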
 

Dark

Senior member
Oct 24, 1999
Xanathar: dude, that answered EXACTLY my question. Now I see why I was confused.
Thx for ur great help everyone.