Tough VPN question...

tmeader (n00b, joined Nov 20, 2003, 23 messages)
What I really need is some product advice. My significant other and I will both be connecting to a VPN at work using Cisco's VPN client 4.03. I've gone ahead and purchased the Netgear WGR614v4 since I wanted wireless G as well. I haven't been able to test this yet though, but I have tested with my Linksys BEFSR41. Both these routers allow for two simultaneous VPN IPsec tunnels, so this isn't my concern. What I'm worried about is the ability to connect to the exact same ENDPOINT through those two tunnels. I've heard reports about the D-Link 624, which also supports multiple IPsec tunnels, that as soon as you connect to the same endpoint with a second VPN connection, the first gets dropped. I haven't been able to find info about this situation ANYWHERE on the internet. Even the support sites for Linksys and Netgear make no mention of VPN endpoints (that you are connecting TO). I'm desperate for some product info for this. Can anyone help me out here?

Thanks in advance.
 
The problem is that most VPN connections to Cisco, say a PIX, are UDP, not TCP. That confuses everyone, so only one connection per IP address. There are ways to accommodate your problem. I'll try to list them from least effort to outside help from your tech folks.

Method 1: Alternate Server IP - Guaranteed to work for 2

If you are connecting to VPN Concentrators, you may have better luck. There is a thing called load balancing. When you connect, does it say load balancing and then shift off to another address?

To find out if you have one address configured and are being "balanced" off to another, compare the name/address in the profile with the IP address listed in the Status/statistics screen. If so, your company may have more than one VPN concentrator and you'll possibly be able to select one IP for yours and another for the SO.

Cost = Free

Method 2: Alternate Protocol - Works for me but...

If you are using a VPN concentrator, you can select TCP with a port of 10000 (the default), and if your tech people did nothing else, it should work if your SO uses the standard (nothing checked under transport). But if your ISP blocks VPN access, they tend to jack with the known VPN ports to force you to buy the commercial service.

Cost = Free

Method 3: Additional Server IP

You will probably have to present a business case to your tech people and this is probably the only working solution for a no-cost solution if you have a PIX at the corporate end. What they will have to do is add an additional IP address to the PIX and configure it as an additional host for VPN. I've never tried this one as I have plenty of gear around to support my habits.

Cost = Case of beer for the tech guy

Method 4: New Firewall/Router

Here's where you spend some real money. You can buy a Cisco PIX to be your router/firewall and configure it as a VPN client, and everything behind your end will have access as a LAN-to-LAN peer connection. This is more elegant, robust, and most expensive. It is also possible with something called a Cisco Hardware Client 3002.

Cost = $400-500 for a PIX 501, 10-user, 3DES bundle

I have demonstrable copies of 1, 2, and 4 working, and I believe I could make 3 work with some time.

Post back if you have any questions or if you get results. With more info, I can fine-tune a solution.
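To illustrate the reply's point that the default UDP/ESP transport allows only one session per peer address behind a consumer NAT box, while Method 1 (a second concentrator address) and Method 2 (TCP encapsulation on port 10000) let two hosts coexist, here is an added toy model of a NAT translation table. It is not from this thread and not any real router's implementation; all hosts, addresses and ports are constructed sample values.

```python
# Added example (not from the thread): a toy model of how a consumer NAT
# router tracks outbound flows. TCP/UDP get port-address translation; ESP
# (IP protocol 50) carries no ports, so the passthrough table can only key on
# the peer address. All addresses below are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Constructed model: PAT for TCP/UDP, IP-only passthrough for ESP."""
    public_ip: str
    flows: dict = field(default_factory=dict)         # (proto, peer, pport, pubport) -> inside host
    esp_sessions: dict = field(default_factory=dict)  # peer ip -> inside host
    next_port: int = 40000

    def open_flow(self, proto, src_ip, src_port, peer_ip, peer_port):
        """TCP/UDP: each inside host gets a distinct public source port, so
        many hosts can reach the same peer IP and port at the same time."""
        pub_port = self.next_port
        self.next_port += 1
        self.flows[(proto, peer_ip, peer_port, pub_port)] = (src_ip, src_port)
        return pub_port

    def open_esp(self, src_ip, peer_ip):
        """ESP passthrough keyed on peer address only: a second inside host to
        the same peer takes over the mapping. Returns the host that lost it."""
        previous = self.esp_sessions.get(peer_ip)
        self.esp_sessions[peer_ip] = src_ip
        return previous if previous not in (None, src_ip) else None


def run_scenarios(me="192.168.1.10", so="192.168.1.11", peer="203.0.113.10"):
    """Two inside hosts (you and your SO) behind one router, same endpoint."""
    nat = NatRouter(public_ip="198.51.100.7")
    # Default transport: IKE on UDP 500 is modelled as an ordinary UDP flow,
    # but the ESP session cannot be disambiguated and the first host loses it.
    nat.open_flow("udp", me, 500, peer, 500)
    nat.open_flow("udp", so, 500, peer, 500)
    nat.open_esp(me, peer)
    dropped = nat.open_esp(so, peer)
    # Method 1: a second concentrator address gives each ESP session its own key.
    nat.open_esp(me, "203.0.113.20")
    # Method 2: TCP encapsulation to port 10000 is an ordinary TCP flow.
    p1 = nat.open_flow("tcp", me, 51000, peer, 10000)
    p2 = nat.open_flow("tcp", so, 51001, peer, 10000)
    return {"esp_dropped": dropped, "esp_holders": dict(nat.esp_sessions),
            "tcp_ports_distinct": p1 != p2}
```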
 