Multiple VPN Connections?

Iztok Umek iztok at si-con.com
Tue Feb 8 09:49:59 EST 2005


> I am a newcomer to using VPN in any environment other than the Windows
> desktop, so please forgive my ignorance.

VPN is just a form of network. It is just Virtual and Private ;)


> Assume we are talking about IPSec VPN connections that may be from
> different, non-interoperable VPN solution vendors.  Also assume we are
> using non-public IP addresses (10.x.x.x) in our production environment and
> that this is also the case on the remote networks.  In short, assume all
> the worst possible conditions and that we have no control over the remote
> networks.

If both sides are using the same, you need to NAT to a public IP 
address first, then VPN. No way around it, as if the host appears to be local, 
it simply won't work. Routing has to take place.

If both sites support IPSec then you should be able to establish a 
site-to-site VPN w/o major issues. Most vendors have so-called 
"interoperable" devices supported. IPSec is a good standard. I had various 
combinations of FreeSWAN, CheckPoint, Cisco ... VPNs (all speak IPSec) 
working in the past.

> What are the essential steps/components to establishing and maintaining
> multiple client VPN connections on a Windows host that is functioning as
> an Apache-Tomcat web application server with applications that need
> real-time access to database servers on the remote networks?

You should not think of it as client VPN. You should think of it as 
site-to-site VPN. A network gateway for this. Otherwise you will end up in a 
mess. Most clients can't talk to other vendors and/or even coexist on the 
same machine.

> Do we need to go to each VPN solution vendor for client side software?

No, as I stated earlier, you need to have a peer network VPN.

> Do we need gateway hardware/software that will provide connection
> isolation and address translation?

A VPN gateway is a must for such an installation.

> Can you recommend good sources for further research on these or other
> questions?

Yes, your VAR should be able to help with it. If you can't find one that 
will fit, I can either suggest one to you or (shameless commercial plug here, 
sorry) I can architect a solution for you.

Your solution might be simple or a major network architecture has to be done 
and implemented. It just depends on input variables. Hard to tell with the 
limited info you provided.

Sincerely,
    Iztok 
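
Added example, not part of the original message: a planning check for the overlap problem discussed above. It flags each remote network that collides with the local 10.x range or with another remote site and assigns it a translated alias block, so routing can take place. The function name, site names, networks and the translation pool (a documentation range standing in for public addresses) are all assumptions.

```python
import ipaddress

# Constructed sample data: hypothetical sites, not taken from the thread.
SAMPLE_LOCAL = "10.1.0.0/16"
SAMPLE_SITES = {
    "vendorA": "10.1.5.0/25",        # collides with the local network
    "vendorB": "192.168.50.0/24",    # unique, can be routed as-is
    "vendorC": "192.168.50.128/26",  # collides with vendorB
}
SAMPLE_POOL = "198.51.100.0/24"      # TEST-NET-2, stand-in for public space

def plan_vpn_nat(local_cidr, remote_sites, nat_pool_cidr):
    """Decide per tunnel whether the remote network can be routed directly
    or needs a 1:1 translated alias because its addresses are ambiguous."""
    local = ipaddress.ip_network(local_cidr)
    pool = ipaddress.ip_network(nat_pool_cidr)
    routed = []                       # remote networks routed without NAT
    next_addr = int(pool.network_address)
    plan = {}
    for name, cidr in remote_sites.items():
        remote = ipaddress.ip_network(cidr)
        clashes = [n for n in [local] + routed if remote.overlaps(n)]
        if not clashes:
            routed.append(remote)
            plan[name] = {"nat": False, "route": str(remote)}
            continue
        # Carve an equally sized, aligned block out of the pool so each
        # remote host gets exactly one translated address.
        size = remote.num_addresses
        start = -(-next_addr // size) * size   # round up to block alignment
        if start + size - 1 > int(pool.broadcast_address):
            raise ValueError(f"NAT pool exhausted while mapping {name}")
        alias = ipaddress.ip_network((start, remote.prefixlen))
        next_addr = start + size
        plan[name] = {
            "nat": True,
            "real": str(remote),
            "route": str(alias),               # what local hosts connect to
            "clashes_with": [str(c) for c in clashes],
        }
    return plan

if __name__ == "__main__":
    for site, entry in plan_vpn_nat(SAMPLE_LOCAL, SAMPLE_SITES, SAMPLE_POOL).items():
        print(site, entry)
```

The application server would then address a colliding site's database hosts through the alias block, and the gateway would translate on the way into that site's tunnel.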


