WRV54g tunneled through home router

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Oct 13, 2006.

  1. ed001

    ed001 Network Guru Member

    My next project is to set up a tunnel from a manager's home office to the corporate office. As we need to keep that corporate network very secure, I have to keep things locked down pretty tight at the manager's home office.
    He will have a dedicated computer needing access only to the file server, database server and one SSL-secured website. I will be locking that machine down from the BIOS on up.
    My question is (because I have never done this): can I just set up the 54 inside his (personal) home router and tunnel out through it? I figure it should work as long as I forward port 500 and set IPSEC passthrough on his personal router.
    Am I wrong?
    Are there any other concerns I should be exploring?

    Locking the machine down won't be a problem, but I don't trust anyone using a router connected to the corporate environment via tunnel as their personal network. This way I can lock down the 54 and tunnel all traffic safely through his personal network. Who knows what he might be doing on his personal network. And yes, I know I could restrict the tunnel access to one IP, but without some assurance like 802.1x it's still too risky. I usually lock employees out of cmd and network settings and use an obscure subnet 30-bit scheme to reduce their ability to just plug another machine in and guess the settings. Not perfect, but it keeps normal users at bay.
     
  2. ifican

    ifican Network Guru Member

    I am trying to draw a mental picture of what you are trying to do. Where does the corporate machine in the home office sit? And is the 54g you are discussing also giving internet access to other inside hosts? What VPN are you going to use?
     
  3. ed001

    ed001 Network Guru Member

    Sorry, my explanation is a little vague. You ever have that happen, when you have a picture in your head, you type your post and it makes sense to you, only you?

    _____[[-------VPN Tunnel--------]]_____
    S1 >> R1 >> (Internet) << R2 << R3 << N1
    .....................................^..................
    ..........................N2, N3, N4, etc...........

    S1 Corporate servers
    R1 VPN endpoint router
    R2 His personal wireless router with IPsec passthrough on and port 500 forwarded to R3
    R3 WRV54g tunneled to R1
    N1 Corporate PC with all the apps he needs.
    N2-etc. personal devices

    Note: In this scenario I am able to tunnel to the corporate office, lock down and protect N1 from anything he does on his personal network, and not impact his personal use of his own network. Basically the only unencrypted traffic traversing his personal router is Windows updates.

    Thanks
     
  4. ifican

    ifican Network Guru Member

    Yes, I know the feeling about typing and understanding completely what you want to convey but no one else does. Yes, that should work; the only potential issue I see, well, two of them: 1) make sure you forward port UDP 4500, which is used for NAT-T (IPsec tunnels terminating behind a NAT router). Now, depending on how you set up routing, R3 is going to default all outbound internet traffic to R2. You will have to be very careful about how you set up the 54g so if the tunnel goes down he doesn't automatically get internet from R2. Also, from my experience (and I have never played with that specific router), running HTTP across the tunnel has been extremely slow at best. I know there are plenty of others that have run this setup as well; we should hear from them before too long.
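The two points ifican raises, the missing UDP 4500 forward for NAT-T and the fail-open default route from R3 to R2 when the tunnel drops, are both things you can check against a written-down config before touching the routers. The following is an added example, not code from the thread or from Linksys: it models R2's port-forward table and R3's egress policy as small Python records (the rule format, the host names N1/R3 and the address 192.168.1.2 are constructed for illustration) and reports what is missing or what would leak in the clear with the tunnel down.

```python
"""Config sanity checks for an IPsec endpoint (R3) sitting behind a NAT router (R2).

Added example for the thread above; the rule format and sample values are
constructed, not taken from any real router.
"""
from dataclasses import dataclass

# IKE negotiates on UDP 500; once a NAT is detected both peers move to UDP 4500
# (NAT-T) and carry ESP inside UDP there.  Both must reach R3 through R2.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}


@dataclass(frozen=True)
class Forward:
    proto: str
    port: int
    dest: str  # inside address R2 forwards to (R3's WAN side)


def missing_ipsec_forwards(forwards, r3_addr):
    """Return the (proto, port) pairs R2 still needs to forward to r3_addr."""
    present = {(f.proto.lower(), f.port) for f in forwards if f.dest == r3_addr}
    return sorted(REQUIRED_FORWARDS - present)


@dataclass(frozen=True)
class EgressRule:
    src: str     # host behind R3, or "any"
    dst: str     # "corp", "windows-update", or "any"
    via: str     # "tunnel", "wan" (R3's default route to R2), or "any"
    action: str  # "allow" or "deny"


def egress_action(rules, src, dst, tunnel_up):
    """First-match evaluation of R3's egress policy, implicit default deny.

    Corporate destinations only use the tunnel while it is up; otherwise the
    default route sends them out of R3's WAN port to R2 in the clear.
    """
    via = "tunnel" if (tunnel_up and dst == "corp") else "wan"
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.via in (via, "any"):
            return r.action
    return "deny"


def clear_text_leaks(rules, host, clear_allowed=("windows-update",)):
    """Destinations host can reach via R2 in the clear with the tunnel DOWN,
    excluding the ones deliberately allowed (here: Windows Update).
    An empty list means the policy fails closed."""
    leaks = []
    for dst in ("corp", "windows-update", "any"):
        if egress_action(rules, host, dst, tunnel_up=False) == "allow" and dst not in clear_allowed:
            leaks.append(dst)
    return leaks


# --- constructed sample configs -------------------------------------------
R3_ADDR = "192.168.1.2"  # constructed: R3's WAN address on R2's LAN

# ed001's stated plan: only port 500 forwarded.
R2_FORWARDS_PLANNED = [Forward("udp", 500, R3_ADDR)]
R2_FORWARDS_FIXED = R2_FORWARDS_PLANNED + [Forward("udp", 4500, R3_ADDR)]

# A loose R3 policy: corp over the tunnel, everything else out the default route.
LOOSE_POLICY = [
    EgressRule("N1", "corp", "tunnel", "allow"),
    EgressRule("N1", "any", "wan", "allow"),
]
# A tightened R3 policy: corp over the tunnel only, Windows Update in the clear,
# explicit deny for everything else so a dropped tunnel cannot fail open.
TIGHT_POLICY = [
    EgressRule("N1", "corp", "tunnel", "allow"),
    EgressRule("N1", "windows-update", "wan", "allow"),
    EgressRule("N1", "any", "any", "deny"),
]


def report(forwards, policy, host="N1"):
    """Summarise both checks for one (R2 forwards, R3 policy) pair."""
    return {
        "missing_forwards": missing_ipsec_forwards(forwards, R3_ADDR),
        "leaks_with_tunnel_down": clear_text_leaks(policy, host),
        "corp_reachable_with_tunnel_up": egress_action(policy, host, "corp", True) == "allow",
    }


if __name__ == "__main__":
    print("planned:", report(R2_FORWARDS_PLANNED, LOOSE_POLICY))
    print("fixed:  ", report(R2_FORWARDS_FIXED, TIGHT_POLICY))
```

Run as-is, the "planned" line shows UDP 4500 missing and both "corp" and "any" leaking out R2 when the tunnel is down; the "fixed" line shows nothing missing and no leaks while corporate access still works with the tunnel up. The explicit final deny in the tightened policy is the important part: with only a default route, R3 cannot tell a dropped tunnel from normal internet traffic, so the deny has to be there before the tunnel is relied upon.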
     