SmoothWall SmoothTunnel VPN Mgr
The SmoothTunnel VPN Gateway module adds a comprehensive set of VPN features to the Corporate Server firewall. SmoothTunnel provides support for both mobile users with laptop PCs (what we call a Road Warrior) and site-to-site (network to network) VPNs. Road Warriors can use either the Layer 2 Tunnelling Protocol (L2TP) client built into Windows or an additional IPSec VPN client. SmoothTunnel can interoperate with most VPN systems from other vendors.

SmoothTunnel supports both x509 Certificate and Pre-Shared Key (PSK, Shared Secret) Authentication, 3DES, AES and several other encryption algorithms, and Dynamic IP Addresses. Five (5) VPN tunnels can be configured as standard; for additional tunnels it is necessary to purchase additional SmoothConnection licence packs. SmoothTunnel is normally configured as the Certificate Authority and can generate self-signed x509 certificates, avoiding the prohibitive recurring costs associated with the licensing of certificates from an outside Certificate Authority.



There are three options for the remote end of a VPN tunnel:

If only a single remote computer (such as a mobile laptop/notebook PC or a home worker's PC) needs to connect to the VPN Gateway (SmoothTunnel), we class this as a "Road Warrior" connection. The remote user would normally use the L2TP software included in Windows 2000 and XP (a free client for Windows 98/ME/NT is available to download from Microsoft). Alternatively an IPSec VPN client can be used; SmoothWall recommends and supplies the SafeNet SoftRemote IPSec VPN client for Microsoft Windows, which works well and is about the easiest of the IPSec clients to set up. Several other IPSec clients will work with SmoothTunnel and their set-up is documented in the SmoothTunnel manual, although we can only provide technical support for SoftRemote. Equinux produce the VPN Tracker IPSec client for Macs. L2TP is much simpler to configure than IPSec and does not require the installation or purchase of client software on the user's PC. SmoothWall provides a Wizard program for Windows 2000 and XP that makes installing the x509 certificates and configuring the VPN connection a simple two-minute task that most Microsoft Office users with no technical knowledge can complete without difficulty.

If there are multiple PCs at the remote site that need to use the VPN connection then we class this as a "Site to Site" VPN; the remote network will need a Corporate Server installed with the SmoothNode module. This provides 1 VPN tunnel from the remote office to a VPN Gateway (e.g. a SmoothTunnel Gateway at the Central (Main) office). All the PCs at the remote office can use the VPN tunnel to reach the network served by the VPN Gateway; any number of PCs can connect down the one tunnel.

However, if the remote office needs multiple VPN tunnels (i.e. to more than one location), or it needs to support its own Road Warrior connections, then SmoothTunnel would be needed instead of SmoothNode.

The SmoothTunnel and SmoothNode VPN Add-On modules for Corporate Server both support dynamic IP addresses. The SmoothTunnel VPN gateway does this by using a Dynamic DNS name service (e.g. DynDNS.org). SmoothNode, which is used at the remote end of a site-to-site VPN connection, is often used with a dynamic address provided by the ISP, and a dynamic IP address is normal for most Road Warrior VPN connections from laptop/notebook PCs. SmoothNode is normally configured to initiate the VPN connection, so it connects to the IP address or Dynamic DNS name of the SmoothTunnel gateway; hence SmoothTunnel does not have to be configured with SmoothNode's external IP address. There is no need to configure any external router or gateway information, as this is determined automatically by the software.

The use of a Dynamic DNS name by SmoothTunnel permits the use of Corporate Server's fail-over to a PPP connection facility. If a DSL line should fail, clicking the Fail-over button causes the Corporate Server to switch to a pre-configured PPP connection (e.g. ISDN). The Dynamic DNS name service re-registers the name with the new IP address of the PPP (ISDN) connection, so the remote VPN nodes and Road Warriors can re-establish their VPN connections without having to reconfigure anything.

SmoothTunnel allows 5 VPN tunnels (connections) to be configured as standard. For additional VPN tunnels order SmoothConnection License packs as required. An individual tunnel (connection) is configured for each Road Warrior user, as this allows:

  • Each Road Warrior tunnel to be given a name (typically the person's name) so its status (up/down) can be viewed/managed
  • Each Road Warrior to be issued with their own x509 certificate, so that if the person leaves the organisation their certificate can be revoked (deleted) to deny them VPN access without affecting any other users
  • An IP address to be allocated on the local protected (green) network for each Road Warrior tunnel - so for routing purposes the user appears to be on the local network and not remote.

SmoothTunnel allows individual VPN tunnels to be managed (e.g. enabled/disabled), and the use of x509 certificates allows temporary (limited life) certificates to be issued, so that for instance temporary VPN access can be provided for a few days/weeks/months, after which time the certificate expires and prevents further VPN access unless a new x509 certificate is used.

SmoothTunnel supports what we call "Remote Gateway" mode, in which all traffic from the remote VPN location, be that a branch office (running Corporate Server + SmoothNode) or a single-user mobile/laptop PC (a Road Warrior), is routed via the VPN Gateway (e.g. SmoothTunnel) rather than directly to the Internet from the local connection. This allows organisations to enforce central site policies such as Web Content Filtering and Anti-Virus upon their remote users.

Although we say that Corporate Server will run on most Pentium class machines, in the case of a SmoothTunnel VPN gateway we normally recommend that the machine specification meets or exceeds a Pentium III 500 MHz with 64 MBytes of RAM and 4 GBytes of disk. Such a machine should be able to support 50 VPN connections. Reputable (branded) Ethernet cards are also strongly recommended (e.g. Intel).

The netmasks used to configure SmoothTunnel and SmoothNode decide whether remote networks can access each other. For example, a Head Office (A) has a network address of 192.168.10.0, a second (remote) office (B) has a network address of 192.168.20.0 and office (C) uses a network address of 192.168.30.0. A netmask of 255.255.255.0 would allow B to access A but stop B from accessing C, whereas 255.255.0.0 would allow B to access C (and A), and also C to access B (and A). Likewise the network addresses and netmasks can be configured to permit only certain computers at a remote site to access the VPN; for example, a home worker's computer can access the VPN while any family PCs used by their children cannot.

For a site-to-site VPN the system can be configured so that all Internet traffic from the remote site is forced to pass down the VPN. The main reason for doing this is to enforce the same security policies at a remote office as are employed at Head Office, such as server-based anti-virus.
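The two preceding passages (the netmask example with offices A, B and C, and forcing all remote traffic down the VPN) both come down to one question: does a destination address fall inside the network/netmask pair configured for a tunnel? The following is an added example, not SmoothWall code, that answers that question with Python's standard ipaddress module. The office network addresses and netmasks are the ones given above; the sample host addresses, the 192.168.1.x home network and the 203.0.113.7 Internet address are constructed for the example.

```python
# Added example (not SmoothWall/SmoothTunnel code): how the netmask on a tunnel's
# remote-network definition decides which destinations are carried by the tunnel.
import ipaddress

# Constructed sample hosts, one per office from the page's A/B/C example.
SITES = {
    "A": "192.168.10.5",   # Head Office, network 192.168.10.0
    "B": "192.168.20.5",   # remote office B, network 192.168.20.0
    "C": "192.168.30.5",   # remote office C, network 192.168.30.0
}


def tunnel_selects(remote_network: str, netmask: str, dest_ip: str) -> bool:
    """True if dest_ip lies inside remote_network/netmask, i.e. the tunnel
    configured with that remote network would carry traffic to dest_ip.
    strict=False lets a host address such as 192.168.1.10/32 be given directly."""
    net = ipaddress.ip_network(f"{remote_network}/{netmask}", strict=False)
    return ipaddress.ip_address(dest_ip) in net


def reachable_sites(tunnels, sites=SITES):
    """Given the (remote_network, netmask) pairs configured on one site's
    tunnels, return the names of the sites whose hosts those tunnels reach."""
    return {name for name, ip in sites.items()
            if any(tunnel_selects(net, mask, ip) for net, mask in tunnels)}


def office_b_examples():
    """Office B's tunnel to Head Office A, with the two netmasks from the page."""
    narrow = reachable_sites([("192.168.10.0", "255.255.255.0")])  # only A
    # A /16 remote network covers 192.168.0.0-192.168.255.255, so C (and B's own
    # subnet, which the local-network route normally takes precedence over)
    # are selected as well as A.
    wide = reachable_sites([("192.168.10.0", "255.255.0.0")])
    return narrow, wide


def home_worker_examples():
    """A home worker's local network defined as a single host (/32) admits that
    PC only; a family PC on the same LAN is outside the tunnel's local network."""
    worker_pc, family_pc = "192.168.1.10", "192.168.1.20"   # constructed
    return (tunnel_selects(worker_pc, "255.255.255.255", worker_pc),
            tunnel_selects(worker_pc, "255.255.255.255", family_pc))


def remote_gateway_example():
    """Remote Gateway mode: a remote network of 0.0.0.0/0.0.0.0 matches every
    destination, so even Internet traffic is forced down the tunnel."""
    return tunnel_selects("0.0.0.0", "0.0.0.0", "203.0.113.7")   # constructed IP


if __name__ == "__main__":
    print("B /24 vs /16 reaches:", office_b_examples())
    print("home worker (own PC, family PC):", home_worker_examples())
    print("remote gateway carries Internet traffic:", remote_gateway_example())
```

Running the block prints the A-only set for the /24 case and {A, B, C} for the /16 case, illustrating why the page recommends choosing netmasks deliberately: the wider the remote network, the more of the address space is sent across the tunnel.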