On Fri, 25 Mar 2005 16:00:23 GMT, "news.cable.ntlworld.com"
<(E-Mail Removed)> wrote:
>Does the above diagram make any sense?
No. It's an unreadable muddle. Try doing the diagram again, this
time without tabs. My guess is you have TABS=4 spaces set, while most
readers display 8 spaces. You might also want to fill in some of the
missing numbers like make and model of existing equipment, number of
users, approximate bandwidth, and type of internet connection (speed).
You also missed my point about where the VPN is going to be
terminated. Are you going to terminate it at the:
1. Wireless access point
2. Added VPN gateway router between wireless and wired networks.
3. Existing unspecified model Cisco internet gateway router.
4. ISP if they provide the service.
5. Corporate firewall.
Since you want to use a VPN router as a gateway to your home LAN, you
cannot use the existing unspecified model Cisco gateway to control
access. All it currently does is control access to the internet. It
assumes that a user already has access to your LAN. So, you need to
add a VPN router between the insecure wireless network and your secure
wired network. Note that you will have two networks. The wireless
network that's assumed to be insecure, and the protected wired LAN.
The purpose of a (vpn) router is to glue these two networks together.
>My intention is only to allow predefined laptops onto the wireless access
>point and then VPN onto my LAN
How are you going to "allow" only pre-defined users to access your
wireless access point and *THEN* use a VPN to get to your LAN? The
VPN controls access to your wired LAN, not to the wireless WLAN.
Also, one minor problem. Let's pretend that an evil user gets onto
your wireless network by cracking the WEP key but cannot get into your
VPN. There's nothing to stop this evil user from either using your
access point as their private game network repeater, or precipitating
a wireless denial of service attack. Actually, some access points
have "client to client protection" features which will prevent the use
as a client to client repeater. My point is that this evil user is
already on your wireless network even if they did not successfully
authenticate with the VPN router. Methinks it would be best to keep
them off the access point in the first place. However, if you don't
mind hosting a private game network with your access point, then
adding a VPN router should be more than adequate security.
--
Jeff Liebermann
(E-Mail Removed)
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
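Added example, not part of Jeff's post or of any product he mentions: a small policy model of the layout he describes, a VPN gateway sitting between the untrusted wireless segment and the protected wired LAN, plus the access point's "client to client protection" toggle. The addresses, interface names and the choice of IPsec (IKE on UDP 500/4500, ESP) as the tunnel protocol are my assumptions; the post does not name a VPN type. The point it makes concrete is the one in the reply: the gateway only decides what reaches the wired LAN, while what a wireless client can do to the access point or to other wireless clients is decided (or not) at the access point.

```python
"""Policy model of a VPN gateway between an untrusted WLAN and a wired LAN.

Added example, not code from the original post.  All addresses, interface
names and the IPsec assumption are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

WLAN = ip_network("192.168.10.0/24")          # assumed: untrusted wireless segment
LAN = ip_network("192.168.1.0/24")            # assumed: protected wired LAN
GATEWAY_WLAN_ADDR = ip_address("192.168.10.1")  # assumed: gateway's WLAN-side address
IKE_PORTS = {500, 4500}                       # IKE and NAT-T, if the tunnel is IPsec


@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface on the gateway: wlan0, ipsec0, lan0
    src: str
    dst: str
    proto: str            # udp, tcp, esp, icmp
    dport: Optional[int] = None


def gateway_policy(pkt: Packet) -> str:
    """Return 'accept' or 'drop' for a packet arriving at the VPN gateway."""
    dst = ip_address(pkt.dst)

    if pkt.iface == "wlan0":
        # Untrusted side: the only thing a wireless host may talk to is the
        # gateway's own tunnel endpoint.  Direct WLAN -> LAN traffic is refused,
        # as is anything else aimed at the gateway.
        if dst == GATEWAY_WLAN_ADDR:
            if pkt.proto == "udp" and pkt.dport in IKE_PORTS:
                return "accept"
            if pkt.proto == "esp":
                return "accept"
        return "drop"

    if pkt.iface == "ipsec0":
        # Traffic here has already been authenticated and decrypted by the
        # tunnel; it may reach the wired LAN and nothing else.
        return "accept" if dst in LAN else "drop"

    if pkt.iface == "lan0":
        # Trusted side originates freely (replies flow back through the tunnel).
        return "accept"

    return "drop"


def ap_forwards(src: str, dst: str, client_isolation: bool) -> bool:
    """Model of the access point, which the VPN gateway never sees.

    With client-to-client protection on, frames between two wireless clients
    are not relayed; frames to the gateway always are.  Nothing here (and
    nothing in gateway_policy) covers radio-level denial of service, which
    happens below both boxes.
    """
    s, d = ip_address(src), ip_address(dst)
    between_clients = s in WLAN and d in WLAN and d != GATEWAY_WLAN_ADDR
    return not (client_isolation and between_clients)


def evaluate_scenarios() -> dict:
    """Walk a few constructed packets through both models."""
    attacker = "192.168.10.50"   # constructed: a host that joined the WLAN
    server = "192.168.1.10"      # constructed: a file server on the wired LAN
    return {
        # Tunnel set-up to the gateway is the one thing the WLAN may do.
        "ike_to_gateway": gateway_policy(Packet("wlan0", attacker, str(GATEWAY_WLAN_ADDR), "udp", 500)),
        # Direct attempt from the WLAN at the wired LAN: refused by the gateway.
        "direct_smb_to_lan": gateway_policy(Packet("wlan0", attacker, server, "tcp", 445)),
        # The same flow after VPN authentication, arriving via the tunnel.
        "smb_via_tunnel": gateway_policy(Packet("ipsec0", attacker, server, "tcp", 445)),
        # Probing the gateway on a non-VPN port from the WLAN: refused.
        "ssh_to_gateway": gateway_policy(Packet("wlan0", attacker, str(GATEWAY_WLAN_ADDR), "tcp", 22)),
        # Two wireless clients talking through the AP: only the AP can stop it.
        "client_to_client_open": ap_forwards(attacker, "192.168.10.51", client_isolation=False),
        "client_to_client_isolated": ap_forwards(attacker, "192.168.10.51", client_isolation=True),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:28s} {verdict}")
```

Reading the scenarios top to bottom: the gateway accepts tunnel set-up and tunnelled traffic, refuses everything else from the wireless side, and has no say at all in the client-to-client case, which is exactly why the reply suggests keeping unwanted hosts off the access point rather than relying on the VPN alone.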