Securing the Perimeter
Security is a huge headache with VPNs. The minute a compromised machine tunnels in, your network is likely to be compromised too, unless that machine is isolated and restricted and countermeasures are in place. Treat the VPN client address range as untrusted: let it reach only the servers and ports remote users actually need, and block it from everything else, including other VPN clients. In addition to limiting the damage that one bad egg can do, make sure that anyone tunneling in has antivirus software, a software firewall that keeps both inbound and outbound mischief contained, and, if needed, a router that supports IPsec (or PPTP) pass-through. One caveat: PPTP is obsolete and its MS-CHAPv2 authentication is breakable, so prefer IPsec (or another modern tunnel) wherever you have the choice.
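The isolation described above, expressed as a gateway firewall policy. This is an added example, not text or configuration from the original page: it assumes a Linux gateway where the tunnel terminates, VPN clients addressed out of 10.99.0.0/24 on interface tun0, an internal LAN of 10.0.0.0/16, and the server addresses and ports listed in the sets. All of those names, addresses and ports are assumptions for illustration; substitute your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original page). Assumed layout:
#   tun0  - interface on which VPN clients arrive, clients in 10.99.0.0/24
#   eth0  - Internet-facing interface where IKE/ESP arrives
#   eth1  - corporate LAN, 10.0.0.0/16
#   10.0.1.5  - internal DNS/WINS server (assumed)
#   10.0.1.10 - file server, 10.0.1.20 - intranet web server (assumed)
flush ruleset

table inet vpn_perimeter {
    # Services remote users actually need; anything not listed is denied.
    set allowed_services {
        type inet_service
        elements = { 445, 3389, 443 }       # SMB, RDP, HTTPS
    }
    set internal_servers {
        type ipv4_addr
        elements = { 10.0.1.10, 10.0.1.20 } # file server, intranet web
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Let the tunnel itself be built from the Internet side.
        iifname "eth0" udp dport { 500, 4500 } accept   # IKE and NAT-T
        iifname "eth0" ip protocol esp accept
        # VPN clients get no access to the gateway's own services (SSH, web UI, etc.).
        iifname "tun0" drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies flowing back to clients.
        ct state established,related accept

        # Name resolution so users can browse shares by name (DNS, and WINS/NetBIOS-NS).
        iifname "tun0" ip saddr 10.99.0.0/24 ip daddr 10.0.1.5 udp dport { 53, 137 } accept

        # VPN clients may reach only the listed servers on the listed ports.
        iifname "tun0" ip saddr 10.99.0.0/24 ip daddr @internal_servers tcp dport @allowed_services ct state new accept

        # Clients never talk to each other through the gateway: one compromised
        # laptop must not be able to scan or attack the others.
        iifname "tun0" oifname "tun0" drop

        # Record what a compromised client tries before the default policy drops it.
        iifname "tun0" limit rate 10/minute log prefix "vpn-client-denied: " drop
    }
}
```

Load it with `nft -f` on the gateway. The point is the default-deny policy on the forward chain: a client that has been compromised can still attack the two servers it is allowed to reach, but it cannot sweep the LAN, reach the gateway's management ports, or pivot to another remote user's PC, and the log line tells you it tried.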
You can't allow users to compromise themselves and your network by plugging the PC directly into the modem, bypassing their router and its firewall, to get around a pass-through problem. Success is the result of planning ahead and buying what will give you the least trouble without compromising security. A big piece of that success is predicting the behavior of frustrated users.
If a user already has a router for his or her home network and can't get into yours, a simple settings change on the existing hardware (enabling VPN pass-through, for example) may fix the problem. While you're still mapping out your VPN plans, have users supply model names and vendor URLs for the equipment they're using. Before you start live testing, have up-to-date troubleshooting information downloaded and on hand, and you won't have to wait on the phone while users crawl around behind the computer or search through basement filing cabinets looking for details.
Unfortunately, users may see your hardened perimeter as the reason they can't create a tunnel to work, rather than as the thing that keeps their PCs and data, and the company network, safe, because they get only as far as your login or authentication system and no further. You can avoid that misperception about the security system and help them get to work by remembering to take a few simple but crucial steps in the beginning, as you set up:
Check that the whole shebang (server, etc.) is running before you add the VPN.
Never add more than one item at a time: hardware, software, or firmware. Record exactly what piece you're adding, test it, and record the result before moving on. If you follow this strategy, you'll never have to rewind more than one step, and it's a lot easier to untangle a conflict between one piece and the rest than to multiply the variables against each other.
Get all the basic network gewgaws in place on both sides:
Use the same encryption settings on both ends: the same protocol, cipher, key length, and authentication method. A mismatched proposal is a common reason a tunnel fails to come up even though both sides are "working."
Check that all VPN-specific protocols are installed on both sides.
Set up WINS on both sides of your tunnel. Without name resolution across the tunnel, users can't browse shares by name and someone has to type the server's IP address and share path (the dot.quad and a drive letter) for every share they want to map. On a network that relies on DNS rather than NetBIOS names, the equivalent step is making sure VPN clients are handed your internal DNS server.
One last thing to do as you prepare to build your VPN: Get users ready. Educate them about the VPN; about being good, secure citizens when connected to the corporate network from their home machines; and about what to expect. For example, while a user is logged on to the company network, he may not be able to print over his home LAN. If he understands this restriction, he's less likely to panic and do something silly with the cabling. And some days, that's victory enough.