RE: [suse-security] Linux router vs hardware router
No offence taken - I am that necessary little bit better ;-), but we now run into cost and time issues. The router ought to be dead silent, and finding a power supply unit and a CPU cooler that deliver that, AFAICS, is a nightmare.
Agreed. Some older hardware can run without a CPU cooler, of course, but you'll have other difficulties, like getting enough PS/2 RAM (or even older types) for a modern Linux distro.
Then what are the specifics of that VPN?
This is the email reply I just got:
<quote> We're still looking for a suitable device with IPSEC passthru that actually works. The ones you mentioned [i.e. the Zyxels] have a relatively serious flaw: one tunnel per bundle, and we run 5 separate tunnels in 1 bundle, so that feature probably won't work.
Having the DSL router be a VPN client end-point is not possible, since I'd have to actually route to you, and we're not going to be able to support that for various reasons. </quote>
Addressing that:
* FreeS/WAN gives you a practically unlimited number of tunnels. There probably is some internal limit, but five are definitely no problem at all. I agree that a limitation of one tunnel only is quite an impairment, and one that I see no sound technological reason for.
* The second sentence is unclear, probably exactly because of that mixed-up mumbo-jumbo terminology I was raving about in my last mail. 'VPN client end-point', to me that implies the final destination of whatever is transported via the VPN transport. The router can't be a VPN client end-point in my opinion, because you're not going to be working on it. You want to connect your box to the rest of the network by using VPN technology.
* He probably means that he doesn't want you to have a LAN on your end that he needs to route to through the router on your end, regardless of VPN or not (though you'll probably be using private IP address space and that requires a VPN more often than not). The next bits he says make it sound like that.
He also said
<quote> I'd suggest a simple DSL modem, and a w2k box running microsoft ICS and the vpn client and zonealarm pro (those last 2 things, we provide). microsoft ics comes with 98/ME/2kpro and is relatively easy to use. </quote>
ICS is sort of like a SOCKS proxy, IIRC, maybe with a little NAT (or PAT for Ciscoers) thrown in (but not complete, I think). The gist of it is that the ICS machine is the only one that he sees, the subnet behind it is hidden and he doesn't have to worry about it. Lazy bastard, isn't he? ;->
Incidentally, this (without VPN) is exactly my current setup, which I don't want to run for a variety of reasons:
* my workstation would have to run 24/7, sucking power like nothing
* I don't feel well at all about my work-station being connected directly to the Internet
* dial-on-demand has a design defect (it won't dial unless someone has logged into the W2K box)
IOW, I do need an appliance, a dedicated router. And, if possible, I'd really love to be able to get onto that VPN.
Well, any box that can do NAT and is IPSec-capable will do. You do need to watch out for that combination normally, as NAT kills IPSec packets (so packets need to pass the NAT gateway before they go through the IPSec stage). But if both functions are performed on one and the same box and aren't mutually exclusive, I would expect them to take place in the correct order. Linux can do all of that for you, probably, depending on their VPN equipment, but your requirements for silence, etc. make an appliance seem much more suitable. Unfortunately, I don't know any. Have you looked at the Watchguard boxes?
Cheers
Tobias
On Monday 27 August 2001 15:05, Reckhard, Tobias wrote:
Agreed. Some older hardware can run without a CPU cooler,
One can use muLinux with no hard drive on an old 486; 16 MB of RAM is enough. However, the power supply fan is sometimes very noisy and the configuration is not so easy. I know people who used such a configuration for extra security (everything is in RAM, and a floppy is enough to restart).
jdd
-- <http://www.dodin.net> <mailto:jdanield@dodin.net>
WHO'S THAT GUY? Help me find him. Russia & South America help needed http://www.dodin.net/serge/index.html
* jdd (jdanield@dodin.net) scribed:
One can use muLinux with no hard drive on an old 486; 16 MB of RAM is enough
[...]
I know people who used such a configuration for extra security (everything is in RAM, and a floppy is enough to restart)
I've considered this in the past, but was unsure what to do about logging. A firewall with a read only file system sounds like a good idea, but I'd like logging on connection attempts and system errors... What's the recommended way to transfer log files securely to a remote machine?
Cog.
Syslog logs across the network quite happily. Other replacements do so too. Check the LASG.
Kurt
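Kurt's answer is syslog. As an added illustration that is not part of the thread, here is a receiver-side parser for the classic BSD syslog datagram format (PRI in angle brackets, timestamp, host, message) that a log host could use to keep the packet-filter drops and errors a read-only gateway forwards to it. The sample datagrams are constructed; the facility and severity tables are the standard PRI encoding.

```python
import re

# Classic BSD syslog PRI encoding: PRI = facility * 8 + severity.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss host message
_LINE = re.compile(r"^<(?P<pri>\d{1,3})>"
                   r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                   r"(?P<host>\S+) (?P<msg>.*)$", re.S)

def parse_syslog(datagram):
    """Decode one BSD-style syslog datagram into a dict, or None if malformed."""
    m = _LINE.match(datagram.decode("ascii", "replace").rstrip("\r\n"))
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):  # PRI out of range: treat as malformed
        return None
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}

def wanted(event):
    """Keep kernel (packet filter) messages and anything at 'err' or worse."""
    return event["facility"] == "kern" or SEVERITIES.index(event["severity"]) <= 3

# Constructed sample datagrams, as a read-only firewall might forward them
# to the log host; not real traffic.
SAMPLES = [
    b"<4>Aug 27 15:05:01 fw kernel: packet dropped IN=ppp0 SRC=192.0.2.10\n",
    b"<30>Aug 27 15:05:02 fw pppd[71]: Connection terminated.\n",
    b"<27>Aug 27 15:05:03 fw ipsec: pluto: failed to negotiate SA\n",
    b"garbage without a PRI\n",
]

def select_events(datagrams):
    """Parse datagrams and return only the events worth keeping."""
    out = []
    for d in datagrams:
        ev = parse_syslog(d)
        if ev is not None and wanted(ev):
            out.append(ev)
    return out

if __name__ == "__main__":
    for ev in select_events(SAMPLES):
        print(ev["host"], ev["facility"], ev["severity"], ev["msg"])
```

On a real log host the datagrams would come from a UDP socket bound to port 514 instead of the SAMPLES list; the parser rejects anything without a well-formed PRI rather than guessing.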