Intersite VPN

I have two sites that sit behind NATted DSL routers (Netgear DG834), and I want to link the two networks together.

Background info:

Site A (Main office)
====================
We have full control over the infrastructure; the DSL link has a static WAN IP address.

Site B (Remote office)
======================
Long story, but the DSL router isn't ours and we have no physical access to it; however, we do have exclusive use of this device and we have admin access to the router. We don't own the phone line or the broadband connection, so we are limited as to what we can do. The DSL link has a dynamic WAN IP address; this can't be changed.

I'm open to using either hardware or software (open source or commercial) to accomplish this, however the devices on site B must be able to seamlessly connect to the site A network.

I'm considering putting a Linux box at site A to act as a PPTP VPN server (using port forwarding from the DSL router), with a Linux box at site B to act as the gateway to route the traffic to site A via the PPTP tunnel.

Does this sound like the right way forward?

Reply to
Bryhhh

If you consider making a secure tunnel between the two sites I recommend you use protocols like IPsec, SSL-VPN or L2TP (the successor of PPTP).

PPTP has had its security issues, and the Windows implementation still has some problems with packets getting out of the tunnel for obscure reasons. (No clue if the Linux implementation has the same problem.)

Depending on your knowledge of Linux (or other operating systems) you have to decide how to build this tunnel. Software: on Linux, Windows, ... or hardware: dedicated boxes or firewalls with VPN functionality built in.

This choice should be made based on the time and knowledge you have. It might be more expensive to do it with a Linux box than with a cheap firewall (with easy config and maintenance).

Does your current firewall support VPNs? Linux: Openswan (IPsec), OpenVPN (SSL VPN). Hardware: many solutions exist; for small sites brands like Fortinet are a good choice as they are fairly cheap. Higher-end firewalls like Check Point, Netscreen and ASA also support this of course.

It's a good idea to check the Wikipedia pages concerning the different technologies.

http://en.wikipedia.org/wiki/Virtual_private_network
http://en.wikipedia.org/wiki/Pptp
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/Transport_Layer_Security

Personally I prefer using IPsec for site-to-site tunnels. With IPsec it's fairly simple to use dynamic tunnels. On site B you just configure the tunnel to site A and enable aggressive mode. On site A you need to configure the tunnel as dynamic (accept IP 0.0.0.0/0). It's a good idea to choose strong shared keys; you only have to type them once...so... The configuration depends on the chosen solution of course.

Hope this helps.

Reply to
Christophe Vandeplas
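As an added illustration of the dynamic-peer IPsec setup described in the reply above (this is not configuration from the original post), here is an Openswan-style pair of configurations: site A waits for any peer address, site B initiates in aggressive mode. The identities @siteA/@siteB, the algorithm choices, the file layout and the PSK placeholder are assumptions; the LAN subnets 192.168.16.0/24 and 192.168.17.0/24 are the ones used later in this thread.

```conf
# Added example: Openswan-style IPsec site-to-site tunnel where site A has a
# static WAN address and site B a dynamic one. Identities, algorithms and the
# PSK value are assumptions; the LAN subnets are the thread's own.

# ---- /etc/ipsec.conf on the site A gateway (static WAN IP, behind the DSL NAT) ----
config setup
    interfaces=%defaultroute
    nat_traversal=yes          # both gateways sit behind NAT, so NAT-T (UDP 4500) is required

conn siteA-siteB
    type=tunnel
    authby=secret              # pre-shared key, see ipsec.secrets below
    aggrmode=yes               # needed because site B's address is not known in advance
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1
    pfs=yes
    left=%defaultroute
    leftid=@siteA
    leftsubnet=192.168.16.0/24
    right=%any                 # "accept any IP": the dynamic peer
    rightid=@siteB
    rightsubnet=192.168.17.0/24
    auto=add                   # load the policy and wait for site B to initiate

# ---- /etc/ipsec.conf on the site B gateway (dynamic WAN IP) ----
# (same "config setup" section as on site A)
conn siteA-siteB
    type=tunnel
    authby=secret
    aggrmode=yes
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1
    pfs=yes
    left=%defaultroute
    leftid=@siteB
    leftsubnet=192.168.17.0/24
    right=SITE_A_STATIC_WAN_IP # placeholder: site A's static WAN address
    rightid=@siteA
    rightsubnet=192.168.16.0/24
    dpddelay=30                # dead peer detection: rebuild the tunnel after a DSL reconnect
    dpdtimeout=120
    dpdaction=restart
    auto=start                 # site B always initiates

# ---- /etc/ipsec.secrets on both gateways (file mode 0600) ----
@siteA @siteB : PSK "REPLACE-WITH-A-LONG-RANDOM-STRING"
```

Two things the thread's constraints make unavoidable: site A's DSL router must forward UDP 500 and UDP 4500 to the site A Linux box (site B needs no inbound forwarding because it initiates), and each box needs net.ipv4.ip_forward=1 plus some way for the other LAN devices to hand it traffic for the far subnet (a static route on the DSL router, or the Linux box as the LAN's default gateway). Aggressive mode sends the identity hash derived from the PSK in the clear during the first exchange, which is exactly why the "strong shared keys" advice above matters; if the remote side can hold one, a certificate (authby=rsasig) avoids that exposure altogether.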


Many thanks. I've been playing with OpenVPN running on a pair of Linux boxes, mainly because I happen to have a Linux box at each site. Unfortunately my networking skills are the part that is letting me down!

If site A uses 192.168.16.0/24 and site B uses 192.168.17.0/24 and I want to create a routed VPN between the two, do both endpoints of the tunnel need to be on a third (virtual) subnet?

e.g. (Apologies for poor ASCII art)

  SITE A         +--------------------+                +--------------------+         SITE B
  NETWORK  --    | Site A Server      |    INTERNET    | Site B Server      |    --   NETWORK
                 | LAN: 192.168.16.2  |                | LAN: 192.168.17.2  |
                 | VPN: 192.168.18.1  | == VPN TUNNEL == | VPN: 192.168.18.2  |
                 +--------------------+                +--------------------+

In reality each server would be connected to a DSL router (192.168.16.1 or 192.168.17.1) on the same subnet as all the other network devices, with port forwarding set up for OpenVPN between the DSL router and the server.

Many thanks Bry.

Reply to
Bryhhh


Or, would the Site B server be presented with an interface on 192.168.16.0/24, and the site B server be left to deal with routing between the two? If this was the case though, how would I route back in the other direction? Surely the site A server must have a virtual interface of some description too?
Reply to
Bryhhh

Usually we use IPsec tunnels between sites. With an IPsec tunnel you don't need that .18 network. I'm not a site-to-site SSL-VPN expert, but I have configured client SSL-VPNs in the not too distant past. Depending on your distro you will have more or fewer tutorials with installation and configuration instructions. Don't forget you'll have to generate SSL certificates for both sides (self-signed is perfect).

btw: You'll probably want a routed tunnel.

A good place to start is:

formatting link
look at your favorite encyclopedia:
formatting link
But remember this: the advantage of OpenVPN is that you can do many, many things with it. And the disadvantage of OpenVPN is that you can do many, many things with it.

You'll probably really understand this after playing with it for a few hours while digging the net for good tuts.

Reply to
Christophe Vandeplas
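To answer the routing question in the diagram above concretely: in a routed (tun) OpenVPN setup, yes, the two tunnel endpoints do sit on a third subnet (192.168.18.0/24 in the drawing), and the two LANs are reached through it by ordinary routes. The following configuration is an added example, not something posted in this thread or shipped by the OpenVPN project; the file names, port 1194/UDP, the cipher, the unprivileged user/group and the placeholder SITE_A_STATIC_WAN_IP are assumptions, while the subnets and addresses are the thread's own.

```conf
# Added example: routed OpenVPN site-to-site configuration for the layout
# drawn in the thread. File names, port, cipher and the WAN placeholder are
# assumptions; subnets and LAN addresses come from the thread.

# ---- /etc/openvpn/server.conf on the site A server (LAN address 192.168.16.2) ----
port 1194
proto udp
dev tun                                   # routed (layer 3) tunnel, as suggested in the reply above
ca ca.crt                                 # your own CA; self-signed is fine
cert siteA.crt
key siteA.key
dh dh2048.pem
tls-auth ta.key 0                         # control-channel HMAC: packets without it are dropped before TLS
cipher AES-256-CBC
server 192.168.18.0 255.255.255.0         # the "third" subnet: only tunnel endpoints live here
push "route 192.168.16.0 255.255.255.0"   # site B learns how to reach site A's LAN
route 192.168.17.0 255.255.255.0          # site A's kernel: 192.168.17.0/24 is reached via the tunnel
client-config-dir ccd                     # per-client file mapping that LAN to the right client
keepalive 10 60
persist-key
persist-tun
user nobody                               # drop privileges once the tunnel is up
group nogroup
verb 3

# ---- /etc/openvpn/ccd/siteB on the site A server (file name = CN of siteB.crt) ----
iroute 192.168.17.0 255.255.255.0         # tells OpenVPN itself which client owns 192.168.17.0/24

# ---- /etc/openvpn/client.conf on the site B server (LAN address 192.168.17.2) ----
client
dev tun
proto udp
remote SITE_A_STATIC_WAN_IP 1194          # placeholder: site A's static WAN address
nobind
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
remote-cert-tls server                    # refuse a peer whose certificate is not marked as a server
cipher AES-256-CBC
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
```

The pieces outside OpenVPN are what usually break "routing back": both Linux boxes need net.ipv4.ip_forward=1; site A's DSL router forwards UDP 1194 to 192.168.16.2 (site B needs no inbound forwarding because it initiates); and the other devices on each LAN still send traffic for the far /24 to their DSL router unless that router has a static route for it pointing at the local Linux box, or the Linux box is made the LAN's default gateway. The ta.key file is generated once with `openvpn --genkey --secret ta.key` and copied to both ends; the kernel route on the server plus the iroute in the ccd file are both required, since the first is for the operating system and the second for OpenVPN's own client table.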

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.