Posted by Bryhhh on October 2, 2007, 6:17 pm
> wrote:
>
>
>
> > Bryhhh wrote:
> > > I have two sites that sit behind NATted DSL routers (Netgear DG834),
> > > and I want to link the two networks together.
>
> > > Background info:
>
> > > Site A (Main office)
> > > ====================
> > > We have full control over the infrastructure, the DSL link has a
> > > static WAN IP address.
>
> > > Site B (Remote office)
> > > ======================
> > > Long story, but the DSL router isn't ours, we have no physical access
> > > to it, however we do have exclusive use of this device and we have
> > > admin access to the router. We don't own the phone line, or the
> > > broadband connection, so we are limited as to what we can do. The DSL
> > > link has a dynamic WAN IP address, this can't be changed.
>
> > > I'm open to using either hardware or software (open source or
> > > commercial) to accomplish this, however the devices on site B must be
> > > able to seamlessly connect to the site A network.
>
> > > I'm considering putting a Linux box at site A to act as a PPTP VPN
> > > server (using port forwarding from the DSL router), with a Linux box
> > > at site B to act as the gateway to route the traffic to site A via the
> > > PPTP tunnel.
>
> > > Does this sound like the right way forward?
>
> > If you consider making a secure tunnel between the two sites I recommend
> > you to use protocols like IPsec, SSL-VPN or L2TP (the follower of pptp).
>
> > PPTP has had its security issues and the Windows implementation still has
> > some problems with packets getting out of the tunnel for obscure reasons.
> > (No clue if the Linux implementation has the same problem).
>
> > Depending on your knowledge of Linux (or other operating systems) you
> > have to make the decision of the way to build this tunnel.
> > Software: on Linux, Windows, ...
> > or Hardware: dedicated boxes or firewalls with VPN functionality built-in.
>
> > This choice should be made based on the time and knowledge you have. It
> > might be more expensive to do it with a linux box than with a cheap
> > firewall (with an easy config and maintenance).
>
> > Does your current firewall support VPNs?
> > Linux: Openswan (ipsec), openvpn (sslvpn)
> > Hardware: many solutions exist, for small sites brands like Fortinet are
> > a good choice as they are fairly cheap. Higher-end firewalls like Check
> > Point, Netscreen and ASA also support this of course.
>
> > It's a good idea to check the Wikipedia pages concerning the different
> > technologies.
> > http://en.wikipedia.org/wiki/Virtual_private_network
> > http://en.wikiped...
>
> > Personally I prefer using IPsec for site-to-site tunnels.
> > With IPsec it's fairly simple to use dynamic tunnels.
> > On site B you just configure the tunnel to site A, enable aggressive
> > mode. On site A you need to configure the tunnel as dynamic (accept ip
> > 0.0.0.0/0). It's a good idea to choose strong shared-keys, you only have
> > to type them once...so...
> > The configuration depends on the chosen solution of course.
>
> > Hope this helps.
>
> > --
> > mailto:christo...@vandeplas.com
> > http://christophe.vandeplas.com
>
> Many thanks. I've been playing with openvpn running on a pair of Linux
> boxes, mainly because I happen to have a Linux box at each site.
> Unfortunately my networking skills are the part that is letting me
> down!
>
> If site A uses 192.168.16.0/24 and site B uses 192.168.17.0/24 and I
> want to create a routed VPN between the two, do both endpoints of the
> tunnel need to be on a third (virtual) subnet?
>
> e.g. (Apologies for poor ASCII art)
>
>           +--------------------+                   +--------------------+
> SITE A -- | 192.168.16.2       |     INTERNET      | 192.168.17.2       | -- SITE B
> NETWORK   | Site A Server      |                   | Site B Server      |    NETWORK
>           | 192.168.18.1       | == VPN TUNNEL ==  | 192.168.18.2       |
>           +--------------------+                   +--------------------+
>
> In reality each server would be connected to a DSL router 192.168.(16|
> 17).1 on the same subnet as all the other network devices, with port
> forwarding setup for openvpn between the DSL router and the server.
>
> Many thanks
> Bry.
Or, would the Site B server be presented with an interface on
192.168.16.0/24, and the site B server be left to deal with routing
between the two? If this was the case though, how would I route back
in the other direction? Surely the site A server must have a virtual
interface of some description too?
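To make the routed layout concrete, here is an added example (not code from the thread, and not Bry's actual setup) of the OpenVPN configuration the sketch above implies, written for the Linux box at each site. The short answer to the question is yes: in tun mode each end gets an address on a tunnel-only subnet (192.168.18.1 and 192.168.18.2 below) and each box routes the peer's LAN via that tunnel. That also covers the reverse direction, because the site A box has a tun interface of its own. What the sketch leaves out is that every other host on each LAN still has the DSL router as its default gateway, so without a static route for the far subnet pointing at the local OpenVPN box (on the DSL router if it supports static routes, otherwise on each host) return traffic never reaches the tunnel. The name vpn-a.example.org, the easy-rsa style certificate file names and eth0 as the LAN interface are assumptions; remote-cert-tls needs OpenVPN 2.1 or later (2.0 used ns-cert-type server for the same check). The tls-auth key makes the server at site A discard packets on the forwarded UDP port that do not carry a valid HMAC before any TLS handshake starts, which is the check worth having on an internet-exposed port. One caveat on the IPsec alternative suggested earlier in the thread: IKEv1 aggressive mode with a pre-shared key sends the PSK-derived hash before the channel is encrypted, so the key can be brute-forced offline from one captured exchange; if you go that way, use a long random key or certificates.

```shell
#!/bin/sh
# Added example (not from the thread): routed OpenVPN site-to-site for Bry's
# sketch.  Site A (192.168.16.0/24, static WAN IP) runs the TLS server on
# 192.168.16.2 behind a UDP/1194 port forward; site B (192.168.17.0/24,
# dynamic WAN IP) runs the client on 192.168.17.2 and dials out, so its
# router needs no forward.  The tun endpoints live on a tunnel-only subnet.
# Assumed placeholders: vpn-a.example.org for site A's static IP, easy-rsa
# certificate names, eth0 as the LAN interface, OpenVPN 2.1 or later.

SITE_A_LAN=192.168.16.0/24
SITE_B_LAN=192.168.17.0/24
SITE_A_GW=192.168.16.2          # OpenVPN box at site A
SITE_B_GW=192.168.17.2          # OpenVPN box at site B
TUN_A=192.168.18.1              # tunnel endpoint, site A
TUN_B=192.168.18.2              # tunnel endpoint, site B
SITE_A_WAN=vpn-a.example.org    # assumption: DNS name of site A's WAN IP

# Write both configs into directory $1.  Each side gets its own tunnel
# address, the peer's, and a kernel route for the peer's LAN via the tunnel.
write_configs() {
    mkdir -p "$1"
    cat > "$1/siteA-server.conf" <<EOF
dev tun
proto udp
port 1194
tls-server
ifconfig $TUN_A $TUN_B
route $SITE_B_LAN
ca ca.crt
cert siteA.crt
key siteA.key
dh dh2048.pem
tls-auth ta.key 0
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
    cat > "$1/siteB-client.conf" <<EOF
dev tun
proto udp
remote $SITE_A_WAN 1194
nobind
tls-client
remote-cert-tls server
ifconfig $TUN_B $TUN_A
route $SITE_A_LAN
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
EOF
}

# The other hosts on each LAN default-route to the DSL router, which knows
# nothing about the far subnet.  Print the static route a site needs; put it
# on the DSL router if it supports static routes, otherwise on every host.
lan_route() {
    case "$1" in
        A) echo "ip route add $SITE_B_LAN via $SITE_A_GW" ;;
        B) echo "ip route add $SITE_A_LAN via $SITE_B_GW" ;;
        *) echo "usage: lan_route A|B" >&2; return 1 ;;
    esac
}

# Forwarding plus a firewall on each OpenVPN box (run as root there): only
# traffic between the two LANs may cross between tun0 and eth0.
forwarding_rules() {
    case "$1" in
        A) local_lan=$SITE_A_LAN; remote_lan=$SITE_B_LAN ;;
        B) local_lan=$SITE_B_LAN; remote_lan=$SITE_A_LAN ;;
        *) echo "usage: forwarding_rules A|B" >&2; return 1 ;;
    esac
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i tun0 -o eth0 -s $remote_lan -d $local_lan -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -s $local_lan -d $remote_lan -j ACCEPT
EOF
}

# Usage: sh site2site.sh /etc/openvpn  (writes the configs, prints the routes)
if [ $# -gt 0 ]; then
    write_configs "$1"
    echo "LAN route at site A: $(lan_route A)"
    echo "LAN route at site B: $(lan_route B)"
    echo "Rules for the site A box:"; forwarding_rules A
fi
```

Run it with an output directory on either box, copy the matching config plus ca.crt, the site's own cert/key and the shared ta.key into /etc/openvpn, start openvpn on site A first, then site B. Because site B initiates, its dynamic WAN address never needs to be known at site A; only the UDP/1194 forward on site A's DSL router matters. Check the result from a host at site B (not the OpenVPN box) with a ping to something on 192.168.16.0/24: if the box can reach it but other hosts cannot, the missing piece is the lan_route static route, not the tunnel.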