Gateway to Gateway VPN - (Andrew Grygus)
OK, I haven't done one of these before, but a customer's software vendor asked for a VPN and mentioned they used Linksys VPN routers, which turn out to have little worthwhile documentation.

Got the routers to connect (they're pretty fussy when you have a fixed IP at one end and PPPoE at the other). They say they're connected, so apparently I have a tunnel, right?

What more do I need to do to get the remote network to see computers on the main network?

Configuration is:

Main:
local group 192.168.200.0
mask 255.255.255.0
gateway 192.168.200.97
remote group 192.168.201.0
mask 255.255.255.0


Remote
local group 192.168.201.0
mask 255.255.255.0
gateway 192.168.201.97
remote group 192.168.200.0
mask 255.255.255.0
[link|http://www.aaxnet.com|AAx]
VPN is not a hardware thingie. - (Silverlock)
As long as both parties have an internet connection, VPN *software* can make a "tunnel". Somebody is blowing smoke up your ass. As far as I know there is no such thing as a "VPN router".

[link|http://www.multitech.com/DOCUMENTS/Tutorials/tech_guides/vpn/page4.asp|How VPNs work]
-----------------------------------------
"In this world of sin and sorrow there is always something to be thankful for. As for me, I rejoice that I am not a Republican."
-- H. L. Mencken
Sure it is - (broomberg)
Note the VPN ones.

[link|http://www.linksys.com/products/group.asp?grid=34&scid=29|http://www.linksys.c...p?grid=34&scid=29]
Client side can be software thingie - (bepatient)
But also a hardware thingie.

At the other end is generally one of [link|http://www.tribecaexpress.com/cisco_VPN_3000.htm|these].
If you push something hard enough, it will fall over. Fudd's First Law of Opposition

[link|mailto:bepatient@aol.com|BePatient]
We're looking into SSL/VPN appliances. - (mmoffitt)
Pretty much narrowed down to F5 or Netilla offerings. Any comments?
bcnu,
Mikem

Eine Leute. Eine Welt. Ein Führer. (One people. One world. One leader.)
God Bless America.
Oh, yes there is. - (folkert)
[link|http://support.dlink.com/products/view.asp?productid=DI%2D808HV|DI-808HV]

And yes, I know how VPN works.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Seeing as how a slew of companies sell routers . . - (Andrew Grygus)
. . specifically for that purpose, particularly Cisco and SonicWALL, I don't think I've been misled in purchasing "VPN routers". With hardware VPN firewall routers the encryption overhead is handled by specialized chips, not by the PC's CPU - much more efficient.

Windows comes with VPN software using IPSec that allows connection to hardware VPN devices remotely, which is particularly valuable for mobile users, but for a stationary site it's a lot more efficient to let the hardware do it through a dedicated router-to-router tunnel.

I just haven't done this before so I'm not real familiar with the fine details of making it work.
And, yes... - (folkert)
If they say they are connected *AND* you have connectivity on both sides... you are good to go.
Gaah. I meant "client" vpn. - (Silverlock)
Must remember to keep my beers drunk count below my posts made count.
If you can remember that, you've probably already succeeded. - (imric)
[link|http://forfree.sytes.net|forfree.sytes.net]
Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.

Nothing is as simple as it seems in the beginning,
As hopeless as it seems in the middle,
Or as finished as it seems in the end.
That or you're posting too slowly - (ben_tilly)
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Define "See" - (broomberg)

Main:
local group 192.168.200.0
mask 255.255.255.0
gateway 192.168.200.97
remote group 192.168.201.0
mask 255.255.255.0


Sitting at a computer on the main, assume address
192.168.200.1

Can you ping the local gateway:
192.168.200.97


Can you ping the remote gateway:
192.168.201.97?

Note: the 200->201 transition does not feel right unless you have an address in the 201 segment bound to the external port of your gateway. I'm going on rough guesses here, since I've never configured one of these devices.

Are you SURE you aren't supposed to have the same segment, ie: 200, on both sides?

192.168.201.97
Re: Define "See" - (Andrew Grygus)
Each side can ping its own gateway, but the gateways are set not to answer pings from outside. I suppose it might ping if the VPN made it an inside ping - I'll have to try that.

Both routers are happy that they have connected to each other with adequate authentication.

As to the addresses, stuff on the Internet is disorderly and mostly in the form of forums, but at least one specifically said the two had to be on different networks in the third stanza (but he presumed the default address for the router of 192.168.1.1, necessitating the other being 192.168.2.1 or some other). Anyway, this is the configuration that connected.

Having them both on the same subnet (192.168.200.0) resulted in a configuration error in the router setup. Ranging (192.168.200.1 to 192.168.200.39 on one side and 192.168.200.40 to 192.168.200.100 on the other) resolved the conflict warning but didn't connect - but I think the no-connect was for another very obscure reason, so I may try ranging again tomorrow if I still can't see the other network.
I must be missing something - (FuManChu)
What piece of hardware at the main site actually has a public address pointing to the remote site? Does the gateway at 192.168.200.97 map traffic for 192.168.201.x to the remote, publicly routable IP? Some box on each network has to run (in promiscuous mode) and grab traffic destined for the other site.
Yes - (Andrew Grygus)
The main site has a fixed IP on the WAN side of the router which allows the remote site to find it. This site authenticates to the remote site "IP address only".

The remote site has PPPoE so its actual IP address is unknown to the main site. When it contacts the main site it hands it the current IP address and an email address. If the email address matches what the main site expects the connection is accepted. This is separate from the encryption keys which are then negotiated.

The sites recognize each other on the WAN side and both register "connected" which means authentication has succeeded. I don't know for sure yet if the encryption negotiation is working. The method selected is based on "previously known key".

What I listed were the LAN subnets at each end, and each knows the subnet address of the other so presumably routing can occur through the tunnel even though these are "private" IP addresses.
Well, turns out it was actually working. - (Andrew Grygus)
I sat down at the remote office and typed the local address of the VPN router, but mistyped and actually typed the local address for the main VPN router - and its log-in screen popped right up. I can ping net addresses over there just fine and get an ACCESS DENIED if I try to get a Net View on one of those IP addresses (need to go over there and set up login accounts for the remote office).

Now to see if I can get stuff to show up in My Network Places, or if I have to work around not having that.

I tried again having both ends on the same 192.168.200 network with different IP ranges. Not only didn't it work, I lost general Internet access until I put it back to two separate networks, 200 and 201, which does route just fine. These routers seem to be pretty picky about configuration.
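The subnet arithmetic behind the three attempts in this thread (the 200/201 split that worked, the same-/24-on-both-sides attempt that threw a configuration error, and the "ranging" attempt that cost Internet access), as an added example that is not from any of the posts above and not Linksys firmware logic. It takes the same local group / remote group / gateway fields the original post lists for each router and checks what the routers themselves evidently check: the two LAN groups must not overlap, each side's remote group must mirror the other side's local group, and each VPN router's LAN address must sit inside its own local group and outside the remote one. The remote router's address in the same-subnet and ranging attempts is not given in the thread; 192.168.200.98 and 192.168.200.40 are assumptions.

```python
"""Consistency checks for a pair of gateway-to-gateway VPN subnet definitions.

Added example, not code from the thread and not part of any Linksys firmware.
It models the local group / remote group / gateway fields typed into each
router and checks the points the discussion turned on.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def parse_group(spec: str, mask: str = "255.255.255.0") -> tuple[IPv4Network, ...]:
    """'a.b.c.d' plus a mask is a subnet; 'first-last' is an address range
    (the "ranging" option tried in the thread), which may need several prefixes."""
    if "-" in spec:
        first, last = (IPv4Address(x.strip()) for x in spec.split("-", 1))
        return tuple(summarize_address_range(first, last))
    return (IPv4Network(f"{spec}/{mask}"),)


@dataclass(frozen=True)
class Side:
    name: str
    gateway: IPv4Address             # LAN address of this side's VPN router
    local: tuple[IPv4Network, ...]   # "local group"
    remote: tuple[IPv4Network, ...]  # "remote group"


def make_side(name: str, gateway: str, local: str, remote: str,
              mask: str = "255.255.255.0") -> Side:
    return Side(name, IPv4Address(gateway), parse_group(local, mask), parse_group(remote, mask))


def in_group(addr: IPv4Address, group: tuple[IPv4Network, ...]) -> bool:
    return any(addr in net for net in group)


def groups_overlap(g1: tuple[IPv4Network, ...], g2: tuple[IPv4Network, ...]) -> bool:
    return any(a.overlaps(b) for a in g1 for b in g2)


def check_pair(a: Side, b: Side) -> list[str]:
    """Return every configuration problem found; an empty list means the pair is consistent."""
    problems: list[str] = []
    for me, peer in ((a, b), (b, a)):
        if not in_group(me.gateway, me.local):
            problems.append(f"{me.name}: gateway {me.gateway} is not inside its local group")
        if in_group(me.gateway, me.remote):
            problems.append(f"{me.name}: gateway {me.gateway} falls inside the remote group")
        if set(me.remote) != set(peer.local):
            problems.append(f"{me.name}: remote group does not mirror {peer.name}'s local group")
    if groups_overlap(a.local, b.local):
        problems.append("local groups overlap: a host cannot tell which side a destination is on")
    return problems


def tunnel_routes(me: Side) -> list[str]:
    """Routes this side needs so that the remote LAN is reached through the tunnel."""
    return [f"{net} via {me.gateway} (tunnel)" for net in me.remote]


# The configuration that worked, exactly as listed in the thread.
WORKING = (make_side("Main", "192.168.200.97", "192.168.200.0", "192.168.201.0"),
           make_side("Remote", "192.168.201.97", "192.168.201.0", "192.168.200.0"))

# First failed attempt: the same /24 on both sides.  Remote router address assumed.
SAME_SUBNET = (make_side("Main", "192.168.200.97", "192.168.200.0", "192.168.200.0"),
               make_side("Remote", "192.168.200.98", "192.168.200.0", "192.168.200.0"))

# "Ranging" attempt: .1-.39 on one side, .40-.100 on the other, still one /24.
# The main router at .97 lands inside the group that is supposed to be remote.
# Remote router address assumed.
RANGED = (make_side("Main", "192.168.200.97",
                    "192.168.200.1-192.168.200.39", "192.168.200.40-192.168.200.100"),
          make_side("Remote", "192.168.200.40",
                    "192.168.200.40-192.168.200.100", "192.168.200.1-192.168.200.39"))

if __name__ == "__main__":
    for label, pair in (("working", WORKING), ("same subnet", SAME_SUBNET), ("ranged", RANGED)):
        print(f"{label}: {check_pair(*pair) or 'OK'}")
    print(tunnel_routes(WORKING[0]))
```

Running it reports the working pair as clean and names the reason for each failure: with one /24 on both sides every host address is "local" and "remote" at once, and with ranging the main router's own .97 address ends up in the range the other side claims, so its LAN traffic (including the default route out to the Internet) gets pulled toward the tunnel.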
Remote announce seems to work for that... or Wins - (folkert)
Well, maybe not . . . - (Andrew Grygus)
As far as I can see, Windows 2000 Pro (their main server) doesn't support being a WINS server, and neither does XP Pro. Remote announce appears to be Samba only (at least I didn't find a single reference on the Internet that did not have the word Samba prominently displayed).

Looks like I'll have to get along with an LMHosts file.


They can't browse across the VPN . . - (Andrew Grygus)
. . but they have no need to. Their medical management software can see the databases on the main office server and that's all that's needed from the VPN. I are now a VPN Ex-spurt.
HA! ICLURPD (new thread) - (folkert)
Created as new thread #195538 titled [link|/forums/render/content/show?contentid=195538|HA! ICLURPD]
Parse error - (pwhysall)
I read "Gateway to Gateway VPL" and then wondered two things:

1. Why you're so interested (is it a problem for you?)
2. Why all these hairy-arsed middle-aged men know so much about it


Peter
[link|http://www.ubuntulinux.org|Ubuntu Linux]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!