• Status: Solved

Establishing site to site VPN connectivity between HO and Branch through Linux

I have two locations (HO and Branch). At both places I have taken 2 Mbps ADSL broadband. I have a static IP
at both places. I need to establish a site to site VPN so that users can access the resources either way.

But due to budget constraints (less than 1000 US dollars) I cannot go with an ideal solution like going for Cisco integrated routers.

One of the vendors has suggested doing this connectivity through Linux, as it comes with an inbuilt firewall and
proxy server and there is no licensing cost. All we need to do is buy 2 systems with dual ethernet cards, which would cost us 500 US dollars, plus his configuration charges of around 250 US dollars. This whole thing fits very well into our budget.

I want experts' advice on whether this workaround solution gives an acceptable level of performance.

venkat

tlbrittain Commented:
If you are looking for a VPN connection, make sure that the configuration he is suggesting will give you VPN capability w/out having to buy more equipment.  I am not very educated on linux but know that the firewall and proxy should be able to be done, but I do not believe that it will give you VPN capability.  If configured properly the firewall will allow VPN (PPTP, L2TP, ESP, etc...) traffic to pass, but it will not act as a VPN granting you the connection you desire.  

Be careful on that and make sure you obtain a "statement of work" from the vendor if this is the route that you decide to go, one that states it will (without the purchase of additional hardware, i.e. a VPN concentrator) give you the VPN capability, as well as firewall and proxy functions.
0
 
Qlemo (C++ Developer) Commented:
I recommend OpenVPN (on XP or above, or Linux). It's free, and you won't need a load of knowledge when using the supplied configuration examples.
0
 
venkataramanaiahsr (Author) Commented:
Hi Qlemo

Can you suggest the method for how to go about this? We are comfortable with Windows. If it can be installed on XP and above, it is all the more easy. We have already got the necessary hardware (2 systems).
Also the advantages and disadvantages of the same.

I request an early help in this regard
0

Qlemo (C++ Developer) Commented:
 Download OpenVPN from http://openvpn.net/download.html, I recommend 2.1 RC4 version.
  Install OpenVPN as a service on both XP boxes
  Enable routing by changing registry key:
      HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=DWORD:1
  Rename created LAN connection in your network properties to "OpenVPN" or something, if you like
  For a quick start, I chose a direct link (aka point-to-point connection), using a preshared key. Later, you might change this to certificates, which can be generated with the contained easy-rsa package.

  Therefore, create a config file e.g. "site-1.ovpn" in "config" folder, containing:
      dev tun
      proto udp
      remote site-1.ath.cx 1194
      ifconfig 192.168.254.253 192.168.254.254
      secret ..\\keys\\static-key.txt
      resolv-retry infinite
      comp-lzo
      persist-key
      persist-tun
      verb 3

  Copy it to "site-2.ovpn", and change following two lines
      remote site-2.ath.cx 1194
      ifconfig 192.168.254.254 192.168.254.253

  Of course, the remote addresses must be adapted to your set up ... On each XP box one of those files must be placed in "config" folder, the file name does not matter. That way, it is used automatically when OpenVPN service is started.
  Additionally you need the same (!) file "key\static-key.txt" on both sites. This file has to be generated, either by selecting the "Generate Key" option in the start menu, or by openvpn --genkey --secret static-key.txt.

  If your firewalls allow traffic on the used port (1194/udp), the connection is ready to be established. For test purposes, you might want to double click on .ovpn files to start connecting, so you have a console window to look at what happens. With Service, you should log into files (see manual and samples).

  One site will appear as 192.168.254.253, the other as 192.168.254.254. You should be able to use those addresses to ping or make drive connection or rdp or whatever to the XP boxes which run OpenVPN. The network will not be reachable, since other boxes do not know how to forward traffic.
  So, last step is to define a static route to either site on each box, with the OpenVPN box as gateway:
    route -p add 192.168.254.254 192.168.1.1            (if this is your OpenVPN box on this (!) site).
  Much better: define your XP box as default gateway, or put the above route to your existing default gateway.

  Hope that was detailed enough. Don't worry, it's easier than it sounds :-)
0
 
venkataramanaiahsr (Author) Commented:
Dear Qlemo

Thanks for your detailed explanation. I have one more clarification. I request your answer so that
we can go ahead and try the above solution.

I have a hardware router/firewall (Dlink DI-524) at either end. Each router is configured with a static IP on the public side and an internal IP, and this internal IP is given as gateway in all the internal machines wherever internet needs to be accessed.

Now to set up the above scenario for OpenVPN connectivity between two sites, can I retain the router, or do I have to remove the DI-524 router at both ends?

We could establish the RDP connectivity across two locations through RDP port forwarding in the DI-524 to some internal IP address system. To do this through VPN connectivity, is the above solution the only option?



0
 
Qlemo (C++ Developer) Commented:
You do not need to change anything with your configuration, besides opening port 1194/udp in each DLink (outgoing), if it is blocked. And put a route to your internal OpenVPN server in each DLink.

For RDP, you can implement a public-ip:port scenario where each port is forwarded to one client's RDP port. Even better, using OpenVPN, you can RDP directly to internal addresses, and traffic is encrypted.
0
 
venkataramanaiahsr (Author) Commented:

"For RDP, you can implement a public-ip:port scenario where each port is forwarded to one client's RDP port. Even better, using OpenVPN, you can RDP directly to internal addresses, and traffic is encrypted."

Can you explain in detail what it means and how to set it up?
0
 
Qlemo (C++ Developer) Commented:
I think I do not get your intention here. Either you use VPN to have all network resources at your fingertips, or you use RDP with port forwarding to have RDP access from internet.

I recommend using OpenVPN, and RDP with internal addresses thru the VPN tunnel.
0
 
venkataramanaiahsr (Author) Commented:
I would definitely like to use the VPN tunnel to access network resources. If I am not wrong, what you are
suggesting is to establish a VPN tunnel between two locations using OpenVPN and then use internal addresses through RDP for accessing internal resources.

0
 
Qlemo (C++ Developer) Commented:
Yessir!
0
 
venkataramanaiahsr (Author) Commented:
I have installed Win XP in 2 new systems with 2 network adapters. I have installed OpenVPN. I am unable to configure the VPN. How to do the configuration? Can anyone please tell me in detail.
0
 
Qlemo (C++ Developer) Commented:
Have a look at my "proposed solution" given earlier. Important point: There may be ONE .ovpn file only on each client.
If you cannot get further, tell us in more detail what your problem is.
0
 
venkataramanaiahsr (Author) Commented:
I have installed Win XP in 2 systems with 2 network adapters.

I have installed the OpenVPN software in both the systems.

Then I have configured the network adapter 1 of system A with class B ip address, configured network adapter1 of System B with class B ip address. Both the systems are in the same IP range but their default gateways are different.

I have created site.ovpn files in both the systems and generated a key in both the systems.

What should I do next?
0
 
Qlemo (C++ Developer) Commented:
Please give exact figure about configuration:
* IP subnet of LAN A
* IP subnet of LAN B
* why two NICs?
* why same IP subnet for system A and system B?
0
 
venkataramanaiahsr (Author) Commented:
Let me tell you my present set up in

Site A (HO)
We have two internet connections and two static IPs for redundancy at HO.
Each static IP is configured for two Dlink routers in the following manner,
and hence we have two gateways.
The Dlink router is configured with a static IP on WAN settings and on LAN settings to an internal IP in the 128.128.x.x series (we are shortly changing the IP range to a private IP addressing scheme). This LAN settings IP address we have given as default gateway on LAN systems wherever people are accessing the
internet.

Site B (Branch)
The Dlink router is configured with a static IP on WAN settings and on LAN settings to an internal IP in the 192.168.x.x series. This LAN settings IP address we have given as default gateway on LAN systems wherever people are accessing the internet.

We need to establish VPN connectivity between HO and Branch.

We have got two systems with XP SP2 loaded. We just wanted to configure everything on both the systems and test the VPN connectivity before we move one of the systems to the branch.
Hence we have loaded the OpenVPN software in both the systems and put the two systems on the same subnet but with different default gateways.

In an earlier explanation you said I do not have to disturb my router setup.
Please let me know whether this set up works and, if not, let me know an alternate solution to test this connectivity
at HO in the above setup at HO (i.e. two separate broadband internet connections with two static IPs
and hence two different default gateways).

I am really thankful for your patience and help and expect an early answer to this.




in HO before we

0
 
Qlemo (C++ Developer) Commented:
I'll analyze that info and return later, I'm on heavy work here at the moment.
0
 
venkataramanaiahsr (Author) Commented:
Hi Qlemo

Any updates on this?
0
 
Qlemo (C++ Developer) Commented:
That should work, but you have to use different gateways, as you already stated. Alternatively, you could use different ports for both OpenVPNs. But there will be no routing, as routes are not defined yet.

So, use the opposite's gateway in each OVPN file. After that, and having started both OpenVPN connection sides, you should be able to ping the OpenVPN net addresses, in my example config that is 192.168.254.253 and 192.168.254.254. If you have gone that far, you only need to define routes to the internal network. For testing purposes, I would only route a single address. Having said that, the configuration would look like:

site A OpenVPN box:
OpenVPN local IP 192.168.254.253
        remote   192.168.254.254
local IP       128.128.1.253

site B OpenVPN box:
OpenVPN local IP 192.168.254.254
        remote   192.168.254.253
local IP       192.168.1.254

That way, if the OpenVPN boxes communicate with each other, they use 192.168.254.25x, but if used as a router, e.g. when pinging from somewhere else, they will leave the IP as-is (128.128.2.3 for instance), and that is the problem here.



On HO XP OpenVPN box:
> ping 192.168.254.254      should succeed
> ping 192.168.1.254      ok, learned by OpenVPN connection

> route add 192.168.1.0 mask 255.255.255.0 192.168.254.254
> ping 192.168.1.1      should fail, no route back, since default gateway on Site B is useless for this network


on Site B, we need a route back to site A either on your default gateway's routing table, or in local routing table. For test, I would set it on target box (192.168.1.1):
> route add 128.128.1.0 mask 255.255.255.0 192.168.1.254

Additionally, site B OpenVPN does not know of the 128.128.1.x network, so on that box:
> route add 128.128.1.0 mask 255.255.255.0 192.168.254.253

site A OpenVPN box:
> ping 192.168.1.1      should work now
> tracert -d 192.168.1.1       should print out 192.168.1.253, 192.168.1.1

One thing is missing yet: the route to site B on site A. You will have to set the route to site B on site A's default gateway.

And to make it perfect, the routes on your OpenVPN boxes should not be static / persistent, but set with the OpenVPN connection. Therefore, add the following line to site A config:
route 192.168.1.0   255.255.255.0 vpn_gateway

and for site B:
route 128.128.1.0   255.255.255.0 vpn_gateway

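Qlemo's two posts above (the static-key .ovpn pair and the later `route ... vpn_gateway` lines) are easy to get subtly wrong when editing the second file by hand. The following Python script is an added example, not from the thread or from the OpenVPN project: it renders both ends' configs from the site parameters used in this thread (the ath.cx names, the 192.168.254.x tunnel link and the 128.128.1.0/24 and 192.168.1.0/24 LANs are taken from the posts; the `remote` line on each end is assumed to name the peer's public host) and then cross-checks the pair for the mistakes the thread runs into: un-swapped `ifconfig` addresses, differing key paths, and a subnet routed into the tunnel from both ends.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str         # label only, e.g. "HO" or "Branch"
    public_host: str  # address the peer dials; the ath.cx names are assumed, as in the thread
    tun_ip: str       # this end's address on the 192.168.254.x tunnel link
    lan: str          # LAN behind this OpenVPN box, in CIDR notation

def render_config(local, peer, port=1194, secret=r"..\\keys\\static-key.txt"):
    """Static-key point-to-point config for `local`; the final `route` line pulls the
    peer's LAN into the tunnel when it comes up, replacing a persistent `route -p`."""
    net = ipaddress.ip_network(peer.lan)
    lines = ["dev tun", "proto udp", f"remote {peer.public_host} {port}",
             f"ifconfig {local.tun_ip} {peer.tun_ip}", f"secret {secret}",
             "resolv-retry infinite", "comp-lzo", "persist-key", "persist-tun", "verb 3",
             f"route {net.network_address} {net.netmask} vpn_gateway"]
    return "\n".join(lines) + "\n"

def parse_config(text):
    """Map each directive to the list of argument lists seen for it (comments dropped)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            out.setdefault(key, []).append(args)
    return out

def check_pair(text_a, text_b):
    """Return mismatch descriptions; an empty list means the two ends mirror each other."""
    a, b = parse_config(text_a), parse_config(text_b)
    problems = []
    if a["ifconfig"][0] != b["ifconfig"][0][::-1]:
        problems.append("ifconfig local/remote addresses are not swapped between the ends")
    if a["secret"] != b["secret"]:
        problems.append("secret path differs; both ends must load the same static key file")
    if a["remote"][0][1:] != b["remote"][0][1:]:
        problems.append("UDP port differs between the ends")
    for key in ("dev", "proto"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between the ends")
    # A subnet routed into the tunnel from both ends would just bounce back and forth.
    nets_a = {tuple(r[:2]) for r in a.get("route", [])}
    nets_b = {tuple(r[:2]) for r in b.get("route", [])}
    for net in sorted(nets_a & nets_b):
        problems.append(f"{net[0]} is routed into the tunnel from both ends (loop)")
    return problems
```

Running `check_pair` on the same file copied to both boxes (the author's "site.ovpn files in both the systems" step) reports both the un-swapped `ifconfig` and the routing loop; the rendered pair passes with an empty list.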
0
 
venkataramanaiahsr (Author) Commented:
Sorry for the delay in accepting your solution. I really appreciate your valuable feedback on this matter.
But for the time being we are going with a Win2000 VPN server and terminal services, as myself and my team
are familiar with the Microsoft environment, and it has to be set up immediately. Once it is up and running
I will try this.

Once again I thank you very much for your patience in sharing the knowledge.


0