VPN: IP Address allocation & Ports Query - URGENT

Hi Experts

I have a general & quick query with regards to VPNs.

I am looking to setup IPSEC VPN Tunnels & was wondering:

1. What ports need to be opened on the firewall to enable the VPN protocols?

2. I will have 6 remote sites connecting up to HQ. The HQ's LAN IP setup is 192.168.0.xxx - if I set up all six remote sites with the IP address 192.168.1.xxx, will my VPN work or do I need to set up different IPs for all locations? (e.g. HQ: 192.168.0.xxx - Site1 = 192.168.1.xxx - Site2 = 192.168.2.xxx - etc...)

What would the effects be if I were to have the sites with the same IP addresses?

Thanks for your time & help!
0
Asked by: BAFP
2 Solutions
 
tonydav67Commented:
Can I just clarify what router you are using?  I'm assuming a Draytek Vigor 3300 from your tags but you don't specifically say.

Assuming you're using the 3300 or 3300V you should be setting up the VPN directly in the device. In this case you will not need to open ports as the VPN connection will be established between your client (at say your home) which will be establishing an outbound connection and hence have no need of port forwarding, and the Draytek at the other end.

Once the VPN is established you will then have access to the local LAN as defined in your VPN rules.

Normally, you would allow the Draytek to assign an IP address to each of the incoming VPN clients. It would assign them an address in the 192.168.0.xxx range.

This means that once a VPN is established, a remote site will have (at least) two IP addresses.  Their local address for access to their local LAN (which could be the 192.168.1.xxx range you mention) and the VPN address which will be in the 192.168.0.xxx.

Note that in no case should you give the remote sites a local IP address in the 192.168.0.xxx range. This should be reserved for your head office and the associated VPN connections.

Note if you're using the 3300B+ it doesn't support VPN directly rather VPN pass-through so the above won't apply to it. I'm assuming/hoping that isn't the case and you're using a 3300 or 3300V.
0
 
Amit BhatnagarCommented:
Is your Tunnel going to be a Pure IPSEC tunnel or something like L2TP over IPSEC? Also, you CANNOT use the same IP range for all the different Networks\Sites, the reason simply being that "you don't feel the urge to get up and walk to the Door unless you feel that the Destination is outside your Door"..:)...Simply put...If the Sites are using the same Network ID there would be no communication, as the packets would keep searching for the Remote Network Machines in the same LAN, as the Destination IP would belong to the same IP range. Packets only talk to a Default Gateway when it is realized that the Destination IP is off-subnet..:) Hope that clears it.
Also, if it is a pure IPSEC Tunnel...Ports are IP 50, IP 51 (Note: These are IP and not UDP or TCP) and UDP 500.

http://support.microsoft.com/kb/233256

If it is L2TP over IPSEC, you will require an additional UDP 1701

Hope this helps..:)
0
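As an added illustration (not code from the thread or from the Draytek product), the Python below encodes the openings listed in the answer above as match rules, in both pure-IPsec and L2TP-over-IPsec form, and runs them over a few constructed netfilter-style DROP log lines to flag drops that would break the tunnel. It shows in code the point the answer makes in words: ESP (50) and AH (51) are IP protocol numbers with no port field, so a rule written as "UDP port 50" never matches them. UDP 4500 (IKE/ESP NAT traversal) is my addition and is not mentioned in the thread; the `FW-DROP:` log prefix and the addresses are assumptions.

```python
"""Added example: IPsec / L2TP-over-IPsec firewall requirements as match rules,
plus a parser that spots tunnel-breaking drops in constructed firewall logs."""
import re
from typing import List, Optional, Tuple

# IP protocol numbers and UDP ports named in the thread.
ESP_PROTO = 50        # IP protocol 50 (not a TCP/UDP port)
AH_PROTO = 51         # IP protocol 51 (not a TCP/UDP port)
IKE_PORT = 500        # UDP 500, IKE key exchange
L2TP_PORT = 1701      # UDP 1701, only needed for L2TP over IPsec
NAT_T_PORT = 4500     # UDP 4500, IKE/ESP through NAT; my addition, not from the thread

Rule = Tuple[str, Optional[int]]   # (IP protocol name, UDP port or None for "whole protocol")


def required_rules(mode: str) -> List[Rule]:
    """Return the (protocol, port) pairs that must be allowed for the given tunnel mode.
    A port of None means the entire IP protocol is allowed, since ESP/AH carry no ports."""
    rules: List[Rule] = [("ESP", None), ("AH", None), ("UDP", IKE_PORT), ("UDP", NAT_T_PORT)]
    if mode == "l2tp-ipsec":
        rules.append(("UDP", L2TP_PORT))
    elif mode != "ipsec":
        raise ValueError(f"unknown tunnel mode {mode!r}")
    return rules


def matches(rules: List[Rule], proto: str, dport: Optional[int]) -> bool:
    """True if a packet with this IP protocol and destination port is covered by a rule."""
    return any(r_proto == proto and (r_port is None or r_port == dport)
               for r_proto, r_port in rules)


# netfilter LOG lines print PROTO=ESP / PROTO=AH (with an SPI) and PROTO=UDP ... DPT=<port>.
LOG_RE = re.compile(r"PROTO=(?P<proto>\w+)(?:.*?\bDPT=(?P<dport>\d+))?")


def parse_drop(line: str) -> Optional[Tuple[str, Optional[int]]]:
    """Extract (protocol, destination port) from one log line, or None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return m["proto"], dport


def tunnel_breaking_drops(log_lines: List[str], mode: str = "ipsec") -> List[Tuple[str, Optional[int]]]:
    """Return the dropped flows that the tunnel in `mode` depends on."""
    rules = required_rules(mode)
    hits = []
    for line in log_lines:
        parsed = parse_drop(line)
        if parsed and matches(rules, *parsed):
            hits.append(parsed)
    return hits


# Constructed sample log lines (addresses are documentation ranges, prefix is assumed).
SAMPLE_DROPS = [
    "kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=ESP SPI=0x1a2b3c4d",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=UDP SPT=500 DPT=500 LEN=8",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=UDP SPT=1701 DPT=1701 LEN=8",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP SPT=44123 DPT=23 LEN=40",
]

if __name__ == "__main__":
    for mode in ("ipsec", "l2tp-ipsec"):
        print(mode, "->", tunnel_breaking_drops(SAMPLE_DROPS, mode))
    # A "UDP port 50" rule does not cover ESP: the protocol field is what matters.
    print("UDP/50 covers ESP?", matches(required_rules("ipsec"), "UDP", 50))
```

For a pure IPsec tunnel the Telnet drop is irrelevant and the UDP 1701 drop is harmless; only once the mode is L2TP over IPsec does the 1701 drop become a tunnel problem, which is exactly the distinction the answer draws.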
 
BAFPAuthor Commented:
Thanks tonydav67 - Thanks for the info. The Router/Firewall is a Draytek 3300V - so yes the VPN tunnels will be starting or terminating at the firewall.

Bamit99 - thanks for the explanation - I guess I will have to have a variation of 192.168.xxx.yyy at different locations - is it best to have DHCP running at the "sites" or should I keep the IP addresses as static?
0
 
Amit BhatnagarCommented:
Use DHCP..:)...I have seen Admins using DHCP for as small as 5 Computers and a DC. I am expecting your sites to be, if not too much, then at least a little bigger than that. Also, if these sites have a local Server then use it as a DHCP, as using DHCP over the Tunnel can be tricky sometimes, though it works.
0
 
tonydav67Commented:
BAFP, just to clarify; at the remote sites you can use any subnet range. You don't have to use 192.168.(anything). Your only real consideration is that it is a private IP address range, of which the main ones are the 192.168.x.x range and the 10.x.x.x range, and ensuring that the remotes aren't using the same subnet range as your HQ.

Furthermore, at the remotes, you can use DHCP or assign a static IP address.  It won't matter as long as the IP address isn't part of the HQ address range.

From memory the 3300V will assign an address to the VPN connection. I think you actually give it a range of addresses to assign from. Certainly this is the way most VPN routers work.  Assuming this is the case, you will need to remove these addresses from your DHCP server (assign them as "reserved" addresses). Of course you may be using the inbuilt DHCP server in the 3300V and it may not need the addresses to be reserved.
0
 
BAFPAuthor Commented:
Thanks - I am aware the IP addresses cannot be the same for the HQ and the remote sites (i.e. if the HQ is 192.168.0.xxx then the remote sites can be 192.xxx.xxx.xxx or 10.xxx.xxx.xxx), however the confusion I have is:

Can all the remote sites be set on the subnet 192.168.1.xxx - will that work or do they all need to be different subnets?
0
 
BAFPAuthor Commented:
(sorry, forgot to add that the remote sites cannot or shouldn't be 192.168.0.xxx)
0
 
Amit BhatnagarCommented:
BAFP, do you still have confusion regarding the IP scheming? If Yes, I can try and explain it again...Point is no matter what IP range you keep....They should NEVER be same on two different sites. If they are....Packets destined for the other Network will never leave the initiating Network as the Destination IP would be considered In-House.
0
 
tonydav67Commented:
BAFP, to answer your specific question.

"Can all the remote sites be set on the subnet 192.168.1.xxx - will that work or do they all need to be different subnets?"

To ensure I'm answering the right question, you want to have your HQ on subnet 192.168.0.xxx and all of your branches on subnet 192.168.1.xxx?

Are you intending to send traffic between each of the branches?  I.e. from Branch1 via the VPN at HQ to Branch2? If so the question is; how will the router be able to distinguish between the Branch1 subnet and the Branch2 subnet if they're using the same range?

Even if you're not communicating from Branch1 to Branch2 it will still unnecessarily complicate matters, even if the 3300V is able to work around it.  So I'd say it *might* work but I'd strongly recommend against trying it.

For interest, what is the reason for wanting all branches on the same subnet range?
0
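To make both points concrete, the Python below is an added example (not from the thread or from Draytek): it mimics a host's forwarding decision to show why a packet from a Site1 machine to a Site2 machine on the same 192.168.1.xxx range is treated as "in-house" (Amit Bhatnagar's point above) and never reaches the router, and it checks a proposed HQ/branch address plan for overlapping subnets, which is the ambiguity tonydav67 raises about the router telling Branch1 from Branch2. The two address plans are constructed to match the question: HQ on 192.168.0.xxx with six branches either all on 192.168.1.xxx or on 192.168.1.xxx through 192.168.6.xxx; the gateway address is an assumption.

```python
"""Added example: local-vs-gateway forwarding decision and an overlap check
for an HQ-plus-branches VPN address plan."""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Tuple


def next_hop(host_iface: str, gateway: str, dst: str) -> str:
    """Mimic a host's forwarding decision for one destination.

    host_iface is the host's address with prefix length, e.g. "192.168.1.10/24".
    Destinations inside that prefix are delivered directly on the LAN (ARP),
    so they never reach the router and never enter the VPN; anything else is
    handed to the default gateway.
    """
    iface = ip_interface(host_iface)
    if ip_address(dst) in iface.network:
        return "on-link"
    return gateway


def overlapping_sites(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of site names whose subnets overlap (identical ranges included).

    A router cannot hold two distinct routes for the same prefix, so any pair
    reported here is a plan the HQ end cannot route unambiguously.
    """
    names = list(plan)
    nets = {name: ip_network(plan[name], strict=False) for name in names}
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


# Constructed plans mirroring the question: HQ on 192.168.0.x, six branches.
ALL_SAME_PLAN = {"HQ": "192.168.0.0/24"}
ALL_SAME_PLAN.update({f"Site{n}": "192.168.1.0/24" for n in range(1, 7)})

DISTINCT_PLAN = {"HQ": "192.168.0.0/24"}
DISTINCT_PLAN.update({f"Site{n}": f"192.168.{n}.0/24" for n in range(1, 7)})

SITE1_HOST = "192.168.1.10/24"   # a PC at Site1 (constructed)
SITE1_GATEWAY = "192.168.1.1"    # Site1's router LAN address (assumed)

if __name__ == "__main__":
    # Site1 PC to a Site2 PC when both sites use 192.168.1.x: stays on the local LAN.
    print("to Site2 host 192.168.1.50:", next_hop(SITE1_HOST, SITE1_GATEWAY, "192.168.1.50"))
    # Same Site1 PC to HQ: off-subnet, so it goes to the router and can enter the tunnel.
    print("to HQ host 192.168.0.20:  ", next_hop(SITE1_HOST, SITE1_GATEWAY, "192.168.0.20"))
    print("clashes, all sites same:  ", overlapping_sites(ALL_SAME_PLAN))
    print("clashes, distinct subnets:", overlapping_sites(DISTINCT_PLAN))
```

With every branch on 192.168.1.0/24 the overlap check reports all fifteen branch pairs, while the distinct-subnet plan reports none; the forwarding check shows that even branch-to-HQ traffic works in the overlapping plan, which is why the setup can appear to work until branch-to-branch traffic is needed.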
 
BAFPAuthor Commented:
Thanks for all your help.

The only reason for trying to keep the IPs the same for the remote sites was purely to enable quicker or faster deployment.

I have setup the VPNs with different IP Subnets and it all seems to work fine!

Thanks again for your input...
0
 
Amit BhatnagarCommented:
I am glad it all worked out just fine for you. TC...:)
0
