Solved

VPN setup and planning - peer to peer network - soho

Posted on 2010-08-26
Last Modified: 2012-06-18
I'm planning on setting up a VPN for a small office home office setup.  All PC systems will be running WinXP and the requirement is to have a remote user connect to the office's peer to peer network.  The remote user will only need to access one computer on the LAN.  I have several simple questions that need to be clarified:

1.  Is it mandatory that I purchase a VPN router or a UTM appliance with VPN capabilities?

I notice a lot of people on EE always talk about getting a VPN router to connect to another network.  My current networks only use simple Linksys routers with no VPN capabilities.  I do want to purchase a UTM appliance for this network in the future so I can enhance security.


2.  Will I also have to purchase VPN client software in addition to this or can I use the built-in software of WinXP?

I can easily setup the VPN server and client configurations for WinXP but I'm not sure if they're secure enough to use.  Can IPSEC and L2TP be setup easily on the WinXP built-in software?

3.  I have about 7 computers on the LAN but I only need the remote user to connect to one of the computers.  Do I need to order 7 static IP addresses or can I have one static address and the rest use DHCP?  

I told my internet service provider that I needed only one IP address but I wasn't sure.  I asked for assistance but they gave me the run around.  They just said we have to upgrade your modem.

4. If you pick the latter method of setting up the VPN (one static and rest DHCP), how would you setup the network layout?

modem - VPN router - LAN(server inside)?

modem - server - router - LAN?

modem - router - server - switch - LAN?
Question by:EE_User12
 
LVL 3

Assisted Solution

by:Blood
Blood earned 20 total points
ID: 33535517
1) You will need devices on both ends that are capable of establishing a point to point VPN tunnel using some agreed method of encryption. You can use PC software and a hardware device (a la SonicWall) to do it as well, but you might as well buy two Linksys VPN enabled firewalls and be done with it.

2) If you use network devices you will not need any software on the client to get data between locations.

3) The VPN will terminate at the ingress point of the office just before you allocate your private IP space.  You should be able to route with only 1 IP address because you will be joining both networks and routing through the tunnel.

4)

Home -> Firewall/VPN -> Internet <- Firewall/VPN - Network - Office

The point to point connection allows the networks to speak to each other if you wish, and the firewall allows you to dictate ACLs for the 1 home PC to speak to the 1 or 2 office PCs...etc.
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 150 total points
ID: 33535536
modem - VPN router - LAN(server inside)

Some routers support open-source VPN clients which are generally more secure than the simple VPN client Windows has.

Netscreen NS5GT is cheap on eBay and can handle this.

I hope this helps!
0
 
LVL 8

Assisted Solution

by:jimmyray7
jimmyray7 earned 220 total points
ID: 33537252
If you don't want to purchase hardware, you can use OpenVPN to set up a secure tunnel.  Some configuration is required, but it's pretty well documented.
0
 

Author Comment

by:EE_User12
ID: 33538588
I am leaning towards Sonicwall appliances but if I were to get a used Netscreen appliance off ebay, how do I get a subscription to keep the appliance up-to-date?  I'm assuming this model has fallen off support.

My remote user will not be fixed to one area so my setup will most likely be a remote access VPN rather than site to site so I'm assuming that I need a 3rd party software to connect to my appliance?

After ordering the static ip address, I was given a gateway, usable IP address, subnet mask, primary and secondary DNS.  In order to access my server machine on my network, will the server be configured with a fixed IP address while the rest of the LAN machines are set to dynamic or is the router set to the usable ip address?  This is where I'm a bit confused.  


0
 
LVL 8

Assisted Solution

by:jimmyray7
jimmyray7 earned 220 total points
ID: 33538799
Sonicwalls are very well regarded. Sonicwall also has a software VPN client for traveling users.

As far as your network setup, you've got it right. You'll give your servers private static IP addresses and your PCs can use DHCP.
0
 

Author Comment

by:EE_User12
ID: 33542478
So, if I had the following:

Server
static IP 70.40.200.110
subnet 255.255.255.252


For the other LAN PCs:

I first set the router to DHCP and all NICs to obtain IPs and DNS automatically.

Do I have to specify on the router the same address class range as the static IP to hand out addresses or do I keep them in a private address range?

For example, the DHCP will start giving out addresses at 70.40.200.111 to 70.40.200.x

or

do I keep them in a private address range at 192.168.1.100 to 192.168.1.x?


I also saw in a tutorial that a person used the route command. Is this something I have to do in addition to everything else?

http://homenethelp.com/vpn/router-routing.asp

Thanks to everyone.

0
 
LVL 8

Assisted Solution

by:dosdet2
dosdet2 earned 60 total points
ID: 33542646
One cool thing about sonicwall is that you can use the same subnet range at both sides and they do a translation so you don't have any conflicts with the duplication of IPs.  All devices can be accessed from either side (if Permissions allow).

I don't know if you have a use for that, but for us, we have remote backup servers running with the same IP & DNS settings as the live servers. That way if the backup servers are needed to run live, there is no configuration needed to install them.
Just food for thought.
0
 
LVL 8

Accepted Solution

by:jimmyray7
jimmyray7 earned 220 total points
ID: 33543296
You'll want to set the LAN side of the sonicwall to a private address range like the 192.... network you listed.  The WAN will get the public IP address.

You shouldn't need to issue any route commands with the setup you're proposing.  The sonicwall will handle that for you.


Sounds like you've got it all sorted out!  Let us know if you have any other questions.
0
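The addressing question in this exchange (hand out public addresses on the LAN, or keep the LAN private?) worked through as an added example; this is not code from the thread, from SonicWall or from any poster. It uses the asker's own numbers (70.40.200.110 with mask 255.255.255.252) to show why a /30 from the ISP has room for exactly two hosts, the ISP gateway and the appliance's WAN interface, and why the proposed public DHCP pool cannot fit. The private LAN layout (192.168.1.0/24, server reserved at 192.168.1.10, pool 192.168.1.100-199) and the upper bound of the public pool are assumptions for the example.

```python
import ipaddress

# The asker's example WAN assignment from the thread (a /30 from the ISP).
ISP_WAN_ADDRESS = "70.40.200.110"
ISP_WAN_MASK = "255.255.255.252"
# The pool the asker wondered about handing out on the LAN
# ("70.40.200.111 to 70.40.200.x"); the upper bound is a constructed value.
PUBLIC_POOL = ("70.40.200.111", "70.40.200.120")

# Private LAN layout: assumed for this example, not taken from the thread.
LAN_NETWORK = "192.168.1.0/24"
SERVER_ADDRESS = "192.168.1.10"            # fixed via a DHCP reservation
PRIVATE_POOL = ("192.168.1.100", "192.168.1.199")


def usable_hosts(address: str, mask: str) -> list:
    """Every host address the ISP's subnet can actually hold."""
    iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    return [str(h) for h in iface.network.hosts()]


def pool_fits(network: str, first: str, last: str) -> bool:
    """True when both ends of a DHCP pool are valid hosts of `network`
    (network and broadcast addresses do not count as hosts)."""
    net = ipaddress.ip_network(network, strict=False)
    hosts = set(net.hosts())
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo in hosts and hi in hosts and lo <= hi


def reservation_outside_pool(address: str, first: str, last: str) -> bool:
    """A server's fixed address must not collide with the dynamic pool."""
    addr = ipaddress.ip_address(address)
    return not (ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last))


def plan_addressing() -> dict:
    """Check the asker's two options against plain subnet arithmetic."""
    wan_net = ipaddress.IPv4Interface(f"{ISP_WAN_ADDRESS}/{ISP_WAN_MASK}").network
    return {
        "wan_network": str(wan_net),
        # With a /30 there is room for exactly two hosts: the ISP gateway and
        # the appliance's WAN interface. Nothing is left for LAN machines.
        "wan_usable_hosts": usable_hosts(ISP_WAN_ADDRESS, ISP_WAN_MASK),
        "public_pool_fits": pool_fits(str(wan_net), *PUBLIC_POOL),
        "private_pool_fits": pool_fits(LAN_NETWORK, *PRIVATE_POOL),
        "server_outside_pool": reservation_outside_pool(SERVER_ADDRESS, *PRIVATE_POOL),
        # What a VPN client types once the tunnel is up: the private address.
        "server_unc_path": "\\\\" + SERVER_ADDRESS + "\\",
    }


if __name__ == "__main__":
    for key, value in plan_addressing().items():
        print(f"{key:>20}: {value}")
```

The appliance's WAN interface takes 70.40.200.110, the LAN side takes the private range, and the server's reservation sits outside the dynamic pool so a lease can never be handed to another machine; remote clients then reach the server by its private address over the tunnel.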
 
LVL 63

Expert Comment

by:SysExpert
ID: 33543536
NS 5GT has next day support until the end of 2012.
You can buy support for about $70 per year, with the 1st year double that (if not a new purchase).
10 VPN client licenses are about $100.
0
 
LVL 8

Assisted Solution

by:dosdet2
dosdet2 earned 60 total points
ID: 33543683
I wanted to be clear on what I was saying about having the same subnet on both sides.  

I was talking about both sides of the VPN and not both sides of a router. See attached pic for explanation.

EE-User12, are you talking about client VPNs or site-to-site?

You have a lot of good information here!

:-)

Sonicwall-VPN.jpg
0
 

Author Comment

by:EE_User12
ID: 33550506
@dosdet2:

I will be setting up a remote access VPN (client to site), not site to site.  I want a remote user to be able to access the server from anywhere and not restricted to a specific site.  The office is the only site with a static IP address.

Thanks to everyone, for filling in the knowledge gaps for me.  I'll take the next several weeks to try to put this together and see what I get.
0
 

Author Comment

by:EE_User12
ID: 33761641
Okay, thanks again to everyone who contributed.  Sorry it took so long to respond.  I've been busy tackling IT certs.

I purchased a SonicWall TZ-200 wireless UTM appliance. I have set up the network as such:

Internet --- SonicWall TZ200 (wireless, DHCP) --- Simple Linksys Switch (10/100Mbps) --- LAN (4 workstations + 1 server)

DHCP is set on the SonicWall only and disabled on the Linksys switch to avoid conflict. All the workstation NICs are set up for DHCP now. I plan to upgrade the switch to a gigabit switch in the future.

I was able to register the appliance and set up the basic things on the SonicWall appliance. I haven't tackled the VPN stuff yet. I will need to read the documentation on SonicWall's website.

First I need to tackle a simple LAN issue.  All the computers on the Linksys switch can see each other and share resources with the server but the wireless laptops connecting through the SonicWall device are unable to see the server and the rest of the LAN.  The laptops can successfully connect to the SonicWall wirelessly and get Internet access only.  They just can't see or connect to the workgroup and its shares.

I'm using the basic interface settings:

W0   WLAN   172.16.31.1                    255.255.255.0   static
X0   LAN    192.168.1.1                    255.255.255.0   static
X1   WAN    (assigned static IP address)                   static

I noticed that the wireless part defaulted to the private address 172.16.31.1 etc....  I'm not sure if this is causing the problem.  Do I need to create a special route to the X0 interface?  I noticed that SonicWall has something under Networks | Routing with something called RIP advertisements.

Also in preparation for the VPN setup, do I have to set the server's NIC properties to the static IP addresses?  I have set all of these static address settings in my SonicWall appliance and Linksys switch.  All the computers are getting things currently through DHCP.

0
 

Author Comment

by:EE_User12
ID: 33764942
I was able to resolve the wireless issue with the SonicWall.  For those of you who can't get your wireless clients to access resources on your LAN, create a bridge between your WLAN and LAN interfaces.

Go to SonicWall's knowledge base and look up an article entitled "How to configure the WLAN Interface in L2 Bridge Mode (WLAN and LAN on same subnet)."  The KBID is 7081.

This will bridge the interfaces and allow your wireless clients to obtain an IP address from your SonicWall configured for DHCP and allow you to access resources on your LAN.

By default, the firewall access rules denies all traffic between the WLAN and LAN.  See SonicWall wireless article KBID 7454 for details.

Based on my research on EE and on the Web, I'm assuming alternative solutions to this problem include the following:

1.  Change the firewall access rules between WLAN and LAN.
2.  Give port access to a specific device (i.e. - printer)
3.  Use VPN to log wireless clients into your LAN.
4.  Disable the wireless capability in your SonicWall device and attach an access point directly to your LAN switch.

For security reasons, remember to harden your wireless device.


Now I'll be working on setting up the VPN connection. Again, do I need to assign a static address to my server? I'm currently using DHCP assigned addresses and I read something about static DHCP addresses for servers. I most likely will attempt to set things up with the GVC client software.

My plan is to setup the GVC client to the static IP addresses my ISP gave me and then log on to the static DHCP address on my LAN to access resources???  

 
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 150 total points
ID: 33765880
Looks good so far.

Servers generally have fixed IPs, but depending on how you set up DNS, it may not be essential.

Your DHCP addresses will generally not change much unless you have a lot of computers and set up DHCP for a short lease.

Continue testing to see if your plan works out.

0
 

Author Comment

by:EE_User12
ID: 33789430
If my network for example was:

ip address          69.40.150.111
gateway            69.40.150.110
server on LAN  192.168.50.100

<these numbers are made up>

Do I configure the server to the static IP address given by the ISP, the static IP address of the gateway given by the ISP or the static private IP address on my LAN?

I have configured the server to a private address on my LAN.



For the Global VPN client which of the above addresses do I use?

I have configured it to the static gateway IP address.  
I am unable to ping the static IP address and can only ping the gateway address.


I am receiving errors with the GVC.  ISAKMP phase 1 is failing for the specific IP address.  Peer is not responding to the ISAKMP requests.  It also says that the localhost cannot find a specific MAC address in the interface table.

0
 

Author Comment

by:EE_User12
ID: 33791748
I was able to resolve everything.  I got the Global VPN Client (GVC) to connect to the SonicWall and it's working great.  Man this was a challenge.  I will write a summary at the very end to help other small business owners setup their own remote access to site VPN.

All my settings on the server side were correct.  SonicWall has a good video on how to setup the GVC on their website.  Look under the Technical Tutorials for a video entitled "Configuring the SonicWALL Global VPN Client."  My only problem was the client side configuration.

With my latest issue, make sure you do the following on the client side:

1.  In the GVC make sure you set the IP address to the usable IP address (i.e. -  69.40.150.111) given by your ISP, not your gateway's IP address (i.e. -  69.40.150.110).

2. After installing the GVC software, make sure to reboot the computer for changes to take effect.

3.  Make sure you disable the Windows firewall or give access to the GVC app.  If you have any other 3rd party firewall app (Norton or Avast), make sure you give permissions for the GVC to access the Internet and also open UDP ports 500 and 4500.

4.  If your client is behind a router and not directly connected to the cable/DSL modem, make sure the router is set to allow IPSec NAT passthrough, especially if you're using NAT. NAT and IPSec don't go well together.

Basically, something was blocking the client from accessing the Internet and somehow I resolved this by double checking everything and resetting everything.

Thanks again to everyone for helping me achieve success.  I'll start handing out the points in a couple days.
0
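Steps 3 and 4 above (open UDP 500 and 4500, allow IPsec passthrough) and the ISAKMP phase 1 failure from the earlier comment come from one mechanism: IKE's NAT discovery. The following is an added example, not code from the thread, from SonicWall or from the Global VPN Client; it simulates the NAT-D payloads that RFC 3947 adds to ISAKMP phase 1 so each side can tell whether a NAT rewrote the addresses in transit, and derives from the result which ports a client-side firewall or home router must pass. The addresses, ports and cookie values are constructed, and SHA-1 is assumed as the hash the phase 1 proposal negotiated.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (random 8-byte values in a real exchange).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).

    The hash function is whatever the phase 1 SA agreed on; SHA-1 is assumed here.
    IP is the 4-byte address, Port is 2 bytes in network byte order."""
    packed_ip = ipaddress.IPv4Address(ip).packed
    packed_port = struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed_ip + packed_port).digest()


def negotiate_transport(initiator_ip, initiator_port, seen_src_ip, seen_src_port,
                        responder_ip, responder_port, responder_local_ip=None):
    """Simulate NAT discovery between a VPN client (initiator) and the gateway.

    The initiator hashes the addresses *it* believes it is using; the responder
    recomputes the same hashes from what it actually observes on the wire (and
    from its own interface address). Any mismatch means a NAT sits in between."""
    responder_local_ip = responder_local_ip or responder_ip
    # NAT-D payloads the initiator sends: its source, then the destination it used.
    sent_src = nat_d_hash(CKY_I, CKY_R, initiator_ip, initiator_port)
    sent_dst = nat_d_hash(CKY_I, CKY_R, responder_ip, responder_port)
    # The responder's view of the same two endpoints.
    seen_src = nat_d_hash(CKY_I, CKY_R, seen_src_ip, seen_src_port)
    own_dst = nat_d_hash(CKY_I, CKY_R, responder_local_ip, responder_port)
    nat_on_initiator = sent_src != seen_src
    nat_on_responder = sent_dst != own_dst
    nat_t = nat_on_initiator or nat_on_responder
    return {
        "nat_on_initiator": nat_on_initiator,
        "nat_on_responder": nat_on_responder,
        "nat_traversal": nat_t,
        # With NAT-T both IKE and ESP "float" to UDP 4500; without it IKE stays
        # on UDP 500 and ESP travels as bare IP protocol 50.
        "ike_port": 4500 if nat_t else 500,
        "esp_transport": "udp/4500" if nat_t else "ip/50",
    }


def required_allowances(result: dict) -> set:
    """What a client-side firewall or home router must let through."""
    allow = {("udp", 500)}  # phase 1 always begins on UDP 500
    if result["nat_traversal"]:
        allow.add(("udp", 4500))
    else:
        # Bare ESP has no ports; a NAT router forwards it only with its
        # "IPsec passthrough" feature enabled.
        allow.add(("esp", 50))
    return allow


if __name__ == "__main__":
    # Constructed scenario: laptop on a home LAN behind a NAT router, talking
    # to the office appliance's public WAN address.
    behind_nat = negotiate_transport("192.168.1.50", 500, "203.0.113.7", 41000,
                                     "198.51.100.10", 500)
    direct = negotiate_transport("203.0.113.7", 500, "203.0.113.7", 500,
                                 "198.51.100.10", 500)
    for name, r in (("behind NAT", behind_nat), ("direct", direct)):
        print(f"{name}: {r} -> allow {sorted(required_allowances(r))}")
```

If the client's firewall drops UDP 500, the first phase 1 packet never leaves and the peer appears not to respond; if it passes 500 but drops 4500, the exchange detects the NAT, floats to 4500 and then stalls, which is why both ports are on the checklist even though only one of them carries the tunnel in the end.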
 
LVL 8

Expert Comment

by:dosdet2
ID: 33791815
That's Great!  Thanks for the Client side info.  
I've done mainly site-to-site so I will be saving this for future reference.
Thanks, again.
0
 

Author Comment

by:EE_User12
ID: 33824057

Summary of How to Setup a Remote Access Client to a SonicWALL Site VPN for Small Businesses

goal:  How to setup a client to site VPN for a small business with a SonicWALL UTM appliance.

keywords:  SonicWALL UTM, client to site VPN, small business

When purchasing a static IP address from your ISP, you only need to purchase an IP address per division or per workgroup in your company.  You don't need to purchase a static IP address for every computer in your organization.  You can use DHCP or even set static PRIVATE IP addresses within your LAN.  In my case, I had one server on one workgroup that needed to be accessed by several remote users so I purchased only one static IP address from my ISP.  Don't expect the ISP to help you.  They know nothing about this.  They were there only to install a new modem.  I'm an IT professional but I do not specialize in networking.

Why not set the VPN as a site to site?  

Because I didn't want remote users to be tied down to one site.  The site to site setup is good for a remote office that wants to connect with the main office and the remote access setup provides my users with more flexibility.

I chose SonicWall because of its reputation and that it provides security services that are up-to-date. I like all the UTM features that it provides and VPN was just one of those great features.

My network layout was the following:

Internet -- Modem -- SonicWall (TZ-200) -- Switch -- LAN Workgroup (server + multiple workstations (wired & wireless))

All documentation for the SonicWall was on their support website.  It wasn't included with the device.  Search the Knowledge Base and watch the tutorial videos on how to setup things.

You can setup a VPN with the Global VPN Client (GVC) or use their VPN-SSL feature.  In the former you have to install software on the clients' computers and in the latter, you use a web browser to access resources.  Note there are licensing restrictions with the VPN features so you have to buy the right number of access licenses per user.

Initially, the SonicWall device segregates the interface ports between the wireless devices and the LAN so if you're having problems getting your wireless users to connect to your LAN this is the reason.  They did this on purpose for security reasons but failed to mention it clearly in their quick setup pamphlet.  You can resolve this issue by bridging the wireless interface to the LAN interface.  See my previous posts for other recommendations.  Also make sure to harden your wireless settings since bridging the interfaces can give potential access to other (unauthorized) wireless users.

Any computer that I wanted to access on the LAN via the VPN, I set the computers with a static PRIVATE address with my DNS settings pointing to the WAN's settings.  Make sure to add the static private IP addresses to the SonicWALL.  See how to setup "static DHCP addresses" on the SonicWALL support site.  The static IP addresses your ISP gave you will be used for setting up the SonicWall and switches.  The rest of the computers on your LAN can use DHCP.
 
When setting up the GVC software, you will configure it to the WAN's static IP address, not the gateway's address, but I believe there is an option in the software to use the gateway's address too. If you have problems connecting with the GVC software, make sure you open up all the ports (UDP ports 500 & 4500) and reboot after installing the software so changes can take effect. I believe you have to reboot because it installs some kind of adapter on the PC. Make sure your routers or switches allow IPSec passthrough as well. These tips will prevent you from receiving the failed ISAKMP negotiation error and the failed to find MAC address (00:60:73:xx:xx:xx) error. These errors basically mean something is blocking the GVC from accessing the Internet.

After setting up the GVC and the static PRIVATE IP addresses properly, you can use these to access shared resources on your LAN by running \\private address\ or by using Microsoft's Remote Desktop pointing to the private IP address of the computer you want to access. You can gain access to your server or any other computer on the LAN as long as they have a static PRIVATE IP address assigned to them.

The hardest things for me were dealing with the addresses and the annoying default settings that SonicWALL came with, but with proper planning and setup it can streamline things. Use a combination of this thread, the SonicWALL support website, and Experts Exchange search to help you set up your SonicWALL UTM appliance with secure VPN access. I also recommend that you do searches on how to harden your network, VPN, remote desktop, and other settings.
0
 

Author Closing Comment

by:EE_User12
ID: 33824208
I left a summary to help anybody in the future.
0
 

Author Comment

by:EE_User12
ID: 33853297
Some additional related issues with setting up a SonicWALL VPN:

Pass Remote Desktop through the SonicWALL VPN tunnel
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_26514254.html

Client's Computer Loses Internet Connectivity with SonicWALL's Global VPN Client (GVC)
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_26519223.html

0