

VPN setup and planning - peer to peer network - soho

Posted on 2010-08-26
Medium Priority
Last Modified: 2012-06-18
I'm planning on setting up a VPN for a small office home office setup.  All PC systems will be running WinXP and the requirement is to have a remote user connect to the office's peer to peer network.  The remote user will only need to access one computer on the LAN.  I have several simple questions that need to be clarified:

1.  Is it mandatory that I purchase a VPN router or a UTM appliance with VPN capabilities?

I notice a lot of people on EE always talk about getting a VPN router to connect to another network.  My current networks only use simple Linksys routers with no VPN capabilities.  I do want to purchase a UTM appliance for this network in the future so I can enhance security.

2.  Will I also have to purchase VPN client software in addition to this or can I use the built-in software of WinXP?

I can easily setup the VPN server and client configurations for WinXP but I'm not sure if they're secure enough to use.  Can IPSEC and L2TP be setup easily on the WinXP built-in software?

3.  I have about 7 computers on the LAN but I only need the remote user to connect to one of the computers.  Do I need to order 7 static IP addresses or can I have one static address and the rest use DHCP?  

I told my internet service provider that I needed only one IP address but I wasn't sure.  I asked for assistance but they gave me the run around.  They just said we have to upgrade your modem.

4. If you pick the latter method of setting up the VPN (one static and rest DHCP), how would you setup the network layout?

modem - VPN router - LAN(server inside)?

modem - server - router - LAN?

modem - router - server - switch - LAN?
Question by:EE_User12

Assisted Solution

Blood earned 80 total points
ID: 33535517
1) You will need some device on both ends that is capable of establishing a point to point VPN tunnel using some agreed method of encryption. You can use PC software and a hardware device (a la SonicWall) to do it as well, but you might as well buy two Linksys VPN-enabled firewalls and be done with it.

2) If you use network devices you will not need any software on the client to get data between locations.

3) The VPN will terminate at the ingress point of the office just before you allocate your private IP space.  You should be able to route with only 1 IP address because you will be joining both networks and routing through the tunnel.


Home -> Firewall/VPN -> Internet <- Firewall/VPN - Network - Office

The point to point connection allows the networks to speak to each other if you wish, and the firewall allows you to dictate ACL's for the 1 home PC to speak to the 1 or 2 office PC's...etc.

Assisted Solution

SysExpert earned 600 total points
ID: 33535536
modem - VPN router - LAN(server inside)

Some routers support open source VPN clients which are generally more secure than the simple VPN client Windows has.

NetScreen NS5GT is cheap on eBay and can handle this.

 I hope this helps !

Assisted Solution

jimmyray7 earned 880 total points
ID: 33537252
If you don't want to purchase hardware, you can use OpenVPN to set up a secure tunnel.  Some configuration is required, but it's pretty well documented.
Author Comment

ID: 33538588
I am leaning towards Sonicwall appliances but if I were to get a used Netscreen appliance off ebay, how do I get a subscription to keep the appliance up-to-date?  I'm assuming this model has fallen off support.

My remote user will not be fixed to one area so my setup will most likely be a remote access VPN rather than site to site so I'm assuming that I need a 3rd party software to connect to my appliance?

After ordering the static ip address, I was given a gateway, usable IP address, subnet mask, primary and secondary DNS.  In order to access my server machine on my network, will the server be configured with a fixed IP address while the rest of the LAN machines are set to dynamic or is the router set to the usable ip address?  This is where I'm a bit confused.  


Assisted Solution

jimmyray7 earned 880 total points
ID: 33538799
Sonicwall's are very well regarded. Sonicwall also has a software VPN client for traveling users.

As far as your network setup, you've got it right. You'll give your servers private static IP addresses and your PCs can use DHCP.

Author Comment

ID: 33542478
So, if I had the following:

static IP

For the other LAN PCs:

I first set the router to DHCP and all NICs to obtain IPs and DNSs automatically.

Do I have to specify on the router the same address class range as the static IP to hand out addresses or do I keep them in a private address range?

For example, the DHCP will start giving out addresses at to 70.40.200.x


do I keep them in a private address range at to 192.168.1.x?

I also saw in a tutorial that a person used the route command. Is this something I have to do in addition to everything else?

Thanks to everyone.


Assisted Solution

dosdet2 earned 240 total points
ID: 33542646
One cool thing about SonicWall is that you can use the same subnet range at both sides and they do a translation so you don't have any conflicts with the duplication of IPs.  All devices can be accessed from either side (if permissions allow).

I don't know if you have use for that, but for us - we have remote backup servers running with the same IP & DNS settings as the live servers.  That way if the backup servers are needed to run live, there is no configuration needed to install them.  
Just food for thought.

Accepted Solution

jimmyray7 earned 880 total points
ID: 33543296
You'll want to set the LAN side of the sonicwall to a private address range like the 192.... network you listed.  The WAN will get the public IP address.

You shouldn't need to issue any route commands with the setup you're proposing.  The sonicwall will handle that for you.

Sounds like you've got it all sorted out!  Let us know if you have any other questions.

Expert Comment

ID: 33543536
NS 5GT has next day support until the end of 2012.
You can buy support for about $70 per year, with the 1st year double that (if not a new purchase).
10 VPN client licenses are about $100.


Assisted Solution

dosdet2 earned 240 total points
ID: 33543683
I wanted to be clear on what I was saying about having the same subnet on both sides.  

I was talking about both sides of the VPN and not both sides of a router.  See attached Pic for explanation.

EE-User12, are you talking about client VPN's or Site-to-Site?

You have a lot of good information here!



Author Comment

ID: 33550506

I will be setting up a remote access VPN (client to site), not site to site.  I want a remote user to be able to access the server from anywhere and not restricted to a specific site.  The office is the only site with a static IP address.

Thanks to everyone, for filling in the knowledge gaps for me.  I'll take the next several weeks to try to put this together and see what I get.

Author Comment

ID: 33761641
Okay, thanks again to everyone who contributed.  Sorry it took so long to respond.  I've been busy tackling IT certs.

I purchased a SonicWall TZ-200 wireless UTM appliance.  I have setup the network as such:

Internet --- SonicWall TZ200 (wireless, DHCP) --- Simple Linksys Switch (10/100Mbps) --- LAN (4 workstations + 1 server)

DHCP is set on the SonicWall only and disabled on the Linksys switch to avoid conflict. All the workstation NICS are setup to DHCP now.  I plan to upgrade the switch to a gigabit switch in the future.

I was able to register the appliance and setup the basic things on the SonicWall appliance.  I haven't tackled the VPN stuff yet.  I will need to read the documentation on SonicWall's website.  

First I need to tackle a simple LAN issue.  All the computers on the Linksys switch can see each other and share resources with the server but the wireless laptops connecting through the SonicWall device are unable to see the server and the rest of the LAN.  The laptops can successfully connect to the SonicWall wirelessly and get Internet access only.  They just can't see or connect to the workgroup and its shares.

I'm using the basic interface settings:

W0   WLAN     static
X0     LAN     static
X1    WAN      (assigned static IP address)          static

I noticed that the wireless part defaulted to the private address etc....  I'm not sure if this is causing the problem.  Do I need to create a special route to the X0 interface?  I noticed that SonicWall has something under Networks | Routing with something called RIP advertisements.

Also in preparation for the VPN setup, do I have to set the server's NIC properties to the static IP addresses?  I have set all of these static address settings in my SonicWall appliance and Linksys switch.  All the computers are getting things currently through DHCP.


Author Comment

ID: 33764942
I was able to resolve the wireless issue with the SonicWall.  For those of you who can't get your wireless clients to access resources on your LAN, create a bridge between your WLAN and LAN interfaces.

Go to SonicWall's knowledge base and look up an article entitled "How to configure the WLAN Interface in L2 Bridge Mode (WLAN and LAN on same subnet)."  The KBID is 7081.

This will bridge the interfaces and allow your wireless clients to obtain an IP address from your SonicWall configured for DHCP and allow you to access resources on your LAN.

By default, the firewall access rules denies all traffic between the WLAN and LAN.  See SonicWall wireless article KBID 7454 for details.

Based on my research on EE and on the Web, I'm assuming alternative solutions to this problem include the following:

1.  Change the firewall access rules between WLAN and LAN.
2.  Give port access to a specific device (i.e. - printer)
3.  Use VPN to log wireless clients into your LAN.
4.  Disable the wireless capability in your SonicWall device and attach an access point directly to your LAN switch.

For security reasons, remember to harden your wireless device.

Now I'll be working on setting up the VPN connection.  Again, do I need to assign a static address to my server?  I'm currently using DHCP assigned addresses and I read something about static DHCP addresses for servers.  I most likely will attempt to set things up with the GVC client software.

My plan is to setup the GVC client to the static IP addresses my ISP gave me and then log on to the static DHCP address on my LAN to access resources???  


Assisted Solution

SysExpert earned 600 total points
ID: 33765880
Looks good so far.

Servers generally have fixed IPs, but depending on how you set up DNS, it may not be essential.

Your DHCP addresses will generally not change much unless you have a lot of computers and set up DHCP for a short lease.

Continue testing to see if your plan works out.


Author Comment

ID: 33789430
If my network for example was:

ip address
server on LAN

<these numbers are made up>

Do I configure the server to the static IP address given by the ISP, the static IP address of the gateway given by the ISP or the static private IP address on my LAN?

I have configured the server to a private address on my LAN.

For the Global VPN client which of the above addresses do I use?

I have configured it to the static gateway IP address.  
I am unable to ping the static IP address and can only ping the gateway address.

I am receiving errors with the GVC.  ISAKMP phase 1 is failing for the specific IP address.  Peer is not responding to the ISAKMP requests.  It also says that the localhost cannot find a specific MAC address in the interface table.


Author Comment

ID: 33791748
I was able to resolve everything.  I got the Global VPN Client (GVC) to connect to the SonicWall and it's working great.  Man this was a challenge.  I will write a summary at the very end to help other small business owners setup their own remote access to site VPN.

All my settings on the server side were correct.  SonicWall has a good video on how to setup the GVC on their website.  Look under the Technical Tutorials for a video entitled "Configuring the SonicWALL Global VPN Client."  My only problem was the client side configuration.

With my latest issue, make sure you do the following on the client side:

1.  In the GVC make sure you set the IP address to the usable IP address (i.e. - given by your ISP, not your gateway's IP address (i.e. -

2. After installing the GVC software, make sure to reboot the computer for changes to take effect.

3.  Make sure you disable the Windows firewall or give access to the GVC app.  If you have any other 3rd party firewall app (Norton or Avast), make sure you give permissions for the GVC to access the Internet and also open UDP ports 500 and 4500.

4.  If your client is behind a router and not directly connected to the cable/DSL modem, make sure the router is set to allow IPSec Nat Passthrough especially if you're using NAT.  NAT and IPSec don't go well together.

Basically, something was blocking the client from accessing the Internet and somehow I resolved this by double checking everything and resetting everything.

Thanks again to everyone for helping me achieve success.  I'll start handing out the points in a couple days.

Expert Comment

ID: 33791815
That's Great!  Thanks for the Client side info.  
I've done mainly site-to-site so I will be saving this for future reference.
Thanks, again.

Author Comment

ID: 33824057

Summary of How to Setup a Remote Access Client to a SonicWALL Site VPN for Small Businesses

goal:  How to setup a client to site VPN for a small business with a SonicWALL UTM appliance.

keywords:  SonicWALL UTM, client to site VPN, small business

When purchasing a static IP address from your ISP, you only need to purchase an IP address per division or per workgroup in your company.  You don't need to purchase a static IP address for every computer in your organization.  You can use DHCP or even set static PRIVATE IP addresses within your LAN.  In my case, I had one server on one workgroup that needed to be accessed by several remote users so I purchased only one static IP address from my ISP.  Don't expect the ISP to help you.  They know nothing about this.  They were there only to install a new modem.  I'm an IT professional but I do not specialize in networking.

Why not set the VPN as a site to site?  

Because I didn't want remote users to be tied down to one site.  The site to site setup is good for a remote office that wants to connect with the main office and the remote access setup provides my users with more flexibility.

I chose SonicWall because of its reputation and that it provides security services that are up-to-date.  I like all the UTM features that it provides and VPN was just one of those great features.
My network layout was the following:

Internet -- Modem -- SonicWall (TZ-200) -- Switch -- LAN Workgroup (server + multiple workstations (wired & wireless))

All documentation for the SonicWall was on their support website.  It wasn't included with the device.  Search the Knowledge Base and watch the tutorial videos on how to setup things.

You can setup a VPN with the Global VPN Client (GVC) or use their VPN-SSL feature.  In the former you have to install software on the clients' computers and in the latter, you use a web browser to access resources.  Note there are licensing restrictions with the VPN features so you have to buy the right number of access licenses per user.

Initially, the SonicWall device segregates the interface ports between the wireless devices and the LAN so if you're having problems getting your wireless users to connect to your LAN this is the reason.  They did this on purpose for security reasons but failed to mention it clearly in their quick setup pamphlet.  You can resolve this issue by bridging the wireless interface to the LAN interface.  See my previous posts for other recommendations.  Also make sure to harden your wireless settings since bridging the interfaces can give potential access to other (unauthorized) wireless users.

Any computer that I wanted to access on the LAN via the VPN, I set the computers with a static PRIVATE address with my DNS settings pointing to the WAN's settings.  Make sure to add the static private IP addresses to the SonicWALL.  See how to setup "static DHCP addresses" on the SonicWALL support site.  The static IP addresses your ISP gave you will be used for setting up the SonicWall and switches.  The rest of the computers on your LAN can use DHCP.
When setting up the GVC software, you will configure it to the WAN's static IP address, not the gateway's address, but I believe there is an option in the software to use the gateway's address too.  If you have problems connecting with the GVC software, make sure you open up all the ports (UDP ports 500 & 4500) and reboot after installing the software so changes can take effect.  I believe you have to reboot because it installs some kind of adapter on the PC.  Make sure your routers or switches allow IPSec passthrough as well.  These tips will prevent you from receiving the failed ISAKMP negotiation error and the failed to find MAC address (00:60:73:xx:xx:xx) error.  These errors basically mean something is blocking the GVC from accessing the Internet.

After setting up the GVC and the static PRIVATE IP addresses properly, you can use these to access shared resources on your LAN by running \\private address\ or by using Microsoft's Remote Desktop pointing to the private IP address of the computer you want to access.  You can gain access to your server or any other computer on the LAN as long as they have a static PRIVATE IP address assigned to them.
The hardest things for me were dealing with the addresses and the annoying default settings that SonicWALL came with, but with proper planning and setup it can streamline things.  Use a combination of this thread, the SonicWALL support website, and Experts Exchange search to help you setup your SonicWALL UTM appliance with secure VPN access.  I also recommend that you do searches on how to harden your network, VPN, remote desktop, and other settings.  
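The addressing questions that ran through this thread (which ISP address goes on the WAN interface, which one the Global VPN Client dials, why the LAN stays on a private range, and why servers reachable over the VPN get static DHCP reservations outside the dynamic pool) can be checked mechanically. The following is an added example, not code from the thread or from SonicWall; all addresses in it are constructed sample values, since the thread's own were redacted, and the names `plan_vpn_addressing`, `ISP`, `LAN`, `DHCP_POOL` and `RESERVATIONS` are the example's own.

```python
"""Address-plan check for a client-to-site VPN behind one public static IP.

Layout assumed (as in the thread): Internet -- Modem -- UTM/VPN gateway --
Switch -- LAN. The ISP hands over a gateway, one usable IP and a mask; the
LAN uses a private range; servers reachable over the VPN get reservations.
"""
import ipaddress

# Constructed sample ISP hand-over (documentation range, not a real customer).
ISP = {"gateway": "203.0.113.1", "usable": "203.0.113.6", "mask": "255.255.255.248"}
LAN = "192.168.1.0/24"                            # private range on the LAN (X0) side
DHCP_POOL = ("192.168.1.100", "192.168.1.199")    # dynamic pool handed out by the gateway
RESERVATIONS = {"fileserver": "192.168.1.10"}     # static DHCP for hosts reached via VPN


def plan_vpn_addressing(isp, lan, dhcp_pool, reservations):
    """Return (plan, problems): where each address belongs, and what is wrong."""
    problems = []
    wan_net = ipaddress.ip_network(f"{isp['gateway']}/{isp['mask']}", strict=False)
    usable = ipaddress.ip_address(isp["usable"])
    gw = ipaddress.ip_address(isp["gateway"])
    lan_net = ipaddress.ip_network(lan)

    # The usable IP must be a host in the ISP block and must not be the gateway itself.
    if usable == gw or usable not in wan_net.hosts():
        problems.append(f"usable IP {usable} is the gateway or not a host in {wan_net}")
    # The LAN must be an RFC 1918 range (not the ISP's public block or another public one).
    if not lan_net.is_private:
        problems.append(f"LAN {lan_net} is not a private (RFC 1918) range")
    if lan_net.overlaps(wan_net):
        problems.append(f"LAN {lan_net} overlaps the ISP block {wan_net}")
    # Reservations must sit on the LAN and outside the dynamic pool to avoid collisions.
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    for name, addr in reservations.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan_net:
            problems.append(f"{name} {ip} is outside LAN {lan_net}")
        elif pool_lo <= ip <= pool_hi:
            problems.append(f"{name} {ip} collides with the dynamic DHCP pool")

    plan = {
        "wan_interface": str(usable),                      # X1/WAN gets the usable public IP
        "default_route": str(gw),                          # next hop is the ISP gateway
        "lan_interface": str(lan_net.network_address + 1), # X0/LAN, e.g. 192.168.1.1
        "gvc_peer": str(usable),                           # the client dials the WAN IP, not the gateway
        "vpn_targets": dict(reservations),                 # reach via \\192.168.1.10 or Remote Desktop
        "ike_udp_ports": (500, 4500),                      # IKE and NAT-T must reach the WAN IP
    }
    return plan, problems


if __name__ == "__main__":
    plan, problems = plan_vpn_addressing(ISP, LAN, DHCP_POOL, RESERVATIONS)
    print(plan)
    print("problems:", problems or "none")
```

Feeding it a public-looking LAN such as the 70.40.200.x range asked about earlier in the thread flags the LAN as non-private, which is the mistake the accepted answer warned against.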

Author Closing Comment

ID: 33824208
I left a summary to help anybody in the future.

Author Comment

ID: 33853297
Some additional related issues with setting up a SonicWALL VPN:

Pass Remote Desktop through the SonicWALL VPN tunnel

Client's Computer Loses Internet Connectivity with SonicWALL's Global VPN Client (GVC)

