Solved

Creating a Branch Office VPN for more than one user

Posted on 2011-03-24
38
743 Views
Last Modified: 2012-05-11
Hi,

I have set up basic VPN connections in the past to connect to my work network from home, but this is my first foray into linking offices and multiple users, so if I am going in completely the wrong direction please let me know.

There is no Domain in place and each site just has a peer to peer network currently. In the future we will be moving towards a full Domain set up, but for now I would like to get some quick connections made if possible.

I have a head office with an SQL server that I want branch office to be able to connect to through VPN.

I am planning on purchasing a Draytek Vigor 2820 for the home office and setting up a VPN account on the router.

Now at the remote site I can connect to the VPN using a WinXP pro machine and hit the SQL server via the IP address.

I am guessing I can set up separate VPN accounts on the router for each client, but I am limited to 32 accounts.

What is the best way to connect the site to the VPN and then share this connection out to the rest of the site?


Thanks in advance for your help
Question by:compbuild
38 Comments
 
LVL 13

Expert Comment

by:murgroup
ID: 35208794
You can do it that way but it's a lot of administration of users and the Vigor will have to encrypt and decrypt each connection so performance may suffer.

If you have a static IP at the home office a hardware based VPN makes sense. Both the home office and remote office routers will need to support IPSec VPN. This will allow you to set up one connection between the offices. The remote office can have a dynamic IP and still connect. You just have to configure the home office router to allow this.

Because you don't have a DNS server on the network you can put an entry in the host file of each remote machine that points to the SQL server. This way they can get to it by name.
0
 
LVL 25

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 35212130
I think you want to have a subnet-to-subnet site-to-site VPN - just one.
This can be accomplished in a couple of ways:

- If you have more than one public IP address per site then:
Add a router ( like an RV042) at each site with its own public IP and a unique LAN address.
Then set up a VPN between the RV042s.
The subnets *must* be different at each site.
This has the advantage of segregating functions but also requires that the gateway device route traffic for the VPN to the "VPN device" on the LAN.

- If you have but a single public IP address per site then:
Use the site gateway/firewall/router to set up a site-to-site VPN.  
The RV042 will do this as will any number (most?) such routers/firewalls like a Juniper SSG-XX, etc.
This has the advantage that the one device controls routing to the VPN.

So, perhaps you can fit these ideas into your current equipment constraints.
0
 

Author Comment

by:compbuild
ID: 35213822
Thanks a lot guys, it's good to know I'm going in the right direction.

fmarshall, I looked at the RV042 router and it says it can have 50 IPSec VPN tunnels, does this mean 50 total users or could I have 50 sites connected with it with each site having 50 users connecting?

In reality I have 7 remote sites and about 150 total users

0
 

Author Comment

by:compbuild
ID: 35213901
Also

- If you have more than one public IP address per site then:
Add a router ( like an RV042) at each site with its own public IP and a unique LAN address.

Can I just connect this into my LAN and give it an external IP address as well as an internal one? I.e. I have a router, say a BT Infinity hub, as the external connection, then a switch coming from this. Can I plug the RV042 into the switch and give it an external address that I can hit from the other site?

Thanks
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35216458
A qualified "yes".   That's exactly how I've set up all of our sites.

However, the added public IP address has to be assigned by your ISP and the mechanism for connecting to your ISP has to be part of the system.  In my brief reading about the BT Infinity Hub, there is also an Openreach Modem.   So, in my configurations, the modem connects to that "Internet Switch" that I use and you mention.  Then, all the public-address ports of various devices connect to that same switch.  Then (I'm guessing) the BT Infinity Hub might be one of the devices on the internet switch using the Broadband port.  But the look of the BT Infinity Hub makes me think that *it* is really used here as a switch (a common element of hubs and routers) and it may take the place of the "internet switch".

I've found enough variation in methods for doing this, even with a single ISP, that you need to talk with them about multiple public IP addresses.  The most usual way I've found is that they assign you a block of addresses that includes a gateway address in that block that's assigned to a device at their end.

And, yes, you would connect various devices as above to the LAN directly.  Typically there's a LAN Switch in the same room and you plug them into the LAN right there.  Each with their own LAN address of course.

The set of publicly-addressed devices that also connect to the LAN might look like this:
- LAN Internet Firewall
- Company site-to-site VPN device
- 3rd party VPN devices (such as to securely access a major application service provider)

I hope it's obvious that each device must also be a type of firewall to prevent unwanted traffic between the internet and the LAN.  Limiting its function is usually easy enough.  And, with the intended firewall being the internet Gateway for the LAN, the expected open traffic is focused there.
0
 

Author Comment

by:compbuild
ID: 35216666
Thanks again fmarshall. I am lucky in that I have two broadband lines coming into the office here, so I can set up two internal LANs and test linking them over the internet all from this office.

I'm going to order in a couple of RV042's and get to work, expect some more questions!
0
 
LVL 13

Expert Comment

by:murgroup
ID: 35217325
I only disagree with fmarshall on a few points. The main one being the use of Cisco/Linksys at your remote sites. I'm not a big fan of Linksys for the remote sites as performance is less than stellar. If you want to go that route due to $$, ok. I don't know about the RV042 but have used the WRV210 and had good luck and decent performance. The VPN configuration options are also good. I would assume their interface is close to the same on both devices.

Again, save the money it will cost to get a static IP at the remote sites and put it into a good VPN device. I have many sites with dynamic IPs connected via VPN. Both the main office and remote office devices should support aggressive mode. Spend some time researching and reviewing different devices before purchasing. When looking for a device to support VPNs it should have good throughput and processing power, in addition to a good configuration menu. Since you are not well versed on VPNs, make it as easy as possible on yourself while getting the best performance out of the equipment. The last thing you want is for your coworkers to call complaining how slow everything is.

Just my two cents.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35217346
Another way to test the VPNs themselves is to just create your own isolated "internet" on a work bench or desk using a switch or router and with a couple of computers for each LAN side.  You can use whatever public addresses you like in an isolated situation like this.  Once you have the VPNs capable of linking, then you can "go live" with the real internet connections.  

Also, you will surely want to have remote access to the VPN devices either by remoting into a computer on the remote LAN or by public side log in to the devices enabled - like https.  Then you can look at both control panels at once and make sure they are consistently set up.  Otherwise it can be very challenging!  Lots of travel time involved.... :-)
0
 

Author Comment

by:compbuild
ID: 35257584
OK, So the RV042's have arrived. I have added one to our network and given it an external IP address. I need to change the subnet on the other LAN here in the office and then I can add the second router and get testing the VPN.

Stand by for more questions!
0
 

Author Comment

by:compbuild
ID: 35263282
Just had a thought about the gateways of the host machines: say all machines in the branch office need to access the home office via the VPN, does that mean I have to set the default gateway of all machines to be the IP address of the RV042? I'm guessing it does; this means all internet traffic will go through this as well, correct?
0
 
LVL 13

Expert Comment

by:murgroup
ID: 35263529
All branch offices will need independent subnets from the main office.
e.g. Main Office subnet 196.168.5.0
Office 1 subnet 192.168.6.0
Office 2 subnet 192.168.7.0 etc.

The RV042 for each office will handle DHCP and the gateway for each will be the RV042 address. I believe you said earlier there is no internal DNS server. If that is the case you will have to edit the host file on each remote computer so it will know how to find the SQL server. Something like sqlserver  192.168.5.10.

This is assuming the RV042 is the primary gateway at each office.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35263783
If you are using only one RV042 as both internet router and VPN router then:
- it will be the gateway
- the internet traffic will go through the local ISP as normal.
- each VPN traffic will go to the other end of the tunnel, presumably to another RV042 and onto a LAN.
- you don't need ANY routes as the router knows what to do with remote LAN/VPN traffic.  i.e. the needed routes will be there as a result of setting up the VPN(s).
But, I understand the VPN devices are separate in your layout.
So:
If you are using an RV042 as a separate VPN device, separate from the internet gateway, then you need to have routes set up for outgoing packets to reach the VPN device.  There are two ways:
- put a persistent route pointing to the other LAN on every computer that points to the local RV042 LAN address.  Most work and maintenance this way.
- put a route on the internet gateway device that sends remote LAN traffic to the local RV042 LAN address.  Less work, less maintenance.

One caveat:
If your local gateway device has stateful packet inspection then it may have to be told to pass responding packets from the local LAN to the remote LAN.  Here's why:
If you originate a packet on the local LAN, it will go to the gateway and on to the VPN device  (due to the added route above), no  problem.
When that packet arrives at the destination remote LAN it will go directly to the remote computer without involving the remote gateway at all.  Then, the response (as will all packets destined for the VPN) will go to the remote gateway device which has no packet state for the response and may drop the packet.
So, if you can't get ping responses from a remote LAN then:
1) make sure the remote computer's firewall is set to allow incoming ICMP.
2) look to see if the gateway devices are blocking the return traffic as above.

Each of the 50 will support one site-to-site VPN tunnel.  There is no notion of "users", only sites (as defined by their public IP addresses and LAN subnet).   So, if you have 7 sites that you want to connect to each other then you would have six tunnels per site that go to each of the other sites.
If you only want to connect each site to the main office then you'd have 6 tunnels at the main office and one tunnel at each of the branch offices.
I have one set up with 3 sites, 2 tunnels each, to reach all the other offices directly.

If you're using DSL, the link speeds will be limited by the lower upload speed as *every* connection is up on one end and down on the other.  This can be very limiting.

Also, I don't have experience with many tunnels running at once.  Since 2 works well, I suspect that 6 will work just as well.  But 50?, I don't know.... You seem to be in the realm of reasonableness.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35263842
If you're only testing then you can put a route in a PC at each end and not deal with setting up a route in the gateway device.  And, this may help you deal with / identify the Stateful Packet Inspection issue I mentioned.  This avoids it.  It's not a bad way to start.

So, if this works and the route in the gateway device doesn't work (with computers that *don't* have the route added) then you have a better idea where the problem lies.
0
 

Author Comment

by:compbuild
ID: 35279669
The subnets are sorted and the RV042 is going to be an additional gateway rather than the main internet gateway, so it looks like a route on the Internet Router (2wire BT business hub) is going to be the way forward.

It's going to be 1 tunnel per site, as each office needs to connect to the home office but doesn't have to connect to the other branches.

Good heads up on the firewall stateful packet inspection issue, I'm sure I will run into it further in.

Thanks for your help so far

0
 

Author Comment

by:compbuild
ID: 35297147
OK, I've got two RV042s installed on two separate Broadband lines and internally on two separate LANs on different subnets.

I can ping the external address for both, but it doesn't seem to be very stable. This morning I tried pinging both and got responses from both OK. All good, I thought, I'll try to set up the VPN. Then after a while I tried the ping again and got 2 replies and then 2 time outs, then all time outs. I checked the firewall settings and all seemed fine, so I tried a few more times and eventually got responses again; tried it a good few times and got perfect responses. Now, after coming back from lunch, the ping fails again.

Any ideas? Is there some sort of setting to keep the router connected? I was thinking maybe it was like a wake on LAN type set up where it was asleep as such until it gets a request.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35297955
The setup would ideally be "connected all the time".  There is a "keep alive" check box in the Advanced section of settings.

*All* settings should be the same at each end - except the IP address differences, subnet masks, etc.

0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35298069
Here are the settings I've been using:
Interface WAN1
Enable checked
Local Security Gateway..... IP Only
IP Address [the local public/WAN IP
Local Security Group Type: Subnet
IP Address: Local LAN *Network* IP address for this device
Subnet Mask: Local LAN subnet mask
Remote security gateway type: IP Only
IP Address: Remote public IP
Remote Security Group Type: Subnet
IP Address: Remote LAN *Network* address
Subnet Mask: Remote LAN subnet mask
Keying mode: IKE with Preshared key
Group2
3DES
SHA1
28800
Perfect Forward Security: Checked
Phase2 DH Group Group2
Phase2 Encryption 3DES
Phase2 Auth: SHA1
Phase2 SA life: 3600
Preshared Key: .......whatever......
ADVANCED:
Checked:
Keep-Alive
NAT Traversal (I don't remember why)
Dead Peer Detection (DPD) Interval: 10
0
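The settings above only work when both ends mirror each other, the two LAN subnets differ (murgroup's point), and, where the RV042 is not the LAN's default gateway, each host carries a route to the far subnet via the RV042 (Fred's earlier post). The following script is an added example, not code from the thread or from Cisco; it checks a pair of tunnel definitions for exactly those points and prints the per-host route each side needs. The field names are this example's own, and the public addresses are RFC 5737 documentation placeholders, not real site addresses.

```python
import ipaddress

# Proposals copied from the settings listed above (IKE with pre-shared key).
IKE = {"dh": "group2", "enc": "3des", "auth": "sha1", "life": 28800}
ESP = {"dh": "group2", "enc": "3des", "auth": "sha1", "life": 3600, "pfs": True}


def site(wan_ip, lan_net, vpn_lan_ip, remote_wan_ip, remote_net,
         ike=IKE, esp=ESP, psk="test", keepalive=True):
    """Build one end's tunnel definition (field names are this example's own)."""
    return {"wan_ip": wan_ip, "lan_net": lan_net, "vpn_lan_ip": vpn_lan_ip,
            "remote_wan_ip": remote_wan_ip, "remote_net": remote_net,
            "ike": dict(ike), "esp": dict(esp), "psk": psk, "keepalive": keepalive}


# Constructed sample: the two test-bench LANs from the thread, with RFC 5737
# documentation addresses standing in for the real public IPs.
SITE_A = site("203.0.113.10", "192.168.1.0/24", "192.168.1.3",
              "198.51.100.20", "192.168.100.0/24")
SITE_B = site("198.51.100.20", "192.168.100.0/24", "192.168.100.3",
              "203.0.113.10", "192.168.1.0/24")


def check_tunnel_pair(a, b):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    a_net = ipaddress.ip_network(a["lan_net"])
    b_net = ipaddress.ip_network(b["lan_net"])
    # Site-to-site routing only works when the two LANs are distinct subnets.
    if a_net.overlaps(b_net):
        problems.append(f"LAN subnets overlap: {a_net} and {b_net}")
    # Each end's remote gateway / remote security group must describe the peer.
    for near, far, label in ((a, b, "A->B"), (b, a, "B->A")):
        if near["remote_wan_ip"] != far["wan_ip"]:
            problems.append(f"{label}: remote gateway {near['remote_wan_ip']} "
                            f"is not the peer WAN address {far['wan_ip']}")
        if ipaddress.ip_network(near["remote_net"]) != ipaddress.ip_network(far["lan_net"]):
            problems.append(f"{label}: remote security group {near['remote_net']} "
                            f"is not the peer LAN {far['lan_net']}")
        if ipaddress.ip_address(near["vpn_lan_ip"]) not in ipaddress.ip_network(near["lan_net"]):
            problems.append(f"{label}: VPN device address {near['vpn_lan_ip']} "
                            f"is outside its own LAN {near['lan_net']}")
    # Phase 1 / phase 2 proposals and the pre-shared key must be identical.
    for phase in ("ike", "esp"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key} mismatch: "
                                f"{a[phase].get(key)!r} vs {b[phase].get(key)!r}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ (a typo here leaves the status at 'Waiting for connection')")
    for name, end in (("A", a), ("B", b)):
        if not end["keepalive"]:
            problems.append(f"site {name}: keep-alive off, tunnel will drop when idle")
    return problems


def host_route(end):
    """Persistent Windows route a LAN host needs when the VPN device is not its default gateway."""
    net = ipaddress.ip_network(end["remote_net"])
    return f"route -p add {net.network_address} mask {net.netmask} {end['vpn_lan_ip']}"


if __name__ == "__main__":
    for problem in check_tunnel_pair(SITE_A, SITE_B) or ["tunnel definitions are consistent"]:
        print(problem)
    print("site A hosts:", host_route(SITE_A))
    print("site B hosts:", host_route(SITE_B))
```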
 

Author Comment

by:compbuild
ID: 35298637
I have tried to replicate your settings but I am still just getting Waiting for connection in the status pane.

Would I need to enable IPsec on the router or something? Seeing as I am just trying to test the tunnel between the two routers, I don't think there should be a problem with adding routes to the BT routers, or am I wrong?
0
 

Author Comment

by:compbuild
ID: 35298713
When you say Network address..............

I have

 192.168.100.0,
 255.255.255.0 as one and

 192.168.1.0
 255.255.255.0 as the other is this correct?

As I understand it the above should mean one has a network address of 192.168.100 and the other 192.168.1
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35298951
Yes.
0
 

Author Comment

by:compbuild
ID: 35299130
OK, so in the system diagnostics in the RV042 I can ping each of the other Public IPs from each side, but still no connection.
0
 
LVL 13

Expert Comment

by:murgroup
ID: 35300349
Don't enable NAT traversal, you shouldn't need it. Try enabling NetBIOS.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35300555
These should be Gateway to Gateway VPNs, yes?
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35300571
Also, I found it useful to start out with a simple password/phrase like "test".  It's easy to have a typo and not get connected.
0
 

Author Comment

by:compbuild
ID: 35314839
OK, thanks for your help so far guys. I have the tunnel showing as connected on both RV042s now, but I still can't ping the other network from host computers. I think I have the persistent route added, using the local address of the RV042 as the gateway.

Host IP address is 192.168.1.70
RV042 local address is 192.168.1.3
target network is 192.168.100.0 / 255.255.255.0

Route table has this entry

Network Destination    Netmask                 Gateway          Interface             Metric
192.168.100.0           255.255.255.0       192.168.1.3     192.168.1.70      1

 
0
 

Author Comment

by:compbuild
ID: 35314916
I can ping the external network from the RV042 using the diagnostic ping, so it looks like it is close now; probably just need to allow the traffic on the BT routers or something.
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35315501
Great!  "Connected" is good!

The route for the computer looks good.  You have to have it replicated at the other end computer:

Network Destination    Netmask                 Gateway          Interface             Metric
192.168.1.0           255.255.255.0       192.168.100.xxx     192.168.100.yyy      1

Then those two computers should be able to ping one another.

I just ran into a problem involving the Windows Firewall.  Heretofore we'd been using 3rd party firewalls.  The remote subnets need to be included.  For an XP Windows Firewall, here are the instructions for file and printer sharing:

Control Panel
Windows Firewall
Exceptions tab
Select:
File and Printer Sharing
Edit

Highlight TCP 139
Select: Change Scope
Select: Custom List
Enter:
10.109.0.0/255.255.252.0  <<<<note the "252" in there
OK

Highlight TCP 445
Do the same as above.

Highlight UDP 137
Do the same as above

Highlight UDP 138
Do the same as above

OK to finish.

Of course, ping / ICMP needs to be enabled on the computers' firewalls .. just incoming I believe.  But you'd know that from within any of the LANs.
0
 

Author Comment

by:compbuild
ID: 35315915
Excellent! I was trying to ping the router's address and that wasn't working; when I tried to ping an IP of a computer it worked!

Thanks a lot for your help guys.

Now just to get the SQL server talking.

0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35316242
Good!  That's a good example of why the setup needs to be symmetrical.  The routers you mention probably didn't have the routes to direct any replies.  Also, I'm not sure that you can ping the VPN device LAN side IP from another LAN.  That behaviour may vary.  It seems in most cases it does work.

Well, if you're pinging the inside of one of the VPN devices remotely then it does know a route back directly over the VPN.  That seems to work.

Anyway, no one site is different than another.  So all the routes, etc. have to be done at each site.  Each device has to know how to send packets to the other subnet - either by default via a local gateway (which in turn "knows" where to direct the packets)  or by virtue of a special route on the computer directly to the VPN device.

When you evolve to using your gateways or whatever... to do the routing,  then the same applies.
0
 

Author Comment

by:compbuild
ID: 35326584
OK, so the pings are now consistent and I have added the route on either end. I have added an entry in the host file for the client machine and I can ping the SQL server name successfully.

I opened Enterprise manager but was unable to connect to the SQL server so I disabled the firewalls on each router and I was able to connect and browse tables etc.

I went back to look at the firewalls again to get them correct, so I turned them on and checked whether the connection failed. It did, so I turned them off again to check this was definitely the case, and now I cannot connect to the SQL server at all.

I can still ping the server name from the remote host. I'm thinking I probably have problems getting through the BT routers now, but those settings have remained constant, so it is a bit strange that it worked once and not again.
0
 
LVL 13

Expert Comment

by:murgroup
ID: 35326844
It's probably a port forwarding issue. I don't think you want to port forward the SQL port 1433 or udp 1434 as the RV042 forwarding is probably from WAN to LAN. Does the RV042 allow you to create a policy route or port triggering? Here are a couple of articles that might help point you in the right direction.

http://msdn.microsoft.com/en-us/library/ms175043.aspx

http://technet.microsoft.com/en-us/library/cc646023.aspx
0
 

Author Comment

by:compbuild
ID: 35327768
I've tried it with the firewall on the PC off, so I don't think that is the problem. The thing that worries me is that it worked once and now refuses to work, which makes me think the set up isn't going to be stable.
0
 
LVL 13

Expert Comment

by:murgroup
ID: 35327863
Can you explain how the BT hub relates to the current config?
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35329301
This isn't like a client to site VPN.  There should be no port forwarding involved if I understand at all what you're doing.
The VPNs go from one site VPN device to another VPN site device.  Since those are ON the LANs, there should be no firewall involved - other than on individual computers, right?

So, no port forwarding.

0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 35329303
Getting everything to work together is the initial challenge.  I'd never use the term "instability" as it defies how things generally work.  
0
 

Author Comment

by:compbuild
ID: 35350099
"Getting everything to work together is the initial challenge.  I'd never use the term "instability" as it defies how things generally work."

I know what you mean fmarshall, and ordinarily I'd very much agree that it either works or doesn't work, but so far with this I have been seeing some strange behaviour. Anyway, to update:

Tunnels are connected and I have successfully tested my applications and it all works, albeit a bit slowly, so a big thank you to everyone for their help so far.

However, after a reboot of the client PC I can still ping the server via name, but when I try to map a network drive as I had before I get a message saying the network path was not found.

The ping is still working, but after the reboot nothing else works. Do I need to run a script or something to make the network link?

0
 

Author Comment

by:compbuild
ID: 35373379
Thanks fmarshall and murgroup, the setup seems to be working OK now. The speed is not great, but I think that is a separate issue, so I am closing this question and will open another one on tweaking the settings to improve performance.

Thanks

0
