Solved

Two VPNs to same IP Address

Posted on 2013-06-24
Last Modified: 2013-06-25
I've got a Sonicwall TZ205 at each of two locations. There is an IP phone system server at the main location and IP phones at the remote location. Currently, phones share a VPN between offices along with remote desktop applications and file transfer. The main location has 2 separate internet connections (only one is used at the moment). I would like to set up 2 VPNs between the offices. The first one being the current and the second being for the phone system only. The remote location only has 1 static IP address so I would be creating 2 VPNs going to the same IP address. The configuration page warns you about this and the settings for one end up stomping all over the settings for the other. Does anybody have any ideas about how to get this to happen?
Thanks.
0
Comment
Question by:Dalamar9
5 Comments
 
LVL 12

Accepted Solution

by:
TomRScott earned 500 total points
ID: 39272908
Static IP addresses are fairly cheap. I would consider getting a second static address for the remote location.

Given that the documentation warns against two VPNs from the same firewall destined to a single VPN, that would be the simplest, safest and possibly cheapest solution.

 - Tom
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39275289
The first issue I would consider would be:

What are the subnets involved?
If you have only one subnet at a site (and one public IP address) then I think there's "no way".
That's because packets destined for the remote subnet will be routed to "THE" VPN device.  And "THE" VPN device will route to the appropriate tunnel for that subnet.  

Even if you have multiple public addresses, how to get around the common subnet issue?  I don't think you can.

So, if this is what's going on then I don't see how it's surmountable.  Hopefully the VOIP uses a different subnet than the computer LAN at each site.
0
 

Author Comment

by:Dalamar9
ID: 39275935
I'm working on getting another IP address at the remote location, but I'm planning on using the routing capability of the sonicwall to split the traffic. I can set it up so that all traffic from an IP address (phone server on one side) to/from a group of IP addresses (phones on other side) goes through VPN2 and all other traffic from one subnet to the other goes through VPN1.

I was playing around with the idea of using a second (extra) sonicwall behind the first since I could create a third subnet as an intermediary, but I was having trouble routing the traffic correctly.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 39276215
I'm not at all sure that you need more than one public address per site.
I can envision Tunnel 1:
subnet 1A <> Public Address 1 <>Tunnel A<> Public Address 2 <> subnet 2A
and Tunnel 2:
subnet 1B <> Public Address 1 <>Tunnel B<> Public Address 2 <> subnet 2B.

What's important is that subnets 1A, 1B, 2A and 2B are all different.
It shouldn't matter that the Public Addresses used are single addresses per site as long as the device can terminate multiple tunnels.

Example:
Packet launched from subnet 1A destined for subnet 2A.
Is directed into Tunnel A and reaches subnet 2A.
Packet launched from subnet 1B destined for subnet 2B
Is directed into Tunnel B and reaches subnet 2B.
That the public addresses involved in the 2 separate tunnels are the same may not matter.
How the routing is done to reach the subnets is a detail that should be amenable to handling.

I think this works......
0
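
The subnet-to-tunnel mapping discussed in the comments above, as an added example that is not part of the original thread: it checks whether two tunnels to the same peer have overlapping traffic selectors and shows which tunnel a packet would match. All tunnel names, subnets and the peer address are constructed for illustration, and the matching logic is a generic model, not SonicWall's own behaviour.

```python
import ipaddress
from itertools import combinations

# Constructed policies (RFC 1918 subnets, RFC 5737 peer), not values from the thread.
# Both tunnels terminate on the same public address, as in the question.
DISTINCT = [
    {"name": "Tunnel A", "peer": "203.0.113.10",
     "local": "192.168.10.0/24", "remote": "192.168.20.0/24"},
    {"name": "Tunnel B", "peer": "203.0.113.10",
     "local": "192.168.11.0/24", "remote": "192.168.21.0/24"},
]
# Same peer, but voice is carved out of the data subnets: selectors overlap.
SHARED = [
    {"name": "Data", "peer": "203.0.113.10",
     "local": "192.168.10.0/24", "remote": "192.168.20.0/24"},
    {"name": "Voice", "peer": "203.0.113.10",
     "local": "192.168.10.50/32", "remote": "192.168.20.0/24"},
]

def _nets(tunnel):
    return (ipaddress.ip_network(tunnel["local"]),
            ipaddress.ip_network(tunnel["remote"]))

def overlapping_selectors(tunnels):
    """Return name pairs whose local AND remote selectors both overlap."""
    clashes = []
    for a, b in combinations(tunnels, 2):
        (la, ra), (lb, rb) = _nets(a), _nets(b)
        if la.overlaps(lb) and ra.overlaps(rb):
            clashes.append((a["name"], b["name"]))
    return clashes

def select_tunnel(tunnels, src, dst):
    """Return the one tunnel matching src -> dst, or None if none match.

    Raises ValueError when more than one tunnel matches, because the
    packet's path would then depend on device-specific tie-breaking.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [t["name"] for t in tunnels
            if src in _nets(t)[0] and dst in _nets(t)[1]]
    if len(hits) > 1:
        raise ValueError(f"ambiguous: {src} -> {dst} matches {hits}")
    return hits[0] if hits else None

if __name__ == "__main__":
    print(overlapping_selectors(DISTINCT), overlapping_selectors(SHARED))
    print(select_tunnel(DISTINCT, "192.168.11.5", "192.168.21.9"))
```
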
 

Author Closing Comment

by:Dalamar9
ID: 39276339
The device is the shortcoming here. It won't negotiate 2 different IKE authentication proposals to the same destination. I had asked the question to see if anyone was familiar enough with the device that we could figure out a way around the issue.
I was able to get the powers that be to order multiple addresses for our account and it should be provisioned tomorrow.
Thanks everyone for your comments.
0

Question has a verified solution.