AJNS asked:
Need to add site to site vpn

I have a client that needs to connect two offices with site to site vpn. One device is a sonicwall tz210 which is no problem. The other office is using their isp's crappy router and it does not do ipsec vpn and we can't take it out.

I tried bridge mode but it kills their waiting room tv's (all part of the same service) and the first thing the isp does when there is an issue is reset the router and then all the settings are gone.

I need to add a vpn server but I need some suggestions. Is there a cheap ipsec vpn box I can buy? I checked the usual suspects like netgear and sonicwall but they are either ssl vpn or vpn routers.

I thought about adding vpn to the server, it is 2008 r2, but I was not sure if that will do site to site or if it is just for clients connecting.

Any help is appreciated.

Thanks
Carl Dula:

If the other office does have a good firewall you could put a small Sonicwall there, and use the two to create a STS VPN. A TZ105 sells for about $380 with one year subscription and would do the job.
AJNS (asker):

I was thinking of that but how would it work if the new sonic wall was not acting as the router? It would need a wan and LAN ip on different networks.
Carl Dula:

The Sonicwall would sit after the ISP router and take a WAN ip of either a fixed ip or assigned (either is possible).

The LAN ip would be something on the current LAN.

It would be a good idea if at least one of the two ends had a fixed ip address.
AJNS (asker):

If I put the sonicwall after the isp router it will have an ip from the LAN, not the WAN. Fiber comes into this box and the LAN connects to the built in switch. Anything that plugs into that switch will have a LAN address.

What you're suggesting could work if I could put it in parallel with the isp router but I can't do that here.

I had a vpn firewall behind the isp router, essentially doing double NAT, but that caused issues with the tv service.

I need a device that will go behind the isp router but be transparent to the LAN. I can't seem to find good information from netgear or sonicwall if their firewalls have a transparent mode and will still provide vpn.
Carl Dula:

Not sure what setup you have but a typical ISP router will either provide you with a fixed ip (or range) on its LAN side, or the use of DHCP service. Do you have fixed ip addresses?

With a Sonicwall that fixed ip would become the ip address of the WAN interface, and then one address on the subnet you use on your LAN (say 192.168.1.x) would become the ip of the LAN interface of the Sonicwall.

You indicate fiber and tv, is this FIOS?
AJNS (asker):

It is very similar to FIOS but sold as a business package. It provides access to the internet, phone system and waiting room tv's.

I understand what you are saying about the IP addresses. That is the normal setup. But think of this as a home router from an isp because that is essentially what it is. There is no wan port, just five lan ports on the back. Those five lan ports have internal addresses, 192.168.2.x. There is no access at all to the wan port or the wan static ip. Any device plugged into the lan side of that box must have a 192.168.2 address.

This is sold as a network in a box. The only ports the customer has access to are the lan ports with internal IP addresses, DHCP etc all setup. The only feature it has I can use is the vpn pass through so I can put a vpn box behind it.
Carl Dula:

If I understand, then you do not have a fixed public ip address at this location, is that correct?

How about the other end of the proposed STS, does it have a fixed ip?

Do both ends of the proposed STS tunnel need to access each others resources, or is it one way?
AJNS (asker):

Both locations have static IP addresses.

I need data to flow both ways but only between two servers.
Carl Dula:

Given what you have said here a second Sonicwall behind the ISP device should do the trick. You would need to connect its wan ip to one of the 192.168.2.x ports. If you want all traffic to pass through it then all devices now on the lan with 192.168.2.x addresses would have to be connected to the LAN side of the Sonicwall, and they would have to have their ip addresses changed to some other non-routable ip address range (like 10.0.0.x).

Unless the ISP device has a routable address you can use (not 192.168.1.x) in the outside world, you would not be able to address the tunnel to it from the far side. You would always have to initiate the tunnel from that side to the remote location, that hopefully has a routable address.
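An added example (not from the thread or from either participant): a small Python planning check for the layout described above, where one VPN box has a private WAN address on the ISP router's LAN and the other end has a public address. It flags which side can initiate, that NAT traversal will be in play, what the upstream router must pass, and overlapping LANs; the site names, addresses and subnets are constructed sample values (11.22.33.44 is a placeholder, not a real site).

```python
import ipaddress
from dataclasses import dataclass, field

# IKE and NAT-T use UDP; ESP is IP protocol 50, so a plain "open a port" rule often falls short.
IPSEC_PASSTHROUGH = ("udp/500 IKE", "udp/4500 NAT-T", "ip-proto/50 ESP")

@dataclass
class Site:
    name: str
    wan_ip: str   # address on the VPN box's WAN interface
    lan: str      # subnet behind the VPN box, e.g. "10.0.0.0/24"

@dataclass
class Plan:
    initiators: list = field(default_factory=list)  # sides able to open the tunnel
    nat_traversal: bool = False                     # a private WAN address means NAT-T
    warnings: list = field(default_factory=list)

def plan_tunnel(a: Site, b: Site) -> Plan:
    plan = Plan()
    nets = {s.name: ipaddress.ip_network(s.lan, strict=False) for s in (a, b)}
    # Identical or overlapping LANs cannot be routed across one tunnel.
    if nets[a.name].overlaps(nets[b.name]):
        plan.warnings.append(f"LAN overlap: {a.lan} vs {b.lan}")
    for local, remote in ((a, b), (b, a)):
        local_ip = ipaddress.ip_address(local.wan_ip)
        remote_ip = ipaddress.ip_address(remote.wan_ip)
        # A side can only initiate toward a peer that has a routable address.
        if remote_ip.is_global:
            plan.initiators.append(local.name)
        if local_ip.is_private:
            plan.nat_traversal = True
            plan.warnings.append(f"{local.name} WAN {local.wan_ip} is behind NAT: "
                                 "it must initiate, and the ISP router must pass "
                                 + ", ".join(IPSEC_PASSTHROUGH))
        # The WAN address must not fall inside the far LAN or traffic is misrouted.
        if local_ip in nets[remote.name]:
            plan.warnings.append(f"{local.name} WAN lies inside {remote.name} LAN {remote.lan}")
    if not plan.initiators:
        plan.warnings.append("no side has a public address: tunnel cannot be opened")
    return plan

# Constructed sample: clinic box on the ISP router's 192.168.2.x LAN, HQ with a
# placeholder public address (11.22.33.44 is not a real site).
CLINIC = Site("clinic", "192.168.2.50", "10.0.0.0/24")
HQ = Site("hq", "11.22.33.44", "192.168.10.0/24")

if __name__ == "__main__":
    for line in plan_tunnel(CLINIC, HQ).warnings:
        print(line)
```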
AJNS (asker):

I've tried that before and the double nat kills the tv service. That isp router delivers tv to the waiting rooms along with custom content. Some medical channel for doctors' offices with ads and weather. Kind of like at the mall.

The only way that would work is if the device would go in transparent mode so data would flow through it without changing IP's.

I thought about leaving the tv's and phones on the 192.168 and moving the computers to another range like 10.0.0. behind a device like a sonicwall but everything in the office has an IP. Xray machines, diagnostic equipment, etc and I can't change all those without some serious work and coordinating with way too many people.

I was hoping somebody could suggest a box that would drop into the network in transparent mode or a dedicated vpn box.
Carl Dula (asker-certified solution; text not shown on this page):

AJNS (asker):

That's a good idea. It will take me a few days to coordinate it and test it but I'll post back.

Thanks
AJNS (asker):

I was finally able to test this and for the longest time I was not able to get the vpn to connect. It was hard to troubleshoot because I didn't know if it was the tunnel or the isp router not passing the data.

I eventually found it was the isp router even though I enabled vpn pass through. So I tried opening the ports manually and that didn't work either.

What I ended up doing was assigning the wan port of the sonicwall to the dmz of the isp router. Once I did that the tunnel came right up.

Thanks for the suggestions.