Solved

Need to add site to site vpn

Posted on 2013-12-05
Last Modified: 2013-12-19
I have a client that needs to connect two offices with site to site VPN. One device is a Sonicwall TZ210, which is no problem. The other office is using their ISP's crappy router and it does not do IPsec VPN, and we can't take it out.

I tried bridge mode but it kills their waiting room TVs (all part of the same service), and the first thing the ISP does when there is an issue is reset the router, and then all the settings are gone.

I need to add a VPN server but I need some suggestions. Is there a cheap IPsec VPN box I can buy? I checked the usual suspects like Netgear and Sonicwall but they are either SSL VPN or VPN routers.

I thought about adding VPN to the server (it is 2008 R2), but I was not sure if that will do site to site or if it is just for clients connecting.

Any help is appreciated.

Thanks
Question by AJNS
13 Comments

Expert Comment by carlmd (ID: 39700662)
If the other office does have a good firewall you could put a small Sonicwall there and use the two to create a STS VPN. A TZ105 sells for about $380 with a one year subscription and would do the job.

Author Comment by AJNS (ID: 39700698)
I was thinking of that, but how would it work if the new Sonicwall was not acting as the router? It would need a WAN and LAN IP on different networks.

Expert Comment by carlmd (ID: 39701016)
The Sonicwall would sit after the ISP router and take a WAN IP that is either fixed or assigned (either is possible).

The LAN IP would be something on the current LAN.

It would be a good idea if at least one of the two ends had a fixed IP address.

Author Comment by AJNS (ID: 39701109)
If I put the Sonicwall after the ISP router it will have an IP from the LAN, not the WAN. Fiber comes into this box and the LAN connects to the built-in switch. Anything that plugs into that switch will have a LAN address.

What you're suggesting could work if I could put it in parallel with the ISP router, but I can't do that here.

I had a VPN firewall behind the ISP router, essentially doing double NAT, but that caused issues with the TV service.

I need a device that will go behind the ISP router but be transparent to the LAN. I can't seem to find good information from Netgear or Sonicwall on whether their firewalls have a transparent mode and will still provide VPN.

Expert Comment by carlmd (ID: 39701216)
Not sure what setup you have, but a typical ISP router will either provide you with a fixed IP (or range) on its LAN side, or the use of DHCP service. Do you have fixed IP addresses?

With a Sonicwall that fixed IP would become the IP address of the WAN interface, and then one address on the subnet you use on your LAN (say 192.168.1.x) would become the IP of the LAN interface of the Sonicwall.

You indicate fiber and TV, is this FIOS?

Author Comment by AJNS (ID: 39701252)
It is very similar to FIOS but sold as a business package. It provides access to the internet, the phone system and the waiting room TVs.

I understand what you are saying about the IP addresses. That is the normal setup. But think of this as a home router from an ISP, because that is essentially what it is. There is no WAN port, just five LAN ports on the back. Those five LAN ports have internal addresses, 192.168.2.x. There is no access at all to the WAN port or the WAN static IP. Any device plugged into the LAN side of that box must have a 192.168.2 address.

This is sold as a network in a box. The only ports the customer has access to are the LAN ports with internal IP addresses, DHCP etc. all set up. The only feature it has that I can use is the VPN pass-through, so I can put a VPN box behind it.

Expert Comment by carlmd (ID: 39701304)
If I understand correctly, you do not have a fixed public IP address at this location, is that correct?

How about the other end of the proposed STS, does it have a fixed IP?

Do both ends of the proposed STS tunnel need to access each others resources, or is it one way?

Author Comment by AJNS (ID: 39703044)
Both locations have static IP addresses.

I need data to flow both ways but only between two servers.

Expert Comment by carlmd (ID: 39703187)
Given what you have said here, a second Sonicwall behind the ISP device should do the trick. You would need to connect its WAN IP to one of the 192.168.2.x ports. If you want all traffic to pass through it, then all devices now on the LAN with 192.168.2.x addresses would have to be connected to the LAN side of the Sonicwall, and they would have to have their IP addresses changed to some other non-routable IP address range (like 10.0.0.x).

Unless the ISP device has a routable address you can use (not 192.168.1.x) in the outside world, you would not be able to address the tunnel to it from the far side. You would always have to initiate the tunnel from that side to the remote location, which hopefully has a routable address.

Author Comment by AJNS (ID: 39705958)
I've tried that before and the double NAT kills the TV service. That ISP router delivers TV to the waiting rooms along with custom content. Some medical channel for doctors' offices with ads and weather. Kind of like at the mall.

The only way that would work is if the device would go in transparent mode so data would flow through it without changing IPs.

I thought about leaving the TVs and phones on the 192.168 range and moving the computers to another range like 10.0.0 behind a device like a Sonicwall, but everything in the office has an IP. X-ray machines, diagnostic equipment, etc., and I can't change all those without some serious work and coordinating with way too many people.

I was hoping somebody could suggest a box that would drop into the network in transparent mode, or a dedicated VPN box.

Accepted Solution by carlmd (earned 500 total points, ID: 39705972)
How about this. At the one location take one 192.168.1.x address and put that on the Sonicwall WAN port. Then add a second NIC to the one server and give it a 10.0.0.x address. Now give the Sonicwall LAN port a 10.0.0.x address. You should now be able to create a tunnel between the two Sonicwalls and allow access to only the server at that one location. Unfortunately that would not allow the people on the 192.168.1.x network to access the server at the other location unless you set up IP forwarding and had them connect to the server with the second NIC to use it as a gateway.

I don't see how doing something like this would interfere with TV or anything else via the ISP device.

Your thoughts?
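An added example, not from the thread or from either participant: a small Python check of the addressing plan behind the accepted answer (Sonicwall WAN port on the ISP LAN, a second NIC on the server sharing a new 10.0.0.x segment with the Sonicwall LAN port, and a tunnel to the other office). The thread gives 192.168.2.x for the ISP LAN and 10.0.0.x for the new segment; the specific host addresses and the remote office's subnet are assumed placeholders. It also prints the persistent static route the dual-NIC Windows server needs, which the answer's design implies but does not spell out.

```python
from ipaddress import IPv4Interface, IPv4Network

# Constructed addressing plan for the second-NIC design in the accepted answer.
# Entries marked ASSUMED are placeholders the thread does not give.
PLAN = {
    "isp_lan": IPv4Network("192.168.2.0/24"),           # ISP box LAN range, per AJNS
    "sonicwall_wan": IPv4Interface("192.168.2.250/24"), # ASSUMED host on the ISP LAN
    "sonicwall_lan": IPv4Interface("10.0.0.1/24"),      # new 10.0.0.x segment
    "server_nic2": IPv4Interface("10.0.0.10/24"),       # ASSUMED host for the server's 2nd NIC
    "remote_lan": IPv4Network("10.0.1.0/24"),           # ASSUMED LAN behind the remote TZ210
}


def validate_plan(plan):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    # 1. The Sonicwall WAN address must sit on the ISP LAN it is patched into.
    if plan["sonicwall_wan"].ip not in plan["isp_lan"]:
        problems.append("sonicwall_wan is not an address on isp_lan")
    # 2. The server's second NIC and the Sonicwall LAN port must share a subnet,
    #    otherwise the server has no on-link path to the tunnel.
    if plan["server_nic2"].network != plan["sonicwall_lan"].network:
        problems.append("server_nic2 and sonicwall_lan are on different subnets")
    # 3. No two segments may overlap; a remote LAN overlapping a local one is the
    #    classic reason a site-to-site tunnel comes up but carries no traffic.
    segments = {
        "isp_lan": plan["isp_lan"],
        "sonicwall_lan": plan["sonicwall_lan"].network,
        "remote_lan": plan["remote_lan"],
    }
    names = list(segments)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if segments[a].overlaps(segments[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def server_static_route(plan):
    """Persistent Windows route the dual-NIC server needs. Without it, traffic for
    the remote office follows the default gateway on NIC1 (the ISP box) and never
    reaches the Sonicwall. Returned as the 'route -p add' command line."""
    remote = plan["remote_lan"]
    gateway = plan["sonicwall_lan"].ip
    return f"route -p add {remote.network_address} mask {remote.netmask} {gateway}"


if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan OK")
    print(server_static_route(PLAN))
```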
 

Author Comment by AJNS (ID: 39705984)
That's a good idea. It will take me a few days to coordinate it and test it but I'll post back.

Thanks

Author Comment by AJNS (ID: 39728957)
I was finally able to test this, and for the longest time I was not able to get the VPN to connect. It was hard to troubleshoot because I didn't know if it was the tunnel or the ISP router not passing the data.

I eventually found it was the ISP router, even though I enabled VPN pass-through. So I tried opening the ports manually and that didn't work either.

What I ended up doing was assigning the WAN port of the Sonicwall to the DMZ of the ISP router. Once I did that the tunnel came right up.

Thanks for the suggestions.