Solved

Need to add site to site VPN

Posted on 2013-12-05
540 Views
Last Modified: 2013-12-19
I have a client that needs to connect two offices with a site-to-site VPN. One device is a SonicWall TZ210, which is no problem. The other office is using their ISP's crappy router; it does not do IPsec VPN and we can't take it out.

I tried bridge mode, but it kills their waiting room TVs (all part of the same service), and the first thing the ISP does when there is an issue is reset the router, and then all the settings are gone.

I need to add a VPN server but I need some suggestions. Is there a cheap IPsec VPN box I can buy? I checked the usual suspects like Netgear and SonicWall, but they are either SSL VPN or VPN routers.

I thought about adding VPN to the server (it is 2008 R2), but I was not sure whether that will do site-to-site or if it is just for clients connecting.

Any help is appreciated.

Thanks
0

Question by:AJNS
13 Comments
 
LVL 20

Expert Comment

by:carlmd
ID: 39700662
If the other office does have a good firewall you could put a small SonicWall there, and use the two to create a STS VPN. A TZ105 sells for about $380 with a one-year subscription and would do the job.
0
 

Author Comment

by:AJNS
ID: 39700698
I was thinking of that, but how would it work if the new SonicWall was not acting as the router? It would need a WAN and LAN IP on different networks.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39701016
The SonicWall would sit after the ISP router and take a WAN IP, either a fixed IP or an assigned one (either is possible).

The LAN IP would be something on the current LAN.

It would be a good idea if at least one of the two ends had a fixed IP address.
0
 

Author Comment

by:AJNS
ID: 39701109
If I put the SonicWall after the ISP router it will have an IP from the LAN, not the WAN. Fiber comes into this box and the LAN connects to the built-in switch. Anything that plugs into that switch will have a LAN address.

What you're suggesting could work if I could put it in parallel with the ISP router, but I can't do that here.

I had a VPN firewall behind the ISP router, essentially doing double NAT, but that caused issues with the TV service.

I need a device that will go behind the ISP router but be transparent to the LAN. I can't seem to find good information from Netgear or SonicWall on whether their firewalls have a transparent mode and will still provide VPN.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39701216
Not sure what setup you have, but a typical ISP router will either provide you with a fixed IP (or range) on its LAN side, or the use of a DHCP service. Do you have fixed IP addresses?

With a SonicWall that fixed IP would become the IP address of the WAN interface, and then one address on the subnet you use on your LAN (say 192.168.1.x) would become the IP of the LAN interface of the SonicWall.

You indicate fiber and TV; is this FiOS?
0
 

Author Comment

by:AJNS
ID: 39701252
It is very similar to FiOS but sold as a business package. It provides access to the internet, the phone system and the waiting room TVs.

I understand what you are saying about the IP addresses. That is the normal setup. But think of this as a home router from an ISP, because that is essentially what it is. There is no WAN port, just five LAN ports on the back. Those five LAN ports have internal addresses, 192.168.2.x. There is no access at all to the WAN port or the WAN static IP. Any device plugged into the LAN side of that box must have a 192.168.2.x address.

This is sold as a network in a box. The only ports the customer has access to are the LAN ports with internal IP addresses, DHCP etc. all set up. The only feature it has that I can use is the VPN pass-through, so I can put a VPN box behind it.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39701304
If I understand, then you do not have a fixed public IP address at this location, is that correct?

How about the other end of the proposed STS; does it have a fixed IP?

Do both ends of the proposed STS tunnel need to access each other's resources, or is it one way?
0
 

Author Comment

by:AJNS
ID: 39703044
Both locations have static IP addresses.

I need data to flow both ways but only between two servers.
0
 
LVL 20

Expert Comment

by:carlmd
ID: 39703187
Given what you have said here, a second SonicWall behind the ISP device should do the trick. You would need to connect its WAN IP to one of the 192.168.2.x ports. If you want all traffic to pass through it then all devices now on the LAN with 192.168.2.x addresses would have to be connected to the LAN side of the SonicWall, and they would have to have their IP addresses changed to some other non-routable IP address range (like 10.0.0.x).

Unless the ISP device has a routable address you can use (not 192.168.1.x) in the outside world, you would not be able to address the tunnel to it from the far side. You would always have to initiate the tunnel from that side to the remote location, which hopefully has a routable address.
0
 

Author Comment

by:AJNS
ID: 39705958
I've tried that before and the double NAT kills the TV service. That ISP router delivers TV to the waiting rooms along with custom content: some medical channel for doctors' offices with ads and weather, kind of like at the mall.

The only way that would work is if the device would go in transparent mode, so data would flow through it without changing IPs.

I thought about leaving the TVs and phones on the 192.168.x.x range and moving the computers to another range like 10.0.0.x behind a device like a SonicWall, but everything in the office has an IP: X-ray machines, diagnostic equipment, etc. I can't change all those without some serious work and coordinating with way too many people.

I was hoping somebody could suggest a box that would drop into the network in transparent mode, or a dedicated VPN box.
0
 
LVL 20

Accepted Solution

by:
carlmd earned 500 total points
ID: 39705972
How about this. At the one location take one 192.168.1.x address and put that on the SonicWall WAN port. Then add a second NIC to the one server and give it a 10.0.0.x address. Now give the SonicWall LAN port a 10.0.0.x address. You should now be able to create a tunnel between the two SonicWalls and allow access to only the server at that one location. Unfortunately that would not allow the people on the 192.168.1.x network to access the server at the other location unless you set up IP forwarding and had them connect to the server with the second NIC to use it as a gateway.

I don't see how doing something like this would interfere with TV or anything else via the ISP device.

Your thoughts?
0
 

Author Comment

by:AJNS
ID: 39705984
That's a good idea. It will take me a few days to coordinate it and test it but I'll post back.

Thanks
0
 

Author Comment

by:AJNS
ID: 39728957
I was finally able to test this, and for the longest time I was not able to get the VPN to connect. It was hard to troubleshoot because I didn't know if it was the tunnel or the ISP router not passing the data.

I eventually found it was the ISP router, even though I enabled VPN pass-through. So I tried opening the ports manually and that didn't work either.

What I ended up doing was assigning the WAN port of the SonicWall to the DMZ of the ISP router. Once I did that the tunnel came right up.

Thanks for the suggestions.
0
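Added example (editor's Python, not code from this thread, from SonicWall or from the ISP box): the accepted design puts the SonicWall WAN port on the ISP box's LAN, its LAN port and a second server NIC on a separate transit range, and restricts the tunnel to the two servers. The script below checks the things that quietly break that design (an address range used at both offices or colliding with the transit range, an interface on the wrong side, a server that still sends remote-office traffic to the ISP default gateway) and emits the phase-2 selectors and the persistent Windows route the 2008 R2 server needs. The 192.168.2.0/24 LAN is the range the asker reported and the 10.0.0.0/24 transit range is carlmd's proposal; every other address (the remote office's 192.168.10.0/24 and all host IPs) is constructed for illustration. One caveat that follows from the final comment: the ISP router's DMZ setting forwards every unsolicited inbound packet to the SonicWall WAN address, so the SonicWall's own WAN access rules are the only filter left in front of that interface.

```python
import ipaddress

# Constructed addressing. Only two facts come from the thread: the ISP box's LAN is
# 192.168.2.x (asker) and the second NIC / SonicWall LAN use a 10.0.0.x range (carlmd).
# Every other address below is an assumption for illustration.
LOCAL_LAN = ipaddress.ip_network("192.168.2.0/24")        # ISP router LAN, left untouched
TRANSIT = ipaddress.ip_network("10.0.0.0/24")             # server NIC2 + SonicWall LAN
REMOTE_LAN = ipaddress.ip_network("192.168.10.0/24")      # assumed TZ210 office LAN
SW_WAN_IP = ipaddress.ip_address("192.168.2.250")         # SonicWall WAN, on the ISP LAN
SW_LAN_IP = ipaddress.ip_address("10.0.0.1")              # SonicWall LAN interface
SERVER_NIC1_IP = ipaddress.ip_address("192.168.2.10")     # server's existing LAN NIC
SERVER_NIC2_IP = ipaddress.ip_address("10.0.0.10")        # server's added second NIC
REMOTE_SERVER_IP = ipaddress.ip_address("192.168.10.20")  # assumed server at the TZ210 site


def check_overlap(*nets):
    """Return every pair of networks that overlap.

    A site-to-site tunnel cannot route between two sides that share address space,
    and the transit range must not collide with either office LAN.
    """
    nets = [ipaddress.ip_network(str(n)) for n in nets]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def interface_placement_ok():
    """The SonicWall WAN is just another client of the ISP box, so it must sit on the
    ISP LAN; the SonicWall LAN port and the server's second NIC must sit on the transit
    range and must not share an address."""
    return (SW_WAN_IP in LOCAL_LAN
            and SW_LAN_IP in TRANSIT
            and SERVER_NIC2_IP in TRANSIT
            and SW_LAN_IP != SERVER_NIC2_IP)


def phase2_selectors(local_host, remote_host):
    """Narrowest phase-2 traffic selectors: one /32 per side, so only the two servers
    can talk through the tunnel (the asker wanted server-to-server traffic only).
    The TZ210 side needs the mirror image of this pair in its own VPN policy."""
    return (f"{local_host}/32", f"{remote_host}/32")


def windows_route(dest_net, gateway):
    """Persistent route for the 2008 R2 server: send remote-office traffic out the
    second NIC to the SonicWall LAN address instead of the ISP default gateway.
    'route -p ADD <net> MASK <mask> <gw>' is the stock Windows route.exe syntax."""
    dest_net = ipaddress.ip_network(str(dest_net))
    return f"route -p ADD {dest_net.network_address} MASK {dest_net.netmask} {gateway}"


def path_for(host, server_forwards=False):
    """Describe how a local host reaches the remote office in this design.

    Hosts on the transit range go straight to the SonicWall. Hosts on the 192.168.2.x
    LAN have no path at all unless the server routes for them (carlmd's caveat), in
    which case they must use the server's existing LAN address as their gateway.
    """
    host = ipaddress.ip_address(host)
    if host in TRANSIT:
        return f"via {SW_LAN_IP}"
    if host in LOCAL_LAN:
        return f"via {SERVER_NIC1_IP} (server forwarding)" if server_forwards else "no path"
    return "not on this site"


def plan(server_forwards=False):
    """Assemble the whole design and flag anything that would break it."""
    overlaps = check_overlap(LOCAL_LAN, TRANSIT, REMOTE_LAN)
    local_sel, remote_sel = phase2_selectors(SERVER_NIC2_IP, REMOTE_SERVER_IP)
    return {
        "ok": not overlaps and interface_placement_ok(),
        "overlaps": overlaps,
        "sonicwall_wan": str(SW_WAN_IP),
        "phase2": {"local": local_sel, "remote": remote_sel},
        "server_route": windows_route(REMOTE_LAN, SW_LAN_IP),
        "lan_host_path": path_for("192.168.2.50", server_forwards),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan(), indent=2))
```

Run it before touching hardware: if `overlaps` is non-empty, one office has to renumber (or the tunnel needs NAT) no matter which box terminates it, and that is worth knowing before buying the second SonicWall. The `lan_host_path` entry makes the trade-off in the accepted answer explicit: with the default `server_forwards=False`, every 192.168.2.x device keeps working untouched, and only the server sees the remote site.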
