Link to home
Start Free TrialLog in
Avatar of unrealone1
unrealone1Flag for United Kingdom of Great Britain and Northern Ireland

asked on

LAN to LAN VPN - remoting into to the matrix from home

Hi All,

We have setup a triangle of LAN to LAN VPN's using IPsec. In the offices it all works fine, databases can be retrieved etc. However it appears not functional when you remote in from out of these sites into the matrix.

I have a user or two that like to work from home sometimes and need to access documents and databases from all 3 of these sites. When they client server VPN into one of the sites, they don't have network and file access to the others. One of the sites is set on a 192.168.1.xxx which is usually what most home networks are set on. However the other site should have no problem.

The site they VPN into we'll call site 1. Site 2 for the site that should have no problem and site 3 for the 192.168.1.xxx.

Home user connects to site 1 from home and can access site 1 resources. However cannot access site 2 or 3 (like I said I think I know the reasoning behind site 3). In the office it is all fine. The remote dial in user is set on the router. I assume that the user is smart enough to enter his windows credentials without getting scared of a username and password box, however this might just be the case.

Any other ideas would be appreciated.
Avatar of Muhammad Mulla
Muhammad Mulla
Flag of United Kingdom of Great Britain and Northern Ireland image

Initially, I would say try it yourself. Maybe from a cafe wifi network closeby?
Avatar of Michael Ortega
For your remote users you need to configure a hub & spoke design. What your mobile VPN users probably have access to from a NAT/ACL perspective is just the site that they are generating the tunnel to. That same site needs to have rules on it that allow the mobile VPN users to connect to the other sites. The other sites also need to know of the existence of the mobile VPN users' network (if it's a separate network from the main site they are connecting directly to). Of course, as you said, if the mobile VPN users' network overlaps one of the sites, they will not be able to access that site.

MO
Since the first time I ran into the problem with conflicting subnets (192.168.1.x at two locations in this case) I've set up all new networks with something other than the usual subnets (avoid 192.168.1.x, 192.168.0.x, 10.0.x.x, 10.1.x.x).  You can often set up the VPN client to direct ALL traffic through the VPN when connected which will avoid the problem, but that isn't always possible.

Your VPN life will be much easier if you can change the 192.168.1.x network to something else.  Alternately, change the client's network addressing.  This is likely easier in the short run but won't help you with any other client sites.
Change your split tunnel to full tunnel for remote vpn.
Avatar of unrealone1

ASKER

hi SIM50,

By full tunnel do you mean the client machine will use the gateway on the remote network?

Thanks for all comments on this
ASKER CERTIFIED SOLUTION
Avatar of SIM50
SIM50
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I will have to test it out however lots of information thank you very much