  1. #1

    RabbieBurns

    IPSec SSL VPN p2p tunnel w/o Hardware

    I want to make an IPSec point to point tunnel between 2 sites, but only one site has a router capable of IPSec VPN, and its not possible to replace the hardware at the other end for another few months. Is there a firewall (software) appliance type thing that I can run in a VM that will do the p2p IPSec and routing between the networks? Smoothwall free perhaps?

  2. #2

    SYNACK
    Do they have a Windows server at each end? It has routing and VPN server/endpoint features baked in; it's a little more work setting it up without ISA/TMG/UAG, but it can be done. Depending on the router it may be able to talk to a Windows endpoint. I think that the Untangle dists have something like this, but if you have the tools already another box may be excessive for a few months.

  3. #3

    RabbieBurns
    Yes, there's a Windows 2008 R2 at each end. Using RRAS is an option, but I thought it might be easier using IPsec? Would ISA/TMG/UAG make it easier? I can install one of them (which is the latest?) if it's easier than trying to do it straight with Windows.

    It's a Netgear DG834GT ADSL with the DGTeam custom firmware at one end, and a TP-Link thing at the other end which does have IPsec built in. I was planning on just using another TP-Link at the Netgear end when I finally get on site in October.

  4. #4

    SYNACK
    You can configure the Windows server as an IPsec or SSL VPN endpoint. TMG/UAG are the latest ones: UAG is the big one (Unified Access Gateway) that handles all sorts of remote stuff; TMG (Threat Management Gateway) is the ISA replacement, which has been discontinued and its features rolled into Server 2012 or UAG. TMG is a bit iffy and UAG is a nuclear bomb, so it would probably be easiest to just use the built-in Windows tools to enable routing and create a tunnel between the two.

    Untangle, Inc. in a VM at each end should do the job using OpenVPN in a usable GUI appliance-type form factor, as opposed to the generic text-based version where you may be eaten by a grue.

    Personally, for just a tunnel I'd just set it up under the existing systems, unless you want to segregate the systems and have lots of overhead room for an extra VM on each end and whatever additional piping is required.

  5. #5

    RabbieBurns
    Cool, cheers, I'll just use Windows. Thanks

  6. #6

    RabbieBurns
    Is there a step-by-step (aka idiot's guide) to do it with Windows Server 2008 R2?

  7. #7

    SYNACK
    Umm, there does not appear to be any complete easy ones around for R2. There is the stuff below:

    Tutorial How to Install VPN Server 2008 R2 - YouTube
    NSFW language

    Install & Configure Remote Access Server for VPN in Server 2008 - Part 1 - YouTube
    Install and Configure DHCP Server in Server2008 - Part 2 - YouTube

    Site to Site VPN Windows Server 2008 R2

    Basically you want to set up NPS on both sides and set up the servers with a couple of interfaces, set them up for both routing and remote access, then set up a dial-on-demand tunnel for the respective remote subnets, then set up the static routes to match them.

    You'll need to do that stuff with another solution too, but doing it step by step like this will probably give you a much better idea of how it all works.

    Here's an EG thread that may be helpful:
    setup VPN access on 2008R2

    and another MS one
    http://technet.microsoft.com/en-us/l...(v=ws.10).aspx
    Last edited by SYNACK; 17th August 2012 at 12:33 PM.


  9. #8

    RabbieBurns
    OK, I have made some progress; basically stumbled blindly, not really sure what I have done.

    I have managed to get 2008R2-Scotland to connect to 2008R2-Sydney, the PPP interface gets an IP from Sydney.
    I can ping from 2008R2-Scotland to the Sydney network
    I cannot ping from any other Scotland Client to Sydney

    I cannot ping to Scotland from anywhere in Sydney.
    I can ping the Sydney IP on the PPP interface of 2008R2-Scotland

    So the connection seems OK but I need to sort the routing both ways.

    (and also what port(s) are required for RRAS, as I have put 2008R2-Sydney in the DMZ atm)

  10. #9

    SYNACK
    Sounds like you're making good progress. If the tunnel is up and able to exchange pings, the next step is to verify that routing is working properly. Set a client PC's default gateway to the RRAS server's internal interface to make sure that routing is enabled from internal to the tunnel.

    You can then move to figuring out how you want to handle the routing, you may need to either put a route from your main router to the RRAS server in or pass all routable traffic via the RRAS server before it hits the gateway router.

    As to the ports, it depends on the protocol you are using and on the gateway firewalls, as you probably want to enable those protocols only to and from the appropriate endpoints on the Internet.

  11. #10

    RabbieBurns
    Setting the 2008R2-Scotland machine as the default gateway on other clients doesn't work.

    Adding a static route in the gateway to point to 2008R2-Scotland doesn't work either.

    Is there any other static routes I need to configure on 2008R2-Scotland?

    This is the routing table on 2008R2-Scotland:

    Code:
    IPv4 Route Table
    ==========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metri
              0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.45    26
        60.123.123.23  255.255.255.255      192.168.2.1     192.168.2.45
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    30
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    30
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    30
          192.168.2.0    255.255.255.0         On-link      192.168.2.45    26
         192.168.2.45  255.255.255.255         On-link      192.168.2.45    26
        192.168.2.164  255.255.255.255         On-link     192.168.2.164    30
        192.168.2.255  255.255.255.255         On-link      192.168.2.45    26
          192.168.3.0    255.255.255.0    192.168.3.112    192.168.3.111    26
        192.168.3.111  255.255.255.255         On-link     192.168.3.111    26
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    30
            224.0.0.0        240.0.0.0         On-link      192.168.2.45    26
            224.0.0.0        240.0.0.0         On-link     192.168.2.164    30
            224.0.0.0        240.0.0.0         On-link     192.168.3.111    26
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    30
      255.255.255.255  255.255.255.255         On-link      192.168.2.45    26
      255.255.255.255  255.255.255.255         On-link     192.168.2.164    30
      255.255.255.255  255.255.255.255         On-link     192.168.3.111    26
    ==========================================================================
    From that, 60.123.123.123 is the WAN IP of Sydney, 192.168.3.0/24 is the Sydney local net, and 192.168.3.111 and 192.168.3.112 are the p2p IP addresses.

    I can ping 192.168.3.111 from all Scotland clients when I add the static route pointing to 2008R2-Scotland to the main default GW. Can't ping 192.168.3.112 though.

    I have added a static route in the RAS part of the 2008R2-Scotland, which is the reason that machine can ping the remote network, but it doesn't seem to work for other local Scotland clients:

    Capture.PNG

  12. #11

    RabbieBurns
    Also, do I need to replicate the setup at the other end to get Sydney talking to Scotland?

  13. #12

    SYNACK
    Do both of the boxes have the routing role installed as well as VPN?

    How to configure Windows 2008 Server IP Routing
    Configuring Windows 2008 R2 AD Multi Site with Routing and Route Access Configuration for the lab « SMTP Port 25
    How do I make my Server 2008 (or R2) a router? - Welcome to the US SMB&D TS2 Team Blog - Site Home - TechNet Blogs

    I'd be tempted to have a separate IP network just for the tunnel, like 192.168.4.1 and .2, just to isolate stuff a bit more routing-wise, and yes, with the different tunnel you would need to replicate the setup. You'd want the different IPs on the tunnel just to make sure that it always hits the VPN and opens the tunnel. It may work the other way, but the separate link network is more commonly used - in the Cisco world at least.

  14. #13

    SYNACK
    Oh, and as to the ping, it is probably because the remote side has no route back to the local network. You could try adding a static route for the Scotland subnet on the Sydney side so that it knows where to pass packets back to; as IP is end to end, each step must know a way to get back to where it needs to go.
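    The routing table posted in #10 and the "route back" point in #13, worked through as an added example that is not part of the thread. It parses the Scotland `route print` output (only the rows that matter for the lookup are copied), chooses a route the way Windows does (longest prefix first, lowest metric as the tie-breaker), and checks that a path exists in both directions. The Sydney table, the return route, the 10.0.0.0/24 metric demo and all `10.x`/`192.168.3.10` addresses are constructed for illustration; the function names are this example's own.

```python
"""Route-table lookup over Windows `route print` output (added example).

Only the Scotland table is taken from the thread; the Sydney table and the
metric demo are constructed. Lookup = longest prefix, then lowest metric.
"""
import ipaddress
import re

# Scotland RRAS server, copied from the thread. The 60.123.123.23 host route
# has no metric in the posted output, so it is kept with an unknown metric.
SCOTLAND_ROUTE_PRINT = """\
IPv4 Route Table
==========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.45    26
    60.123.123.23  255.255.255.255      192.168.2.1     192.168.2.45
      192.168.2.0    255.255.255.0         On-link      192.168.2.45    26
      192.168.3.0    255.255.255.0    192.168.3.112    192.168.3.111    26
    192.168.3.111  255.255.255.255         On-link     192.168.3.111    26
==========================================================================
"""

# Constructed Sydney table (hypothetical addresses): its end of the tunnel is
# up, but there is no route back to the Scotland LAN 192.168.2.0/24.
SYDNEY_NO_RETURN = """\
          0.0.0.0          0.0.0.0      192.168.3.1     192.168.3.10    26
      192.168.3.0    255.255.255.0         On-link     192.168.3.10    26
    192.168.3.112  255.255.255.255         On-link    192.168.3.112    26
"""

# The fix: a static route for the Scotland subnet pointing at the far end of
# the point-to-point link, with a low metric so it beats anything broader.
SYDNEY_RETURN_ROUTE = "      192.168.2.0    255.255.255.0    192.168.3.111    192.168.3.112     3\n"

# Constructed: two equal-length routes, metric 256 versus metric 3.
METRIC_DEMO = """\
         10.0.0.0    255.255.255.0        10.9.9.1        10.9.9.2   256
         10.0.0.0    255.255.255.0        10.8.8.1        10.8.8.2     3
"""

ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UNKNOWN_METRIC = 2**31  # sorts after any real metric


def parse_route_print(text):
    """Return (network, gateway, interface, metric) tuples; skip header lines."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or not DOTTED.match(m.group(1)) or not DOTTED.match(m.group(2)):
            continue
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric) if metric else UNKNOWN_METRIC))
    return routes


def lookup(routes, dst):
    """Longest-prefix match first, lowest metric as the tie-breaker."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))


def next_hop(routes, dst):
    r = lookup(routes, dst)
    return None if r is None else r[1]


def has_specific_route(routes, dst):
    """True if something narrower than the default route covers dst; a bare
    0.0.0.0/0 match would push LAN traffic to the Internet gateway instead."""
    r = lookup(routes, dst)
    return r is not None and r[0].prefixlen > 0


def reachable_both_ways(local_routes, local_host, remote_routes, remote_host):
    """(forward, return): the local side needs a route to remote_host AND the
    remote side needs a route back to local_host, or replies never arrive."""
    return (has_specific_route(local_routes, remote_host),
            has_specific_route(remote_routes, local_host))


if __name__ == "__main__":
    scot = parse_route_print(SCOTLAND_ROUTE_PRINT)
    syd = parse_route_print(SYDNEY_NO_RETURN)
    print("Scotland -> 192.168.3.50 via", next_hop(scot, "192.168.3.50"))
    print("before return route:", reachable_both_ways(scot, "192.168.2.50", syd, "192.168.3.50"))
    syd_fixed = parse_route_print(SYDNEY_NO_RETURN + SYDNEY_RETURN_ROUTE)
    print("after return route: ", reachable_both_ways(scot, "192.168.2.50", syd_fixed, "192.168.3.50"))
    print("metric 256 vs 3 -> next hop", next_hop(parse_route_print(METRIC_DEMO), "10.0.0.7"))
```

    Run it as-is to see the one-way result from the thread reproduced (forward True, return False) and then corrected once the Sydney side has a route for 192.168.2.0/24; the metric demo shows why a route with metric 3 wins over an equal-length route with metric 256.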

  15. #14

    RabbieBurns
    Certainly when I have used OpenVPN it uses a separate network, for sure. I'll give those links a read at work in the morning, thanks.

    I have installed the role on both, yes. I'll try with a separate network just now - I just left it as the default, which was DHCP.

  16. #15

    RabbieBurns
    Aha, I figured it out. I changed the metric in the static route in RAS to 3 rather than the default 256 and it works.

    Also replicated the setup in Sydney. I can now ping from my laptop here to the Scotland network.

    That was pretty easy actually, now I understand what's going on. Thanks for your help SYNACK.
