17th August 2012, 10:06 AM #1
IPSec SSL VPN p2p tunnel w/o Hardware
I want to make an IPSec point to point tunnel between 2 sites, but only one site has a router capable of IPSec VPN, and it's not possible to replace the hardware at the other end for another few months. Is there a firewall (software) appliance type thing that I can run in a VM that will do the p2p IPSec and routing between the networks? Smoothwall free perhaps?
17th August 2012, 10:18 AM #2
Do they have a Windows server at each end? It has routing and VPN server/endpoint features baked in; it's a little more work setting it up without ISA/TMG/UAG but it can be done. Depending on the router it may be able to talk to a Windows endpoint. I think that Untangle distros have something like this, but if you have the tools already another box may be excessive for a few months.
17th August 2012, 10:22 AM #3
Yes, there's a Windows 2008 R2 at each end. Using RRAS is an option but I thought it might be easier using IPsec? Would ISA/TMG/UAG make it easier? I can install one of them (which is the latest?) if it's easier than trying to do it straight with Windows.
It's a Netgear DG834GT ADSL with the DGTeam custom firmware at one end, and a TP-Link thing at the other end which does have IPsec built in. I was planning on just using another TP-Link at the Netgear end when I finally get on site in October.
17th August 2012, 11:01 AM #4
You can configure the Windows server as an IPsec or SSL VPN endpoint. TMG/UAG are the latest ones: UAG is the big one (Unified Access Gateway) that handles all sorts of remote stuff; TMG (Threat Management Gateway) is the ISA replacement, which has been discontinued and its features rolled into Server 2012 or UAG. TMG is a bit iffy and UAG is a nuclear bomb, so it would probably be easiest to just use the built-in Windows tools to enable routing and create a tunnel between the two.
Untangle, Inc. in a VM at each end should do the job using OpenVPN in a usable GUI appliance type form factor, as opposed to the generic text based version where you may be eaten by a grue.
Personally, for just a tunnel I'd just set it up under the existing systems, unless you want to segregate the systems and have lots of overhead room for an extra VM on each end and whatever additional piping is required.
17th August 2012, 11:23 AM #5
Cool, cheers. I'll just use Windows. Thanks
17th August 2012, 12:11 PM #6
Is there a step by step (aka idiot's guide) to do it with Windows Server 2008 R2?
17th August 2012, 12:32 PM #7
Umm, there does not appear to be any complete easy ones around for R2. There is the stuff below:
Tutorial How to Install VPN Server 2008 R2 - YouTube
Install & Configure Remote Access Server for VPN in Server 2008 - Part 1 - YouTube
Install and Configure DHCP Server in Server2008 - Part 2 - YouTube
Site to Site VPN Windows Server 2008 R2
Basically you want to set up NPS on both sides and set up the servers with a couple of interfaces, set them up for both routing and remote access, then set up a dial on demand tunnel for the respective remote subnets, then set up the static routes to match them.
You'll need to do that stuff with another solution too, but doing it step by step like this will probably give you a much better idea of how it all works.
Here's an EG thread that may be helpful:
setup VPN access on 2008R2
and another MS one
Last edited by SYNACK; 17th August 2012 at 12:33 PM.
19th August 2012, 09:48 AM #8
OK, I have made some progress, basically stumbled blindly not really sure what I have done.
I have managed to get 2008R2-Scotland to connect to 2008R2-Sydney, the PPP interface gets an IP from Sydney.
I can ping from 2008R2-Scotland to the Sydney network
I cannot ping from any other Scotland Client to Sydney
I cannot ping to Scotland from anywhere in Sydney.
I can ping the Sydney IP on the PPP interface of 2008R2-Scotland
So the connection seems OK but I need to sort the routing both ways.
(and also what port(s) are required for RRAS, as I have put 2008R2-Sydney in the DMZ atm)
19th August 2012, 10:13 AM #9
Sounds like you're making good progress. If the tunnel is up and able to exchange pings, the next step is to verify that routing is working properly. Set a client PC's default gateway to the RRAS server's internal interface to make sure that routing is enabled from internal to the tunnel.
You can then move to figuring out how you want to handle the routing; you may need to either put a route from your main router to the RRAS server in, or pass all routable traffic via the RRAS server before it hits the gateway router.
As to the ports, it depends on the protocol you are using and on the gateway firewalls, as you probably want to enable those protocols only to and from the appropriate endpoints on the internet.
19th August 2012, 12:44 PM #10
Setting the 2008R2-Scotland machine as the default gateway on other clients doesn't work.
Adding a static route in the gateway to point to 2008R2-Scotland doesn't work either.
Is there any other static routes I need to configure on 2008R2-Scotland?
This is the routing table on 2008R2-Scotland:
From that, 188.8.131.52 is the WAN IP of Sydney, 192.168.3.0/24 is the Sydney local net, and 192.168.3.111 and 192.168.3.112 are the p2p IP addresses.
IPv4 Route Table
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.45 26
184.108.40.206 255.255.255.255 192.168.2.1 192.168.2.45
127.0.0.0 255.0.0.0 On-link 127.0.0.1 30
127.0.0.1 255.255.255.255 On-link 127.0.0.1 30
127.255.255.255 255.255.255.255 On-link 127.0.0.1 30
192.168.2.0 255.255.255.0 On-link 192.168.2.45 26
192.168.2.45 255.255.255.255 On-link 192.168.2.45 26
192.168.2.164 255.255.255.255 On-link 192.168.2.164 30
192.168.2.255 255.255.255.255 On-link 192.168.2.45 26
192.168.3.0 255.255.255.0 192.168.3.112 192.168.3.111 26
192.168.3.111 255.255.255.255 On-link 192.168.3.111 26
220.127.116.11 240.0.0.0 On-link 127.0.0.1 30
18.104.22.168 240.0.0.0 On-link 192.168.2.45 26
22.214.171.124 240.0.0.0 On-link 192.168.2.164 30
126.96.36.199 240.0.0.0 On-link 192.168.3.111 26
255.255.255.255 255.255.255.255 On-link 127.0.0.1 30
255.255.255.255 255.255.255.255 On-link 192.168.2.45 26
255.255.255.255 255.255.255.255 On-link 192.168.2.164 30
255.255.255.255 255.255.255.255 On-link 192.168.3.111 26
I can ping 192.168.3.111 from all Scotland clients when I add the static route pointing to 2008R2-Scotland to the main default GW. Can't ping 192.168.3.112 though.
I have added a static route in the RAS part of 2008R2-Scotland, which is the reason that machine can ping the remote network, but it doesn't seem to work for other local Scotland clients:
19th August 2012, 01:01 PM #11
Also, do I need to replicate the setup at the other end to get Sydney talking to Scotland?
19th August 2012, 01:03 PM #12
Do both of the boxes have the routing role installed as well as VPN?
How to configure Windows 2008 Server IP Routing
Configuring Windows 2008 R2 AD Multi Site with Routing and Route Access Configuration for the lab « SMTP Port 25
How do I make my Server 2008 (or R2) a router? - Welcome to the US SMB&D TS2 Team Blog - Site Home - TechNet Blogs
I'd be tempted to have a separate IP network just for the tunnel, like 192.168.4.1 and .2, just to isolate stuff a bit more routing wise, and yes, with the different tunnel you would need to replicate the setup. You'd want the different IPs on the tunnel just to make sure that it always hits the VPN and opens the tunnel. It may work the other way, but the separate link network is more commonly used - in the Cisco world at least.
19th August 2012, 01:33 PM #13
Oh, and as to the ping, it is probably because the remote side had no route back to the local network. You could try adding a static route for the Scotland subnet on the Sydney side so that it knows where to pass packets back to, as IP is end to end: each step must know a way to get back to where it needs to go.
19th August 2012, 01:41 PM #14
Certainly when I have used OpenVPN it uses a separate network for sure. I'll give those links a read at work in the morning, thanks.
I have installed the role on both, yes. I'll try with a separate network just now - I just left it as the default, which was DHCP.
19th August 2012, 01:47 PM #15
Aha, I figured it out. I changed the metric in the static route in RAS to 3 rather than the default 256 and it works.
Also replicated the setup in Sydney. I can now ping from my laptop here to the Scotland network.
That was pretty easy actually, now I understand what's going on. Thanks for your help SYNACK.
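The routing table pasted in #10, the "no route back" point made in #13 and the metric fix in #15 all come down to the same two checks: which entry wins the lookup on each box, and whether the remote box has a return route. The following Python is an added worked example (not code from the thread or from Windows RRAS) that parses a `route print` style table, does the longest-prefix / lowest-metric lookup Windows performs, and checks both directions of the tunnel. The Scotland table is a subset of the lines posted in #10; both Sydney tables are constructed here as assumptions, "before" with no route for 192.168.2.0/24 and "after" with the static route added in #15.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means the entry was "On-link"
    interface: ipaddress.IPv4Address
    metric: int

def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 body of a Windows 'route print' table.
    Only five-column lines (dest, mask, gateway, interface, metric) are
    accepted; headers, blank lines and truncated lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue   # not a route line
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths the lowest metric wins
    (why dropping the RAS static route metric from 256 to 3 changes behaviour)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))

def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Human-readable next hop for dst, or None if the table has no match."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return str(r.gateway) if r.gateway is not None else f"on-link via {r.interface}"

def tunnel_reachable(routes: List[Route], remote_subnet: str) -> bool:
    """True if a host in remote_subnet matches a route more specific than the
    default route, i.e. the packet will not just fall through to the Internet GW."""
    net = ipaddress.IPv4Network(remote_subnet)
    r = lookup(routes, str(net.network_address + 1))
    return r is not None and r.network.prefixlen > 0

def bidirectional(local: List[Route], remote: List[Route],
                  local_subnet: str, remote_subnet: str) -> bool:
    """The #13 check: IP is end to end, so BOTH sides need a route to the other."""
    return tunnel_reachable(local, remote_subnet) and tunnel_reachable(remote, local_subnet)

# Subset of the 2008R2-Scotland table from post #10 (multicast/broadcast rows omitted).
SCOTLAND = parse_route_print("""
0.0.0.0          0.0.0.0          192.168.2.1    192.168.2.45   26
192.168.2.0      255.255.255.0    On-link        192.168.2.45   26
192.168.2.45     255.255.255.255  On-link        192.168.2.45   26
192.168.3.0      255.255.255.0    192.168.3.112  192.168.3.111  26
192.168.3.111    255.255.255.255  On-link        192.168.3.111  26
""")

# Constructed Sydney tables (assumed, not from the thread): before and after the
# static route back to the Scotland subnet is added over the tunnel.
SYDNEY_BEFORE = parse_route_print("""
0.0.0.0          0.0.0.0          192.168.3.1    192.168.3.20   26
192.168.3.0      255.255.255.0    On-link        192.168.3.20   26
192.168.3.112    255.255.255.255  On-link        192.168.3.112  26
""")
SYDNEY_AFTER = SYDNEY_BEFORE + parse_route_print(
    "192.168.2.0      255.255.255.0    192.168.3.111  192.168.3.112  3")

if __name__ == "__main__":
    print("Scotland -> 192.168.3.50 via", next_hop(SCOTLAND, "192.168.3.50"))
    print("tunnel usable before Sydney route:",
          bidirectional(SCOTLAND, SYDNEY_BEFORE, "192.168.2.0/24", "192.168.3.0/24"))
    print("tunnel usable after Sydney route: ",
          bidirectional(SCOTLAND, SYDNEY_AFTER, "192.168.2.0/24", "192.168.3.0/24"))
```

Paste the real `route print` output from each box into `parse_route_print` and run `bidirectional` before opening any firewall holes: if it returns False, the problem is a missing or out-prioritised route rather than the tunnel itself, which is exactly the situation posts #10 and #13 describe.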