LAN to LAN VPN

  • LAN to LAN VPN

    Hi

    We have a couple of staff who work in a local council office. They connect their laptops to the council office LAN, establish a VPN connection to our network and then do their work. The VPN is used for Internet access, IMAP access and of course their data which sits on our server.

    The powers that be who run the IT in the council office have decided that after 4 years of this working fine, that these 2 laptops pose a security risk (they could conceivably infect the council LAN with malware), and we have been told that we need to purchase a Wi-Fi device that can be setup so that it is permanently connected via VPN to our network. The two members of staff would then connect to the device and effectively be on our network.

    My question is, I have looked at products like Aerohive, but they seem pretty expensive from a charity perspective, so I was wondering if any UK forum members could recommend a device that has this capability and which may be cheaper.

    I ask because this is completely new to me and I don't want to purchase something that is not up to the job.

    Thanks!
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #2
    Re: LAN to LAN VPN

    IME you are always best sticking with the same brands at both ends, so I'd match whatever router you have at your main office. Theoretically an IPSEC VPN is an IPSEC VPN, but in practice where I've had, for example, a Draytek at one end and a Netgear at the other there have been stability issues.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog

    • #3
      Re: LAN to LAN VPN

      Thanks. We have a Draytek 2830 and use L2TP. I'll look at another Draytek.
      A recent poll suggests that 6 out of 7 dwarfs are not happy

      • #4
        Re: LAN to LAN VPN

        I've set up IPSEC tunnels on those before; it's a bit of a PITA IIRC because of the interface. Might be different in the newer firmware, but the old ones used to have to be configured twice, once for each direction of the tunnel.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog

        • #5
          Re: LAN to LAN VPN

          Going through this again it is simpler than I first thought. The VPN needs to be one way from the remote office to ours. The council's IT providers want our machines off their network so I just need to set up a wireless device which I can configure so that there is a permanent VPN connection to our office. I don't need to access the remote computers and I doubt the IT provider would allow access anyway.

          Thanks for the suggestions thus far. I now need to learn how to set up a permanent one way VPN connection. I'll go through the usual sites but if anyone has any resources which they have found very useful I would appreciate it if you could share them. I don't have the luxury of time on my side to fully research it so I need to get this right first time.
          A recent poll suggests that 6 out of 7 dwarfs are not happy

          • #6
            Re: LAN to LAN VPN

            All you need to know in advance is the external IPs of both ends of the tunnel, and the subnet ranges that are behind them. All the rest of the stuff you just need to make sure is the same at both ends. You'll probably be using a pre-shared key, and pick IPSEC options from the dropdowns for the Main Mode and Quick Mode SAs.

            Draytek have an article that may help.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog

            • #7
              Re: LAN to LAN VPN

              Thanks. I have also seen this article.

              Going through it, I have realised (once again) that my setup is a little different because I do not have control of the remote office gateway. The permanent VPN connection must be established from a Wi-Fi device that will in turn be connected to the gateway.

              This is the setup as I understand it. The items in red are beyond my control:


              Can the Draytek be configured to point to another gateway? I've only ever configured Draytek devices as gateways or as dumb Wi-Fi points where Windows DHCP gave the clients the DNS info (our network is very basic).

              Will I need to look at purchasing a different type of device?
              A recent poll suggests that 6 out of 7 dwarfs are not happy

              • #8
                Re: LAN to LAN VPN

                Shouldn't be an issue. The Draytek at the remote end will need to be the dialer/initiator as I would assume they won't allow a port forward on the gateway there, so you will never be able to initiate the connection from the head office end which I doubt is an issue.

                I think the 2830 has an Ethernet WAN port as well as ADSL so can still be used, but it'll need a static IP on the network for its WAN port and then you have your own subnet behind it.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog

                • #9
                  Re: LAN to LAN VPN

                  Thank you very much. I was looking at the Ethernet WAN port and wondered if that was what I needed to configure. And, yes, the Wi-Fi device will be given a static IP address. It's all starting to come together in my mind now. Thanks again.

                  I'll do more research on this and may just have a couple of Q's.
                  A recent poll suggests that 6 out of 7 dwarfs are not happy

                  • #10
                    Re: LAN to LAN VPN

                    Can I run this past someone, please?

                    I've configured what will be the remote wireless Draytek router and our own office router for LAN to LAN VPN. The VPN connection will be 'always on'. There is no other network access at the remote office. The staff will connect to the Wi-Fi, and then be on the VPN without further ado (I hope).


                    Details:
                    Remote Office:
                    Remote office Draytek = 10.208.73.200/255.255.254.0
                    Remote office gateway = 10.208.73.254
                    The remote office Draytek will have a permanent VPN connection to our office.

                    Remote Draytek connection details:
                    I have disabled the ADSL connection settings under WAN > General Setup > WAN1 (ADSL)
                    I have disabled the ADSL settings under WAN > Internet Access > WAN1 (ADSL)
                    I have configured the Ethernet settings under WAN > Internet Access > WAN2 (Ethernet) as: Static or Dynamic IP > static IP, subnet mask and gateway defined. (Enable + Specify an address) as shown above

                    Remote Draytek DHCP:
                    I need to set up DHCP on the remote office Draytek. Because each LAN needs to be on a different subnet I assume I can use 10.208.73.10 as the starting point, and that the remote office gateway address will be the DNS server. Only two people will be connecting so the default pool of 10 will be sufficient.



                    Now, as I have never done this before I don't know if further configuration of the client computers will be required. Will the staff be able to join the Wi-Fi network created by the router and then simply be able to access our servers because the VPN connection will already be established?

                    I have to get this right first time because I cannot expect any help at the Remote Office. As I will need to be at the remote office to install the router there is no one at the other end of the VPN tunnel who can help in case the connection does not work.

                    I will, therefore, be extremely grateful if anyone can help verify these details or offer helpful suggestions.

                    Thanks.

                    [Edit]
                    Right - I've read that when a 10.208.73.x PC requests a 192.168.0.x address, the request is automatically routed over the VPN. Also, I can piggy-back on another company's Wi-Fi while at the remote office which means I can access our (the destination) router over the Internet if any settings need to be changed.
                    Last edited by Blood; 20th November 2014, 16:21.
                    A recent poll suggests that 6 out of 7 dwarfs are not happy

                    • #11
                      Re: LAN to LAN VPN

                      Does anyone know if setting up a permanent VPN connection between two routers will affect other (traditional, normal), PC --> Network VPN connections?
                      A recent poll suggests that 6 out of 7 dwarfs are not happy

                      • #12
                        Re: LAN to LAN VPN

                        Just waiting for the people who manage the remote office's IT to verify the VPN traffic will pass through their firewall.

                        I had to make a change to the config on the routers as the guide published by Draytek assumes that no other VPN connections are being made. When I set up the 'always on' PPTP LAN to LAN VPN profiles our office router stopped 'on demand' VPN connections from being made (staff were getting error 718: the remote computer did not respond in a timely fashion).

                        Windows 'on demand' VPN connections use PPTP by default. I changed the LAN to LAN profiles to use L2TP and staff were able to connect again.

                        My only concern now is whether the L2TP will work because I have not been able to test it. Also, previous experience with the people who manage the remote office IT has proven to be a little frustrating so if the firewall has not been configured with all the ports, I will have to wait for them to confirm that, then wait for their change control management procedures to be logged, reviewed, authorised and then enacted, and then test again.

                        I am also a little concerned about Draytek's track record with L2TP LAN to LAN VPN connections. I have seen several threads where people have complained that traffic is s-l-o-w, connections frequently drop etc.

                        Coupled with my lack of experience with this, and never even having worked with L2TP before I'm a little anxious I need a large
                        A recent poll suggests that 6 out of 7 dwarfs are not happy

                        • #13
                          Re: LAN to LAN VPN

                          I'm trying this now at the remote office and am having a problem.

                          The remote office router gives out addresses in the 10.208.73.xxx range via DHCP and this is working fine.

                          The router at the 'remote office' can establish the L2TP LAN to LAN VPN outgoing connection to our office router - the status of the connection is shown as Online. I have used another wireless network in the building to log onto our office router and it shows the L2TP LAN to LAN VPN incoming connection as Online. Our office network uses 192.168.0.xxx

                          The problem is that my client laptop at the remote office, while it gets a 10.208.73.xxx address has local network access only. So, although the VPN tunnel has been established, I cannot get onto the Internet, nor can I access the office network.

                          When I spoke to Draytek's support via email I asked if any extra configuration was required beyond that described in the articles linked to above. The support technician said no, once the tunnel was established it should just work.

                          I have tried various settings on the routers which simply disabled the VPN tunnel so those changes have been reverted. The last thing I tried was to enable RIP Protocol Control under LAN > General Setup > Details Page > LAN 1 Ethernet TCP/IP and DHCP Setup on both routers as the user guide for the device says this will allow routers to exchange routing information but this did not work either.

                          I will speak to the people who manage the remote office IT and see if they can help but in the meantime if anyone has any suggestions I might try I'd appreciate it if you could post them.

                          Thanks
                          A recent poll suggests that 6 out of 7 dwarfs are not happy

                          • #14
                            Re: LAN to LAN VPN

                            May not help, but I have found that Windows sometimes has issues with VPNs unless you do a "ROUTE ADD" to tell it where to direct packets to the remote network.
                            Tom Jones
                            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                            PhD, MSc, FIAP, MIITT
                            IT Trainer / Consultant
                            Ossian Ltd
                            Scotland

                            ** Remember to give credit where credit is due and leave reputation points where appropriate **

                            • #15
                              Re: LAN to LAN VPN

                              Thanks Ossian.

                              I've never had to use the ROUTE ADD command before so I'll give it a go.

                              How about:
                              route add 10.0.0.0 mask 255.0.0.0 192.168.0.95

                              where 10.0.0.0 is the local network and 192.168.0.95 is the address of the remote office gateway. However, the local gateway uses a subnet mask of 255.255.254.0 so will the mask parameter need to be changed to 255.255.254.0?

                              [Edit]
                               Haha - probably not. I assume that 255.0.0.0 covers all 255.xxx.xxx.xxx variations... when used in this context. My head has been fizzing over this for the last three hours so I may not be thinking straight.
                              Last edited by Blood; 9th December 2014, 14:46.
                              A recent poll suggests that 6 out of 7 dwarfs are not happy
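As an added example (not from the thread or from Draytek), here is a Python check of the addressing questions raised in posts #10 and #15: which destinations each `route add` mask covers, that a static route's gateway must sit on a directly connected subnet, and how longest-prefix match picks the route. It assumes the head-office LAN is 192.168.0.0/24 and that the remote Draytek at 10.208.73.200 is the laptops' next hop for head-office traffic; the route table is constructed for illustration.

```python
import ipaddress

# Addresses taken from the thread: the remote office hands out 10.208.73.x with
# mask 255.255.254.0, so its LAN is 10.208.72.0/23; the head office uses
# 192.168.0.x (the /24 length is an assumption, the thread only says 192.168.0.xxx).
REMOTE_LAN = ipaddress.ip_network("10.208.72.0/23")
OFFICE_LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed prefix length


def lans_are_distinct(lan_a, lan_b):
    """A LAN-to-LAN tunnel can only route between subnets that do not overlap."""
    return not lan_a.overlaps(lan_b)


def windows_route(destination, mask, gateway):
    """Translate a `route add DEST mask MASK GATEWAY` triple into the prefix it
    actually covers; strict=False lets a host address stand in for the network."""
    network = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
    return network, ipaddress.ip_address(gateway)


def next_hop_is_on_link(local_lan, gateway):
    """A static route is only usable if its gateway is on a directly connected
    subnet; an address on the far side of the tunnel cannot be a next hop."""
    return ipaddress.ip_address(gateway) in local_lan


def select_route(table, target):
    """Longest-prefix match, as a host's IP stack does it: the most specific
    route containing the target wins; returns the gateway as a string, or None."""
    target = ipaddress.ip_address(target)
    best = None
    for network, gateway in table:
        if target in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return None if best is None else str(best[1])


# Constructed route table for a laptop on the remote-office Wi-Fi: default route
# via the council gateway named in the thread, plus a more specific route that
# sends head-office traffic to the remote Draytek (assumed to hold the tunnel).
LAPTOP_ROUTES = [
    windows_route("0.0.0.0", "0.0.0.0", "10.208.73.254"),
    windows_route("192.168.0.0", "255.255.255.0", "10.208.73.200"),
]

if __name__ == "__main__":
    print("LANs distinct:", lans_are_distinct(REMOTE_LAN, OFFICE_LAN))
    print("10.0.0.0 mask 255.0.0.0 covers", windows_route("10.0.0.0", "255.0.0.0", "10.208.73.200")[0])
    print("192.168.0.10 ->", select_route(LAPTOP_ROUTES, "192.168.0.10"))
```

The mask decides the size of the covered block (255.0.0.0 is every 10.x.x.x address, 255.255.254.0 is only 10.208.72.0-10.208.73.255), and a next hop such as 192.168.0.95 is not on the remote LAN, so a route pointing at it cannot be used from a 10.208.73.x laptop.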
