  • 2 sites VPN

    Ok, I've gone and gotten myself confused all over again!

    After my initial hiccups setting up my Domain over 2 locations, all now seems to be well. Location 1 has DC01 and a RAS. Location 2 has DC02, which is also a RAS. I've basically been trying to set the 2 locations up so that anyone from either location can log on at either location. What I've done now, though, is completely confused myself as to the best way to do this.

    Currently, and I know this isn't the way to do it, I have DC02 VPN'ing into the network at location 1. This is all well and good for replication and TX'ing files from DC01 to DC02 etc., but no other PC can see the network on the other side of the VPN, obviously. Both sites are running high speed broadband and traffic isn't an issue.

    Can someone advise me the best way to connect these 2 locations up? I would ideally need IP suggestions as well, as I want to get this 100% right now. Currently site 1 is 192.168.174.x and site 2 is 192.168.176.x. I also assume that really these need the same IP?

    I'm guessing that I need to create a VPN or something between the 2 routers, but one of them is old(ish) and doesn't support that. If need be I can go get another one, but want to be sure that this is the correct solution first.

    Cheers.
    James.
    James
    MCP

  • #2
    Re: 2 sites VPN

    You should set up a site-to-site VPN.
    It depends on your firewalls.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: 2 sites VPN

      Yes, site-to-site VPN is the way to do it.

      I believe RAS may be able to do it on the software level, but I would advise against that. Post what firewalls you use and maybe we can help you further.

      I have done it with Cisco as well as with Global Technology Associates equipment.



      • #4
        Re: 2 sites VPN

        Just to throw in more info... this might get you started if you own Cisco gear or can purchase it:

        http://www.cisco.com/en/US/netsol/ns...tion_home.html

        Also, the IPs are fine.

        Each physical location should be on a different subnet, which yours are. KEEP THAT AS IS!

        It should be as follows:

        LAN loc1 -> firewall loc1 -> router -> === internet cloud === <- router <- firewall loc2 <- LAN loc2

        Within your firewalls you will establish a link from one place to the other and vice versa, using appropriate VPN encryption. What happens then is that your firewalls will wrap any packets intended for the other location into a packet with a destination of firewall2, which is then able to unwrap it and deliver it to LAN2. Of course this works both ways, but all the work is done by your VPN appliance (usually a firewall).

        Let's assume loc1 = .174.xxx subnet
        loc2 = .176.xxx subnet

        So if you are on the .174 subnet and you attempt to access a PC in the .176 subnet, your firewall will know that anything going to .176.xxx is supposed to go out on the WAN/VPN link with its destination being the public IP of the loc2 firewall. That firewall will get the packet and, since it has all the encryption keys and whatnot to decipher it, it will unwrap it and deliver it to the switch behind it with the proper destination of some PC on .176.xxx.

        Now if you are in loc1 and you go to www.google.com, then the firewall knows the destination isn't your loc2 subnet and just lets it go out as normal without doing any VPN work on it.

        It's sort of simplified, but basically you are looking at buying 2 new hardware appliances if you want to do it right.
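The routing and wrap/unwrap behaviour described in the post above, as an added illustration that is not code from this thread or from any vendor's appliance. It models two site gateways with the thread's .174 and .176 ranges (assumed to be /24s); the public IPs 198.51.100.1 and 203.0.113.1 are constructed documentation addresses, and the "wrapping" is a plain encapsulation standing in for the real encryption and authentication. The receiving side also drops wrapped packets whose inner source is not in the peer's LAN, which is the anti-spoofing check a practitioner would want on any tunnel endpoint.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """A minimal IP packet: source, destination and payload."""
    src: IPv4Address
    dst: IPv4Address
    payload: bytes


def make_packet(src, dst, payload):
    return Packet(ip_address(src), ip_address(dst), payload)


class Gateway:
    """A site firewall with one LAN behind it and site-to-site tunnel policies.

    peers maps a remote LAN (e.g. "192.168.176.0/24") to the public IP of the
    gateway serving it. All addresses used here are constructed for the example.
    """

    def __init__(self, name, public_ip, lan, peers):
        self.name = name
        self.public_ip = ip_address(public_ip)
        self.lan = ip_network(lan)
        self.peers = {ip_network(net): ip_address(gw) for net, gw in peers.items()}

    def classify(self, dst):
        """Routing decision for a destination: ("local", None),
        ("tunnel", peer_gateway_ip) or ("internet", None).
        Tunnel policies are matched longest-prefix-first, like a route table."""
        dst = ip_address(dst)
        if dst in self.lan:
            return "local", None
        best = None
        for net, gw in self.peers.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is not None:
            return "tunnel", best[1]
        return "internet", None

    def outbound(self, pkt):
        """Handle a packet leaving the LAN. Packets for a peer LAN are wrapped in an
        outer packet from our public IP to the peer gateway (a real appliance also
        encrypts and authenticates the inner packet here); anything else is unchanged."""
        kind, gw = self.classify(pkt.dst)
        if kind != "tunnel":
            return kind, pkt
        inner = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
        return kind, Packet(self.public_ip, gw, inner)

    def inbound_from_tunnel(self, outer):
        """Unwrap an outer packet from a peer and hand it to the LAN. Returns the inner
        packet, or None when it must be dropped: wrong outer destination, unknown peer,
        malformed wrapper, inner source outside that peer's LAN (spoofing), or inner
        destination outside our LAN."""
        if outer.dst != self.public_ip or outer.src not in self.peers.values():
            return None
        parts = outer.payload.split(b"|", 2)
        if len(parts) != 3:
            return None
        src, dst, payload = parts
        inner = Packet(ip_address(src.decode()), ip_address(dst.decode()), payload)
        peer_lan = next(net for net, gw in self.peers.items() if gw == outer.src)
        if inner.src not in peer_lan or inner.dst not in self.lan:
            return None
        return inner


def run_example():
    """Build both gateways from the thread's subnets and push three packets through."""
    loc1 = Gateway("loc1", "198.51.100.1", "192.168.174.0/24", {"192.168.176.0/24": "203.0.113.1"})
    loc2 = Gateway("loc2", "203.0.113.1", "192.168.176.0/24", {"192.168.174.0/24": "198.51.100.1"})
    results = {}
    # 1. a LAN1 host reaches a PC on LAN2: wrapped at loc1, unwrapped at loc2
    kind, outer = loc1.outbound(make_packet("192.168.174.10", "192.168.176.20", b"ping"))
    results["remote_kind"] = kind
    results["outer_dst"] = str(outer.dst)
    results["delivered_to"] = str(loc2.inbound_from_tunnel(outer).dst)
    # 2. the same host browsing a web server on the internet (constructed address): no VPN work
    kind, plain = loc1.outbound(make_packet("192.168.174.10", "192.0.2.80", b"GET /"))
    results["internet_kind"] = kind
    results["internet_unchanged"] = plain.dst == ip_address("192.0.2.80")
    # 3. a wrapped packet whose inner source is not in LAN1 is dropped by loc2
    _, forged = loc1.outbound(make_packet("10.9.8.7", "192.168.176.20", b"spoof"))
    results["forged_dropped"] = loc2.inbound_from_tunnel(forged) is None
    return results


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The decision in `classify` is the whole point of the post: traffic for the other site's subnet is sent to the peer gateway's public IP, everything else goes out untouched, which is also why the two sites must keep distinct subnets.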



        • #5
          Re: 2 sites VPN

          Originally posted by ZrOuT:
          It's sort of simplified, but basically you are looking at buying 2 new hardware appliances if you want to do it right.

          Although it depends on their current firewalls (I assume they have some).
          Marcel


          • #6
            Re: 2 sites VPN

            Excellent, cheers for that guys!

            For reference, I currently have 2 Netgear firewall/routers. One can do VPN, the other cannot as it is quite old.
            James
            MCP



            • #7
              Re: 2 sites VPN

              Hmm, I would recommend upgrading. If it can't support VPN, then it is very old.
              Marcel


              • #8
                Re: 2 sites VPN

                Originally posted by ZrOuT:
                Also, the IPs are fine.

                Each physical location should be on a different subnet, which yours are. KEEP THAT AS IS!

                It should be as follows:

                LAN loc1 -> firewall loc1 -> router -> === internet cloud === <- router <- firewall loc2 <- LAN loc2

                Within your firewalls you will establish a link from one place to the other and vice versa, using appropriate VPN encryption. What happens then is that your firewalls will wrap any packets intended for the other location into a packet with a destination of firewall2, which is then able to unwrap it and deliver it to LAN2. Of course this works both ways, but all the work is done by your VPN appliance (usually a firewall).

                Let's assume loc1 = .174.xxx subnet
                loc2 = .176.xxx subnet

                So if you are on the .174 subnet and you attempt to access a PC in the .176 subnet, your firewall will know that anything going to .176.xxx is supposed to go out on the WAN/VPN link with its destination being the public IP of the loc2 firewall. That firewall will get the packet and, since it has all the encryption keys and whatnot to decipher it, it will unwrap it and deliver it to the switch behind it with the proper destination of some PC on .176.xxx.

                Now if you are in loc1 and you go to www.google.com, then the firewall knows the destination isn't your loc2 subnet and just lets it go out as normal without doing any VPN work on it.

                It's sort of simplified, but basically you are looking at buying 2 new hardware appliances if you want to do it right.

                Ok, I know it's been a long time since this topic started and ended, but I'm quoting exactly what I already have and accomplished. I mean I have 2 domains with different subnets and names, connected with a site-to-site VPN. If I restart either of the servers they automatically connect to each other. I have ISA 2004 and Win 2003 Server on both domains. My only problem is the following:

                I can ping using IP numbers from server1 to server2 and vice versa:

                ping 192.168.0.5 -t from subnet 192.168.1.0 -> OK
                ping 192.168.1.7 -t from subnet 192.168.0.0 -> OK

                but I CAN'T ping using computer names from either of the servers:

                ping computer3 -t from either subnet to the other subnet -> I CAN'T

                Besides, I CAN'T see the remote network in "My Network Neighborhood".

                What am I doing wrong? Is there something I'm missing? Please help me.
