
How can I setup a VPN between two sites

Status
Not open for further replies.

niallo32

IS-IT--Management
Apr 29, 2004
404
IE
I have a Windows Server 2003 with eight XP clients all with IP Addresses 192.168.1.x.

They are connected to a patch panel and a 12 port Switch. They get their IP addresses from a Broadband router which issues them via DHCP.

The broadband connection is a 2MB connection. All clients have internet access.

I have a second site about 600 yards away with seven clients who are all connected to a patch panel and a switch and get their IP addy's from a Broadband router - all of the client IP addys are 192.168.1.x. All clients have Internet access.

How can I set up a VPN so that the client PCs in the second site can connect to the Windows Server 2003 in the first site and that there is a dedicated VPN between the two sites?

My apologies if this has already been asked in previous posts, I tried searching before I posted this.

Thanks

 
What make and model router at each location?
 
Neither site has a router as such. They are small workgroups setup in both sites temporarily. They connect to the net through the ADSL modem.

Can I simply find out a Public IP addy from the ISP, assign that to the 2nd NIC on the Server 2003, set that as the VPN Server, then setup the XP clients as VPN clients?
 
I've now got a Netopia Cayman 3346 Router in each site. I have gotten two static IP addys from my ISP, and I'll configure each Router with their respective static IP addresses.

How can I get the clients in the second site to have a VPN to site one?

Thanks
 
You have a couple of options: we can do it with Windows Server 2003 or you can buy two Linksys routers. Please let me know and I will draw something up.
 
I'll buy two Linksys Routers - the Server 2003 only has one nic and it's probably easier to use the Routers.

Your help is much appreciated!
 
Unless you subscribe to a static IP DSL service you will not be able to just get and use a public IP address. Those are assigned by your ISP. If it were me I would purchase say two Cisco 871 routers, static IP DSL service at each location, and set up a permanent IPsec site-to-site VPN. I noticed that both locations are using the same subnet. You will have to change one location's subnet.
 
Given that both sites get their IP's & Subnets Dynamically from the ISP, how can I change the Subnet on one of the sites?

I plan on getting 2 X Linksys Routers..

Thanks
 
The 192 IP address is being assigned by a DHCP server in the DSL box or the Windows Server. One of the subnets will need to be 192.168.2.X
 
This FAQ may do the trick as well:


How do I set up LAN to LAN VPN with Linksys VPN routers?
faq463-4433
Posted: 14 Nov 03

The Linksys VPN routers BEFVP41 and BEFSX41 are great devices for setting up LAN to LAN VPNs quickly and easily. The VP41 allows up to 70 VPN links, the SX41, 2

In a static IP environment setting up the VPN links is straightforward. Go to the VPN tab on the router setup and follow the Linksys instructions on creating the VPN

For sites with one or both (or multiple) dynamic IP addresses, it is only slightly more complex.

Firstly go to register there(FREE) and (preferably from the site that has a dynamic IP address) create an account name for your dynamic IP address location for example: companyname.dyndns.org. If you have multiple dynamic IP sites, register one for each of them.

At the Linksys VPN router at the dynamic IP site click on the Advanced tab and select the DDNS tab. Enter the details of your Dyndns account, click Apply and you are set to go. This gives you a Fully Qualified Domain Name which you can use for your VPN. When the IP address of the dynamic location changes, it updates dyndns and there is no (minimal?) interruption in your VPN link.

This is also useful for anything else, for example if you want to run remote desktop or terminal services or a web server.

Thereafter it is a case of creating the VPN tunnels on both routers (REMEMBER to click Apply when you have entered all the details BEFORE you click on Connect!) - at the dynamic IP site router, connect to the static IP address of the other router, at the static address site, use the Dyndns FQDN to resolve the address of the dynamic site.

A very useful tip - make sure you have strong passwords on both routers and then enable remote management. In this way you then have access to the routers from anywhere and you can work on setting up the tunnel on both routers simultaneously. While you are setting it up, you might have to get someone at the dynamic IP site to look at the router's status page to tell you what the then current IP address is, so you can get in there and set up the DDNS

NOTE: to access the router, use http://IP address OR FQDN:8080 - this will give you your remote router's logon (only if remote management is turned on)
 
I have two static IP addresses that I've gotten from my ISP. I have two BEFSX41 Linksys Routers.

When configuring the Router, I enter the two static IP's under the Configuration section. Will I then be able to administer the Routers remotely if I type the static IP into a browser? The reason I ask is that the Routers are in a different location and it would be far easier if I could do the configuration from here.

Thanks
 
I have the Host PC Ethernet Adapter connected to Port 1 on the Linksys BEFSX41. The Linksys has an Ethernet cable plugged into Port 1 on the Netopia Cayman 3346 from 'Internet' Port on the Linksys Router.

I went into the config page for the Linksys Router and tried both the Static IP section & the Dynamic section.

Under static, I entered in the Static IP provided by my ISP, plus the Gateway & DNS servers given by my ISP. I created a DHCP scope and entered in a local IP for the Router.

I powered Router & PC off, held reset on the router for 40 seconds, rebooted the PC, but the PC can't pick up a DHCP address when set to Dynamic and when I set the PC to a manual config, it can't browse the internet or connect to any network shares.

As soon as I unplug the Linksys Router and plug the Netopia router into the pc, Internet access & Network browsing works fine.

The Netopia Router is in 'Bridge' mode.

Any ideas?

Thanks.
 
I had the config guide already and followed it to the letter. The state of play at the moment is:

When I plug in the network switch into the Linksys Router and then issue IPCONFIG /release & then /renew - the Linksys issues DHCP addresses to all clients.

I can browse Network shares getting a DHCP addy from the Linksys.

I can't connect to the Internet - settings are correct as per the config guide.

Netopia router is connected from a LAN port on Netopia to the Internet port on the Linksys router.

PC Nic is connected to a LAN port on the Linksys.

Network switch is patched directly into LAN port on Linksys.

There is a File Server with an IP addy of 192.168.1.250, its Gateway is 192.168.1.1 - which is the Local address of the Linksys - does this cause a problem?

In the 'Status' page of the Linksys configuration - it has a valid IP - 192.168.1.28, its Gateway is 192.168.1.254, Subnet is 255.255.255.0 and the DNS Servers are ISP provided - 213.94.190.194 & 213.94.190.236.

So basically everything is working when the Linksys is setup apart from Internet - can anyone suggest anything?

I spent six hours on the phone to support in India yesterday and I'm a broken man...

Thanks
 
VPN on both sites is now in status 'connected', but neither site can access the other nor ping the WAN address of the remote Linksys.

Details:

Local security Group on both sites is the internal Linksys address with a zero on the end instead of one - 192.168.1.0 etc

Remote Security Group on both sites is the internal Linksys address from the remote site - 192.168.2.0

Remote Security Gateway is the WAN address of the Linksys from the remote site

Tunnel name is the same on both sites, pre-shared key is the same and all other settings are the same

All clients on both sides are getting addresses dynamically, can connect to network shares in their own site and can connect to the net.

Any ideas why the two sites can't see one another?

Thanks
 
i have a linksys vpn setup between my location and my two brothers networks. (three befsx41 routers)

my first troubleshooting suggestion/question is can you ping the remote vpn's ip address? example: 192.168.1.1 should be able to ping 192.168.2.1 when the tunnel is connected.

if you can ping the remote vpn router, but can't ping remote hosts, check to see if you have any firewalls running on the remote hosts. my guess is that the firewall is blocking the icmp requests from the remote end. hope this helps.
 
just for clarification, you do have each remote network on a separate ip subnet right?

example:
vpn "a" = 192.168.1.1
vpn "b" = 192.168.2.1
vpn "c" = 192.168.3.1

each network must be on a separate subnet to allow browsing across the vpn. then on each network the local security group should be your local subnet (192.168.1.1) and on the remote side it should be the remote subnet (192.168.2.1)

if both your networks are on the same subnet it won't allow you to distinguish between local and remote networks.
 
Got it working, thanks everyone for the help
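
The settings that came up in this thread (a separate subnet per site, mirrored local and remote security groups, the peer's WAN address as remote security gateway) can be checked on paper before touching either router. The sketch below is an added example, not part of the original posts or any Linksys tooling; `site`, `check_tunnel` and the dictionary keys are hypothetical names, and the public WAN addresses are constructed from documentation ranges.

```python
import ipaddress


def site(name, wan_ip, local_group, remote_group, remote_gateway, psk):
    """One router's tunnel settings (hypothetical field names)."""
    return dict(name=name, wan_ip=wan_ip, local_group=local_group,
                remote_group=remote_group, remote_gateway=remote_gateway, psk=psk)


def check_tunnel(a, b):
    """Return a list of findings for a two-site tunnel; empty means consistent."""
    findings = []
    lan = {s["name"]: ipaddress.ip_network(s["local_group"]) for s in (a, b)}
    # Identical or overlapping LANs: hosts cannot tell local from remote.
    if lan[a["name"]].overlaps(lan[b["name"]]):
        findings.append(f"overlap: {lan[a['name']]} and {lan[b['name']]}")
    for near, far in ((a, b), (b, a)):
        name = near["name"]
        # The remote group on one router must be the local group of the other.
        if ipaddress.ip_network(near["remote_group"]) != lan[far["name"]]:
            findings.append(f"{name}: remote group does not match peer LAN")
        gateway = ipaddress.ip_address(near["remote_gateway"])
        if gateway != ipaddress.ip_address(far["wan_ip"]):
            findings.append(f"{name}: remote gateway is not the peer WAN address")
        # A WAN address inside the router's own LAN range cannot be routed.
        if ipaddress.ip_address(near["wan_ip"]) in lan[name]:
            findings.append(f"{name}: WAN address falls inside its own LAN")
    # Report a key mismatch without ever printing the key itself.
    if a["psk"] != b["psk"]:
        findings.append("psk: pre-shared keys differ")
    return findings


# Constructed sample: both sites on 192.168.1.x, site-1 WAN behind the modem.
BEFORE = (
    site("site-1", "192.168.1.28", "192.168.1.0/24", "192.168.1.0/24",
         "198.51.100.20", "example-key"),
    site("site-2", "198.51.100.20", "192.168.1.0/24", "192.168.1.0/24",
         "203.0.113.10", "example-key"),
)
# Constructed sample: site-2 renumbered to 192.168.2.x, static WAN on both.
AFTER = (
    site("site-1", "203.0.113.10", "192.168.1.0/24", "192.168.2.0/24",
         "198.51.100.20", "example-key"),
    site("site-2", "198.51.100.20", "192.168.2.0/24", "192.168.1.0/24",
         "203.0.113.10", "example-key"),
)

if __name__ == "__main__":
    for label, pair in (("before", BEFORE), ("after", AFTER)):
        print(label, check_tunnel(*pair) or "consistent")
```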
 