
VPN noob - best way to set up LANs in site-to-site environment?


PPettit

IS-IT--Management
Sep 13, 2003
511
US
I have never set up VPN connections before and I'm hoping that someone can help me figure out what I need to do on the LAN side of things. I'll figure out the router configuration when the time comes.

Here's the deal: I intend to have all of my remote offices connect to my main office via site-to-site connections. Mobile users would connect via a client. I would like for members of one network to have access to resources on one or more of the other networks via the VPN connection.

Assuming that I would run into problems if each office was using a similar addressing scheme (such as 192.168.1.x), I was thinking that I would need to set up unique addressing schemes like so:
192.168.1.x Main office
192.168.2.x Remote A
192.168.3.x Remote B
192.168.4.x Mobile users
etc.

Is this even the right thing to do? Is there some other setup that makes more sense?

Also, for each device that wants to access resources on one of the other networks, its subnet mask should be 255.255.0.0, right?
 
your addressing scheme is correct. as far as subnet mask, most will typically roll with a /24 (255.255.255.0) depending on client requirements.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
My understanding is that if a machine is set up like so:
IP address: 192.168.1.100
Subnet mask: 255.255.255.0
it will be limited to devices that are on its own network (192.168.1.x)

I want that machine to be able to access the other networks as well as its own. I assumed that a subnet mask of 255.255.0.0 would allow me to access anything starting with 192.168.x.x. Is this correct, or is the ability to get from one network to the other (in a setup like mine) mostly due to how the device managing the VPN connections is configured?
 
not necessarily. a /16 mask (255.255.0.0) will limit the use of the 192.168.x.x address range to a single site. if you were to address main office 192.168.1.0/16, Remote A 192.168.2.0/16, Remote B 192.168.3.0/16, and Mobile users 192.168.4.0/16 you would never be able to communicate properly. example:
1) a client in main office has an ip address of 192.168.1.110 with a SNM of 255.255.0.0 and a gateway of 192.168.1.1
2) a server in Remote A has an ip address of 192.168.2.120 with a SNM of 255.255.0.0 and a gateway of 192.168.2.1
3) if the client in main office wanted to access a web page on the server it would first issue a DNS request (assuming the entry isn't cached).
4) a DNS reply would contain the IP address of the server. the client will look at the ip address and calculate the subnet that it belongs to.
5) the client looks in its local routing table to determine where it needs to send the traffic. the client sees a routing entry for 192.168.0.0 255.255.0.0 out its ethernet interface (for example) so it assumes that the server is connected on the same broadcast domain/network segment as it is
6) the client then issues an ARP request to get the MAC address of the server. there will never be an ARP reply because the server is actually on a completely separate network segment.

now, let's take it how it is supposed to work:
1) the client has an ip address of 192.168.1.110 with a SNM of 255.255.255.0 and a gateway of 192.168.1.1
2) the server has an ip address of 192.168.2.120 with a SNM of 255.255.255.0 and a gateway of 192.168.2.1
3) the client wants to view a web page on the server so it issues a DNS request (assuming the entry isn't cached).
4) the client receives a DNS response with an IP address of 192.168.2.120
5) the client will look in its local routing table and see that it has an entry for 192.168.1.0 255.255.255.0, miscellaneous multicast entries and loopback entries, and finally a default route of 0.0.0.0 0.0.0.0 192.168.1.1. the client can't find a specific route to 192.168.2.0 255.255.255.0 so it will want to forward the traffic to its default gateway (192.168.1.1)
6) the client sends an ARP request for the MAC address of the default gateway (if not already cached). the gateway responds
7) the client sends packets to the gateway. the gateway strips off the layer 2 header and looks at the layer 3 destination ip address. the gateway does a routing table lookup to see if it has a route to 192.168.2.0 255.255.255.0. if it does it forwards it on. if it doesn't it will send an ICMP destination network unreachable message back to the client

does this help??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
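The two walk-throughs above (the broken /16 case and the working /24 case) can be reproduced with a small simulation of a host's longest-prefix-match route lookup and the ARP step that follows it. This is an added example, not code from the thread; the physical LAN segment, the VPN tunnel peer address 10.0.0.2 and the route lists are constructed for illustration.

```python
import ipaddress

def host_routing_table(ip, mask, gateway):
    """The two routes a host derives from its interface settings: the connected
    subnet (deliver directly, ARP for the destination) and a default route."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return [(iface.network, None),
            (ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address(gateway))]

def lookup(table, dest):
    """Longest-prefix match. Returns (network, next_hop) or None if no route."""
    dest = ipaddress.IPv4Address(dest)
    matches = [(net, gw) for net, gw in table if dest in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def client_delivery(ip, mask, gateway, dest, physical_segment):
    """Steps 4-6 of the thread: which address the client ARPs for, and whether
    anything on its physical LAN segment can answer that ARP.
    physical_segment is the subnet actually present on the wire (constructed)."""
    net, gw = lookup(host_routing_table(ip, mask, gateway), dest)
    arp_target = ipaddress.IPv4Address(dest) if gw is None else gw
    kind = "on-link" if gw is None else "via-gateway"
    answered = arp_target in ipaddress.IPv4Network(physical_segment)
    return kind, str(arp_target), answered

def gateway_decision(vpn_routes, dest):
    """Step 7: the gateway forwards if it holds a route (e.g. one pointing into
    the site-to-site tunnel), otherwise it answers with ICMP net unreachable."""
    table = [(ipaddress.IPv4Network(n), ipaddress.IPv4Address(h)) for n, h in vpn_routes]
    route = lookup(table, dest)
    return "forward via " + str(route[1]) if route else "ICMP destination network unreachable"

if __name__ == "__main__":
    # Misconfigured /16 mask: the client believes 192.168.2.120 is on its own segment,
    # ARPs for it directly, and nothing on 192.168.1.0/24 can answer.
    print(client_delivery("192.168.1.110", "255.255.0.0", "192.168.1.1",
                          "192.168.2.120", "192.168.1.0/24"))
    # Correct /24 mask: the client hands the packet to its default gateway instead.
    print(client_delivery("192.168.1.110", "255.255.255.0", "192.168.1.1",
                          "192.168.2.120", "192.168.1.0/24"))
    # Gateway with a tunnel route to Remote A (constructed peer 10.0.0.2), then
    # a destination for which it holds no route at all.
    print(gateway_decision([("192.168.2.0/24", "10.0.0.2")], "192.168.2.120"))
    print(gateway_decision([("192.168.2.0/24", "10.0.0.2")], "192.168.3.50"))
```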
 
If I'm understanding everything correctly, that does appear to answer my question.

Thanks for the info.
 