
VPN setup I can ping...now what?

Status
Not open for further replies.

KThug (MIS), Oct 15, 2002, US
I have just set up a VPN connection between two Netscreen firewalls following the LAN-LAN configuration. I can ping inside each of the trusted areas. So now what, how can I add client machines to the domain that come through the VPN? Do I need a domain controller in the remote area? How would I set up the clients to see the Exchange server? Lots of questions,

thanks
 
I am in the process of doing the same thing and have not yet gotten as far as you but, here is what I was planning.

I am guessing you are using Active Directory...?

First try pointing the remote computers at your DNS. I have gotten that to work in the past. I am planning on running a DNS server on both sides of the VPN without the BDC on the remote side. I have been told that works pretty well.

Hope this helps
 
Feather in your cap for getting this piece to work. Now the fun really begins! With the link set up properly, the users should be able to see the Exchange server. How big is this user base? Can you do it all (both ends) with one class C range of addresses (split up for each end of course)?

There are many issues to be resolved, but having a DC with DNS at both ends is a good idea from a performance standpoint. Be careful about how often you make the DCs sync, as it can create a lot of bandwidth use over the link. This is probably not an issue over a high-speed link like DSL or T-1, but is a problem with a dial-up link.

You have not said anything about the use of DHCP or whether the address ranges at both ends are the same, but these are major issues to resolve.

Are the LANs on the user sides using the same IP range, and if so, how are you planning to prevent duplicate IP assignment, especially if DHCP is being used? Do you have users physically moving back and forth between the two ends? If the ends are different IP ranges, then you need to set ranges correctly to avoid conflict. I would suggest setting the DNS servers at each end to look first to themselves, and next to the DNS server at the other end, then to an external DNS source if external access is also used, since most traffic will be end to end, not end to external.

Good luck, and have fun.

David
 
Your vpn should be receiving dhcp options, as well as an ip address, from your vpn server, including the address to your dns. The dns holds the key to contacting your servers through the service records held there. I would verify you can not only ping by ip address but ping by the fully qualified domain name of your server... i.e. ping server1.domain.com.

Your client should be getting the service records from your DNS when you join it to the domain. The only glitch I can see is the reboot required after it joins. Windows 2000 does give you the option of logging on by dialing up (advanced option, check box). You should be able to select your VPN as the connection and log onto the domain this way. I've not tried it, but it's something you can try.
 
Thanks for the quick responses. The remote network is a 10.1.3.0/24 network and the corporate LAN is of the 172.16.0.0/16 variety. Anyway, there will only be 5-10 remote users in this LAN-to-LAN (lan-lan) VPN. And the VPN appliance is also serving as a DHCP server. I did not have any plans to put a DC or a DNS server at the remote site. I have been told that I would need to set up DNS entries to first point to a DNS server on my corporate LAN, then use the DNS entries of the ISP where the remote VPN appliance is. Is this true? Plus, what is the procedure for adding machines to the domain from the remote site? I am missing a piece of the puzzle, I think.
 
I am not using a Microsoft VPN server. Should I? So far, the setup is just using the VPN appliances and I can ping the two separate networks from each other. I am just trying to figure out how to make this remote site act like the rest of the network and route accordingly.
 
What do you need to do over this VPN link? As I understand from your description, you have two VPN boxes that either connect to the Internet or to a dedicated line of some kind. It appears these VPN boxes are also providing DHCP to each end??

Are these VPN boxes also the gateways for your two networks to the Internet? Does each end have its own Internet access route, different from these VPN boxes, or are you intending to provide the remote users Internet access via the Corporate end? Note, that being able to ping these two VPN boxes from each other does not imply that a VPN link is established, only that the two boxes can see each other across the link (assuming they have fixed, real Internet addresses, and can also see a DNS server on the Internet somewhere). Now being able to browse on the other end network is a different story and that implies the link is up!

Do you need all your remote users to be able to see and browse the corporate end (and maybe the reverse?), or do the remote users just need to find some specific servers at the Corporate end?

You could provide an LMHOSTS file to the remote users with the corporate end points, if they are fixed IP addresses; otherwise you need to set up DNS at the remote end, or at least a DNS relay server at that end, so the remote users will be able to access the corporate DNS to resolve the current addresses of the destinations they need to get to.

David
 
David, thanks for posting.

Our corporate LAN has an Active Directory structure with Exchange, DNS, DCs, file servers, and web servers. The VPN is to be used to allow users from halfway across the country to access the network. This will be a permanent fix for that work group. My main focus here is to find out what else I need out at the remote site to have it all work transparently to the user.
 
"So far, the setup is just using the vpn appliances"

So I'm assuming you are using two routers connected to the internet (possibly through a cable modem or something) and you can ping the public ip of each from the other location.

"I have just set up a VPN connection between two Netscreen firewalls following the Lan-Lan configuration"

You have created the VPN tunnel between the two, correct? A tunnel between the routers really simplifies joining the clients to the domain.

"I can ping inside each of the trusted areas."

Sounds good so far. I take it you can ping a computer at corporate from the remote location. Now for a few questions.... Is the vpn appliance handling the dhcp for your remote area that contains your 5 workstations? If yes, is it also handing out the options like default gateway, dns server (can it hand out more than one dns server address?), wins server addresses? If the hardware isn't capable, you can enter this information statically on the clients.

"the remote network is a 10.1.3.0/24 network and the corporate lan is of the 172.16.0.0/16 variety"

Being on separate subnets is acceptable but some routing is involved here. You'll need to use a routing protocol on the routers or manually add static routes to your router hardware at both ends. The default gateway given to your computers should be the private address of your router, and it will know how to forward them through the routes you add through the VPN. This way each subnet will know how to contact the other. I assume you've already done this because you said you can contact the other private network. If you can ping a computer (i.e. your server) from the remote location and get a response, then you are doing well here.

How about pinging by the fully qualified domain name of your server from the remote client? Type ipconfig /all on one of your clients to see what type of TCP/IP information it holds. One of the DNS servers should be your private DNS server at corporate.

If you can get ahold of the dns server at corporate, then you are really in great shape. Join your clients to the domain. On reboot, log onto the network. Your vpn should handle joining your two networks together with no problems.
 
OK... looks like I got it all figured out. I can ping internal machines on both sides. I was able to join a client machine to the domain this morning so I feel pretty good about that. Thanks for all the replies. One thing I would like to point out for those who are going this route: make sure that the first DNS server in the list on the remote clients is the one inside your corporate LAN. Also, make sure that you have all your corporate routes correct. We have a VLAN here that was routing the return packets out a different route rather than back to the firewall. I based this on the fact that I could ping the remote clients just fine but could not ping the corporate internal clients. I took a workstation at corporate and reconfigured the gateway to point at the firewall instead of the VLAN router, and suddenly it worked. I had to make the same change to a DNS server to be able to ping the corporate LAN by fully qualified name. I still have some work to do with the routing table of the VLAN router, but at least I got the VPN up and running. Thanks for all the replies.
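Two points in this thread lend themselves to a worked check: the static-route advice a few posts up (each subnet's gateway must know the way to the other subnet through the tunnel) and the asymmetric return-route problem in the final post (forward packets arrive, but a corporate host whose gateway is the VLAN router sends the replies elsewhere). The script below is an added example written for this page, not code from the thread or from Netscreen. It models the thread's two subnets (10.1.3.0/24 and 172.16.0.0/16) with constructed, longest-prefix-match routing tables for each hop, traces a packet in both directions, and also checks the DNS-order rule from the last post. All hop names and the DNS/ISP addresses are assumptions, not values from a real site.

```python
"""Model of the thread's two-site VPN: route tracing in both directions
plus the 'corporate DNS first' check. Constructed example; all node
names, routing tables and addresses are assumptions."""
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("10.1.3.0/24")    # the thread's remote site
CORP_NET = ip_network("172.16.0.0/16")    # the thread's corporate LAN
ANY = ip_network("0.0.0.0/0")
CORP_DNS = "172.16.0.10"                  # assumed corporate DNS/DC address
ISP_DNS = "192.0.2.53"                    # assumed ISP resolver (documentation range)


def lookup(table, dst):
    """Longest-prefix match of dst against [(network, next_hop), ...].
    Returns the next-hop label, or None when no route matches (drop)."""
    dst = ip_address(dst)
    matches = [(net, nh) for net, nh in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(tables, start, dst, max_hops=8):
    """Follow next hops from node `start` toward IP `dst`.
    Returns (path, delivered); the label 'local' means the hop delivers on-link."""
    path, hop = [start], start
    for _ in range(max_hops):
        nh = lookup(tables.get(hop, []), dst)
        if nh is None:
            return path, False          # dropped: no route at this hop
        if nh == "local":
            return path, True
        path.append(nh)
        hop = nh
    return path, False                  # loop or too many hops


def round_trip(tables, client_node, client_ip, server_node, server_ip):
    """Forward and return reachability; a missing return route shows up
    as (True, False), exactly the symptom described in the final post."""
    _, fwd = trace(tables, client_node, server_ip)
    _, ret = trace(tables, server_node, client_ip)
    return fwd, ret


def dns_order_ok(dns_servers, corp_net=CORP_NET):
    """The first resolver handed to a remote client must sit inside the
    corporate LAN, so AD service records resolve before the ISP is tried."""
    return bool(dns_servers) and ip_address(dns_servers[0]) in corp_net


# Constructed tables. 'internet' carries no routes for RFC 1918 space, so
# a private-destination packet that leaks there is dropped.
BROKEN = {
    "remote-client": [(REMOTE_NET, "local"), (ANY, "remote-fw")],
    "remote-fw": [(REMOTE_NET, "local"), (CORP_NET, "corp-fw"), (ANY, "internet")],
    "corp-fw": [(CORP_NET, "local"), (REMOTE_NET, "remote-fw"), (ANY, "internet")],
    "corp-host": [(CORP_NET, "local"), (ANY, "vlan-router")],   # gateway is the VLAN router
    "vlan-router": [(CORP_NET, "local"), (ANY, "internet")],    # no route back to 10.1.3.0/24
    "internet": [],
}


def fix_vlan_router(tables):
    """The durable fix: give the VLAN router a static route for the remote
    subnet via the firewall, instead of repointing each host's gateway."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed["vlan-router"].append((REMOTE_NET, "corp-fw"))
    return fixed


if __name__ == "__main__":
    for label, tables in (("broken", BROKEN), ("fixed", fix_vlan_router(BROKEN))):
        fwd, ret = round_trip(tables, "remote-client", "10.1.3.20", "corp-host", CORP_DNS)
        path, _ = trace(tables, "corp-host", "10.1.3.20")
        print(f"{label}: forward={fwd} return={ret} return path={' -> '.join(path)}")
    print("dns order ok:", dns_order_ok([CORP_DNS, ISP_DNS]))
    print("subnets overlap:", REMOTE_NET.overlaps(CORP_NET))
```

Running it shows the broken tables deliver the forward packet but drop the reply at the VLAN router's default route, while adding the single static route restores the round trip; swapping the DNS list order flips the DNS check, and the overlap test confirms the two sites' address ranges do not collide.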
 