
Cheap Site to Site VPNs?

BirdOPrey5

Staff member
Administrator
VIP
Recommendations for some sort of VPN Routers that can be setup to be a site to site VPN?

I will need to make a remote office for the day where I can join some computers to our Active Directory domain- way back when they used some old Linksys routers to do this but they're gone now and wondering if there was any recommendations for setting this up?

I'd buy two, wire one in to the domain on this side with direct access to the internet, and another of the same type from a remote location... I don't want to bother with our ISA server since it's only a temporary connection.
 

eysdan

WTF?
VIP
Linksys does sell routers that can handle site to site VPNs. Cisco's ASA 5505 can be had for cheap if you want something higher end. Easy to configure. There is also a checkpoint sbox that is about the same cost as the ASA.
 

BirdOPrey5

Staff member
Administrator
VIP
OK... so got two of the VPN routers above in, setup, and established a VPN Tunnel from the main network to an old DSL line we don't use anymore... (simulating a branch office)

However after the VPN Tunnel is connected I can't ping any machines on the other side of it but the actual endpoints of the tunnel....

In the main office say we are on 192.168.1.x and the branch is on 192.168.5.x

In the main office since internet traffic is handled by an ISA server the DHCP abilities of the router were shut off, it was given a manually assigned local 192.168.1.x address and its WAN connection bypassed ISA and was given an external IP 'directly' connected to the Internet.

At the branch site the DHCP was kept on and the subnet mask was made different than the main office, just in case.

I know there's some routing that needs to be setup somewhere, but I've been googling all morning and can't figure out what I need to setup where... I did my favorite method - trial and error - on the vpn routers and even the ISA server and none of that seemed to make any difference...

If the computers in the fake branch office are going to be able to join the domain at the main office they need full access as if they were locally connected... I even tried making both VPN endpoints on the same IP / subnet range but that caused an error and then no connection at all.

Any ideas on where I begin getting this to work?
 

eysdan

WTF?
VIP
You can't have the same networks on both sides. Change the remote end to 172.16.20.x/24 and it should work.
 

BirdOPrey5

Staff member
Administrator
VIP
Even the first numbers can't be the same? :puzzled:

I had one setup as 192.168.1.x and one as 192.168.5.x and 255.255.255.0 for one and .252 for the other.

But even so, I changed the remote to 172.16.20.1 and 255.255.255.224 for the subnet and got the same results.
 
Even the first numbers can't be the same? :puzzled:

I had one setup as 192.168.1.x and one as 192.168.5.x and 255.255.255.0 for one and .252 for the other.

But even so, I changed the remote to 172.16.20.1 and 255.255.255.224 for the subnet and got the same results.
By 252 do you mean 255.255.252.0 or 255.255.255.252?

What is the gateway IP at each end (internal, not external/internet side)?

What do you have setup for your default gateway on a machine in a branch office?

edit: are you able to get in the internet from a branch office?
 

BirdOPrey5

Staff member
Administrator
VIP
I mean 255.255.255.252 - it's not even something I can manually enter on this Linksys VPN router, it's a dropdown box, all of them begin with 255.255.255.

For the branch office the gateway IP is the same as the VPN router, in their case it was originally 192.168.5.1 though now it's 172.16.20.1

For the main office the gateway IP is not the same as the VPN router, it's 192.168.1.10 (our ISA server) and the VPN Router is 192.168.1.20

From the branch office internet is working just fine, in fact it is where I am posting this from.
 

eysdan

WTF?
VIP
Even the first numbers can't be the same? :puzzled:

I had one setup as 192.168.1.x and one as 192.168.5.x and 255.255.255.0 for one and .252 for the other.

But even so, I changed the remote to 172.16.20.1 and 255.255.255.224 for the subnet and got the same results.
Ran into that issue at another client and changed the network which cleared up the issue. Thankfully it was a small/new warehouse.

Are you defining the interesting traffic? You should be using /24 at both locations.
 

BirdOPrey5

Staff member
Administrator
VIP
Ahhh, yeah... set them both to 255.255.255.0 and had no help...

Just so everyone is following-

Main office now at 192.168.1.x and 255.255.255.0
Branch at 172.16.20.x and 255.255.255.0

When I tracert from a branch computer to the endpoint at the main office it of course shows hop1 as the 172.16.20.1 and the second as 192.168.1.20 (the endpoint)...

But when I tracert to another computer, say 192.168.1.15, it stops right after 172.16.20.1 - like it doesn't know it needs to go through 192.168.1.20 to get to .15
 

eysdan

WTF?
VIP
Do you have a route on the 192.168.1.x router that tells it where to go with that traffic?

Can you ping 172.16.20.1 from 192.168.1.1 (or whatever the IP of the router is)
 

BirdOPrey5

Staff member
Administrator
VIP
No, that is what I'm trying to make but I must be doing something wrong...

There is a static routing section in 'advanced routing' on each Linksys...

On the branch office one and on the main office I tried these settings:

Destination IP: 192.168.1.x
Subnet Mask: 255.255.255.0
Default Gateway: tried 192.168.1.10 (ISA), 1.20 (Router Endpoint)
Hop Count: tried 1, 2, 3... didn't seem to make any difference
Interface: tried both options, LAN and WAN
 

BirdOPrey5

Staff member
Administrator
VIP
Yes, will check it out...

In the mean time starting from scratch again I have this-

From any of the computers in the main office that I change their default gateway to the VPN router IP address, I can ping all the computers in the Branch office... and from the Branch office I can ping any of the computers in the main office that have their default gateway as the VPN router. (In the Branch office every computer has their gateway the same as the VPN router b/c it's the only gateway)

The problem is that the main office most computers aren't, and can't, have their gateway set to be the VPN router because they need to use ISA server... I'm trying to find a way, I'm guessing it's on ISA server now, that will forward requests to the VPN Router instead of externally...
 

Frank Grimes

MarkR is obsessed with me
Ultra-Premium
Yes, will check it out...

In the mean time starting from scratch again I have this-

From any of the computers in the main office that I change their default gateway to the VPN router IP address, I can ping all the computers in the Branch office... and from the Branch office I can ping any of the computers in the main office that have their default gateway as the VPN router. (In the Branch office every computer has their gateway the same as the VPN router b/c it's the only gateway)

The problem is that the main office most computers aren't, and can't, have their gateway set to be the VPN router because they need to use ISA server... I'm trying to find a way, I'm guessing it's on ISA server now, that will forward requests to the VPN Router instead of externally...
You need to create a route for that traffic. I am not familiar with ISA or I would take a shot at it.
 

BirdOPrey5

Staff member
Administrator
VIP
OK I'm halfway there...

I had to run a command on ISA 2006 (as well as add the 172 range as local on ISA)

On ISA command prompt I ran

Route add 172.16.20.0 mask 255.255.255.0 192.168.1.20 metric 1

Now I can ping all the branch computers from all the main office computers...
:pirtate:

However, the main issue, I still can't ping the main office computers from the branch computers...

There obviously has to be the Linksys version of the reverse of that route statement... I'm looking for that now. :crossfingers:
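
Added example (not part of any post in this thread): a small Python model of the next-hop decisions for the main-office topology described above, showing why traffic for 172.16.20.0/24 leaves through ISA until the route is added there. The branch target 172.16.20.50, the device labels and the function names are assumptions made for illustration; only routing tables are modelled, not ISA firewall policy.

```python
import ipaddress

def table(*entries):
    """Build a routing table from (CIDR, next hop) pairs."""
    return [(ipaddress.ip_network(cidr), hop) for cidr, hop in entries]

def next_hop(routes, dst):
    """Longest-prefix match: next hop of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(tables, start, dst, limit=8):
    """Follow next hops from device `start` until a terminal hop is reached."""
    path, device = [start], start
    for _ in range(limit):
        hop = next_hop(tables[device], dst)
        path.append(hop)
        if hop not in tables:      # "on-link", "tunnel", "internet" or None
            break
        device = hop
    return path

# Addresses taken from the thread; 172.16.20.50 below is a constructed target.
MAIN_LAN = ("192.168.1.0/24", "on-link")
ISA, VPN = "192.168.1.10", "192.168.1.20"

def main_office(host_gateway, isa_has_branch_route):
    """Routing tables of a main-office host, the ISA server and the VPN router."""
    isa = [MAIN_LAN, ("0.0.0.0/0", "internet")]
    if isa_has_branch_route:
        # Same effect as: route add 172.16.20.0 mask 255.255.255.0 192.168.1.20
        isa.append(("172.16.20.0/24", VPN))
    return {
        "host": table(MAIN_LAN, ("0.0.0.0/0", host_gateway)),
        ISA: table(*isa),
        VPN: table(MAIN_LAN, ("172.16.20.0/24", "tunnel"), ("0.0.0.0/0", "internet")),
    }

def path_to_branch(host_gateway, isa_has_branch_route, dst="172.16.20.50"):
    """Hops a main-office host's packet takes toward a branch address."""
    return trace(main_office(host_gateway, isa_has_branch_route), "host", dst)

if __name__ == "__main__":
    print(path_to_branch(ISA, False))  # gateway is ISA, no branch route on ISA
    print(path_to_branch(ISA, True))   # after the route add on ISA
    print(path_to_branch(VPN, False))  # host gateway pointed at the VPN router
```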
 