Archived from groups: comp.dcom.vpn

 

Hi, I have an interesting problem

I have 81 routers with private subnets behind them

192.68.x.x/24


I would like them all to be able to communicate over a public network
with each other. The routers are capable of doing ipsec (but only 40
tunnels.)

They can also act as pptp and l2tp servers.


I have a windows 2000 server in the middle to be a hub.

The problem is I can not get all the networks talking to each other.
The 2k server can talk with them all and the networks can all talk
with the 2k server.

I just can not wrap my brain around the problem enough to get
them to use the 2k server as their hub. The problem is the routers
have been hobbled somewhat by not allowing static routing to be put on
the WAN connection. Routes can only be added to the clean side.

I can use the 2k server as a router and even install extra nics, but I
just can't seem to get it all to work. I had (somehow) gotten my test
bed of 3 routers and a 2k server to talk altogether, but they stopped
suddenly without my doing anything. I can't duplicate the success.

I have tried everything I can think of. This would be so much easier
if I could just route everything through the vpn tunnels.


Is what I am trying to do possible? (I thought it was, even though the
routers are hobbled as they are, but now I am unsure.)

thanks
dex

The routers are supposed to be able to do rip, but the 2k server never
receives any replies. The routers are dlink 804hv's (not my choice for
this type of thing, unavoidable, but I keep thinking it should work.)


Archived from groups: comp.dcom.vpn

 

I have no idea about your environment (and actually I wouldn't sleep very
well with an MS-machine running IPSEC through public internet) but if you
can summarize your subnets by 192.168.0.0 /16 it might be possible to
establish tunnels with "left side"= 192.168.x.0/24 = LAN and "right side"
= 192.168.0.0 /16 on the remote routers. If you have some more networks on
the W2k-side you can build some extra tunnels from the remote-side to the
W2k-machine.

Tunnels are cheap.

--
Regards,
Tobias.


Archived from groups: comp.dcom.vpn

 

I do this all the time. Let me add to what Tobias said and illustrate with an example of a remote branch location's configuration:
Remote Tunnel Endpoint: 192.0.2.22 <- Public IP of W2K box
Remote Member Format... Subnet
Remote Member Address: 192.168.0.0
Remote Member Mask: 255.255.0.0
Local Member Format... Subnet
Local Member Address: 192.168.123.0
Local Member Mask: 255.255.255.0
Address Translation Enabled: No

So the subnet of the local side of the tunnel from the branch perspective is 255.255.255.0 and the remote side is 255.255.0.0. This tells the router to send anything that starts with 192.168 which is not local over to the W2K endpoint. On your W2K machine you do the opposite on all your tunnels and the traffic from one remote site to another will loop through the central hub location.

Note:
If you require more than 255 remote locations then you will probably want to switch to the 10.x.x.x group of private addresses so that you can grow to 65535 remote locations under this model.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike.newsgroup@-deletethispart-.upcraft.com)


"Tobias Crefeld" <tc-jus@onlinehome.de> wrote in message news:9AZmp5x4xVB@tc-jus.onlinehome.de...
>
> I have no idea about your environment (and actually I wouldn't sleep very
> well with an MS-machine running IPSEC through public internet) but if you
> can summarize your subnets by 192.168.0.0 /16 it might be possible to
> establish tunnels with "left side"= 192.168.x.0/24 = LAN and "right side"
> = 192.168.0.0 /16 on the remote routers. If you have some more networks on
> the W2k-side you can build some extra tunnels from the remote-side to the
> W2k-machine.
>
> Tunnels are cheap.
>
> --
> Regards,
> Tobias.
>
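The selector arrangement Mike describes (branch: local /24, remote 192.168.0.0/16; hub: the opposite for every branch) can be checked on paper with a small model of IPsec policy lookup. The following Python is an added example written for this thread, not code from the original posts or from any D-Link or Windows 2000 product. It assumes a hypothetical topology: the hub endpoint 192.0.2.22 from Mike's post, constructed branch endpoints in 198.51.100.0/24, a hub LAN of 192.168.0.0/24, and a simplified "longest remote prefix wins" policy selection. It traces a packet from one branch LAN to another through the hub, and contrasts that with the narrower policy (remote selector = hub LAN only) that produces exactly the symptom in the first post: every site reaches the hub, no site reaches another site. It does not model whether the hub actually has IP forwarding enabled, which a real deployment also needs.

```python
"""Hub-and-spoke IPsec selector model (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One tunnel policy: 'Local Member' selector, 'Remote Member' selector, peer endpoint."""
    local: IPv4Network
    remote: IPv4Network
    peer: str


@dataclass
class Device:
    name: str
    endpoint: str          # public tunnel endpoint address
    lan: IPv4Network       # the subnet directly behind this device
    policies: list = field(default_factory=list)

    def select(self, src: IPv4Address, dst: IPv4Address):
        """Pick the policy whose selectors cover (src, dst); most specific remote wins."""
        matches = [p for p in self.policies if src in p.local and dst in p.remote]
        return max(matches, key=lambda p: p.remote.prefixlen) if matches else None


SUMMARY = ip_network("192.168.0.0/16")      # summary prefix from Tobias's and Mike's posts
HUB_IP = "192.0.2.22"                       # hub endpoint from Mike's post
HUB_LAN = ip_network("192.168.0.0/24")      # assumed hub LAN (hypothetical)
SPOKES = {                                  # constructed branch endpoints and LANs
    "spoke-a": ("198.51.100.1", "192.168.1.0/24"),
    "spoke-b": ("198.51.100.2", "192.168.2.0/24"),
    "spoke-c": ("198.51.100.3", "192.168.123.0/24"),
}


def build_mesh(spoke_remote_selector: IPv4Network = SUMMARY):
    """Build hub + spokes. Each spoke gets one tunnel to the hub with the given
    remote selector; the hub gets the mirror image of every spoke's policy."""
    hub = Device("hub", HUB_IP, HUB_LAN)
    devices = {"hub": hub}
    for name, (endpoint, lan) in SPOKES.items():
        spoke = Device(name, endpoint, ip_network(lan))
        spoke.policies.append(Policy(spoke.lan, spoke_remote_selector, HUB_IP))
        hub.policies.append(Policy(SUMMARY, spoke.lan, endpoint))
        devices[name] = spoke
    return devices


def trace(devices, origin: str, src: str, dst: str, max_hops: int = 4):
    """Follow a packet from the device named `origin` until it lands on the LAN
    holding `dst`, or until no policy covers it."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    current = devices[origin]
    path = [origin]
    for _ in range(max_hops):
        if dst_ip in current.lan:            # "anything not local" goes into a tunnel
            return path, "delivered"
        pol = current.select(src_ip, dst_ip)
        if pol is None:
            return path, "no matching policy"
        current = next(d for d in devices.values() if d.endpoint == pol.peer)
        path.append(current.name)
    return path, "hop limit exceeded"


def tunnel_counts(devices):
    """Tunnels per device: spokes stay at one regardless of how many sites exist."""
    return {name: len(d.policies) for name, d in devices.items()}


if __name__ == "__main__":
    summary = build_mesh()
    print(trace(summary, "spoke-a", "192.168.1.10", "192.168.2.10"))
    print(tunnel_counts(summary))
    narrow = build_mesh(spoke_remote_selector=HUB_LAN)
    print(trace(narrow, "spoke-a", "192.168.1.10", "192.168.2.10"))
    print(trace(narrow, "spoke-a", "192.168.1.10", "192.168.0.5"))
```

In the summarised mesh the branch-to-branch packet goes spoke-a, hub, spoke-b and is delivered, and every branch holds exactly one tunnel, which is why the 40-tunnel limit on the branch routers stops mattering. In the narrow mesh the same packet finds no policy on spoke-a while packets for the hub LAN still work. What a router does with an unmatched packet is device-specific; it is worth confirming that such traffic is dropped rather than sent out the WAN interface unencrypted.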
