Advice needed! implementing 3 office vpn

Guest
Archived from groups: comp.dcom.vpn

I need some advice on a vpn setup we're thinking of implementing.
My questions are at the bottom of this post.

Here's the scenario:
We have 3 offices and 2 remote users that need access to the 3 offices.
The 3 offices need to be connected on a seamless VPN with at least one
of the office's routers set up to facilitate remote users. Each of the
offices is currently connected to the Internet using business
(highspeed) DSL lines. The routers need to handle all the VPNing
between offices so it appears that the 3 offices are just one seamless
LAN. (We're going to be mapping drives between offices.) When a remote
user connects to any of the three offices they will get assigned an
IP in that office's range. (Example: if Office A has an IP range of
192.168.0.2-192.168.0.49, it will assign the remote user an available IP
in that range or possibly an IP from a small portion of that range
reserved for only remote users.) After the remote user has connected he
will be able to access the 3 office VPN'd "LAN".

Here's my idea for implementing this...

Replace the current routers at each office location with a Netgear
FVS318 or comparable. (http://www.netgear.com/products/details/FVS318.php)

Set up the router at Office A to have an internal IP of 192.168.0.1
Set up machines at Office A to have IPs in the range of
192.168.0.2-192.168.0.49 and the Internet gateway set as 192.168.0.1

Set up the router at Office B to have an internal IP of 192.168.0.51
Set up the machines at Office B to have IPs in the range of
192.168.0.52-192.168.0.99 and an Internet gateway address of 192.168.0.51

Set up the router at Office C to have an internal IP of 192.168.0.101
Set up the machines at Office C to have IPs in the range of
192.168.0.102-192.168.0.149 and an Internet gateway address of 192.168.0.101

Summary:
Office A
Router IP: 192.168.0.1
Machine IPs: 192.168.0.2-192.168.0.49

Office B
Router IP: 192.168.0.51
Machine IPs: 192.168.0.52-192.168.0.99

Office C
Router IP: 192.168.0.101
Machine IPs: 192.168.0.102-192.168.0.149

Now for connecting them.

There are 2 ways to do this. Office B and C can connect to A. The only
problem I see with this is that files getting transferred between Office
B and C would get routed through A.
Would it work for each router to connect to the other 2? Example:
Router A creates tunnels to B and C. Router B creates tunnels to A and
C. Router C creates tunnels to A and C.
If this setup is possible it has the advantage of being relatively "fail
safe": if Office A's connection goes down, Offices B and C can still be
connected.
The remote users will be running Netgear's VPN client software and
connecting to office A. The remote users part is not important right
now; it can be worked out later.

Ok. Congrats on reading this far! =) Here's my question: Do you see any
potential problems with this setup? Can the Netgear FVS318 routers do
this? Any comments or tips would be GREATLY appreciated.

Thanks for reading!

-RedRyder
 

picard
Apr 9, 2004

RedRyder,

Thanks for the detailed description of the scenario. It has really
helped me understand how things are supposed to work. I sure hope
somebody responds. If not, try the newsgroups at www.dslreports.com

Now for an extension of the scenario....

Assume somebody is in a hotel room that gets an IP address via DHCP on
the hotel network. The notebook has Netgear VPN01L VPN client software
on it. Could this VPN client software be configured to establish the
VPN connection independent of the IP address given by DHCP?

thanks!!

Guest

Picard: I was asking for advice on whether the Netgear VPN routers could
provide a VPN like the one mentioned in the scenario. I've seen a
similar setup before but they were using high dollar Cisco VPN routers. ;)

Quick answer to your question: yes
Detailed answer:
Let's assume the hotel is assigning IP addresses behind a NAT (network
address translation) router as opposed to assigning public IPs. (Every
hotel I've been to that provides Internet access just uses a common NAT
router.)
Because of the way IPsec-encrypted VPNs do integrity checks on the
packets this can cause problems.
They have developed a technology called "NAT traversal" that allows a
client to connect to a VPN gateway/router when they are behind a NAT
router. Here's a link if you would like to read more on the topic.

http://www.infoworld.com/articles/ne/xml/02/02/18/020218nenat.html

-RedRyder
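To make the integrity-check point above concrete, here is an added example (not from the thread or from Netgear) that models, in a deliberately simplified way, why an IPsec packet from a laptop behind a hotel NAT can fail at the office gateway and how UDP encapsulation (NAT traversal) avoids it. The key, the addresses (RFC 5737 documentation ranges) and the packet layouts are all constructed for the demo; real AH and ESP cover more header fields than the two modelled here, but the distinction shown is the real one: an AH integrity check covers the source address that the NAT rewrites, an ESP check does not, and carrying ESP inside UDP gives a port-based NAT a port to track.

```python
import hmac
import hashlib

# Constructed demo key; on a real IPsec SA the integrity key comes from IKE.
KEY = b"constructed-demo-key"

# Constructed addresses from the RFC 5737 documentation ranges.
LAPTOP_PRIVATE = "10.0.0.23"      # hotel laptop, behind the hotel NAT
HOTEL_PUBLIC = "203.0.113.7"      # hotel NAT router's public address
OFFICE_GATEWAY = "198.51.100.10"  # office VPN gateway


def ah_icv(src, dst, payload):
    """Model of an AH integrity check value: AH authenticates the immutable
    IP header fields, including source and destination address, plus the
    payload."""
    return hmac.new(KEY, f"{src}|{dst}|".encode() + payload,
                    hashlib.sha256).digest()


def esp_icv(esp_body):
    """Model of an ESP integrity check value: ESP authenticates the ESP
    header and encrypted payload only, never the outer IP header."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()


def build_ah(src, dst, payload):
    return {"src": src, "dst": dst, "payload": payload,
            "icv": ah_icv(src, dst, payload)}


def build_esp(src, dst, esp_body):
    return {"src": src, "dst": dst, "esp": esp_body, "icv": esp_icv(esp_body)}


def build_esp_udp(src, dst, esp_body, port=4500):
    """NAT traversal: the ESP packet travels inside UDP (port 4500), so a
    port-rewriting NAT has something to rewrite and track."""
    pkt = build_esp(src, dst, esp_body)
    pkt.update({"sport": port, "dport": port})
    return pkt


def nat_rewrite(packet, public_ip, public_port=None):
    """What the hotel NAT does on the way out: the private source address is
    replaced by the public one, and a UDP source port, if present, by the
    port the NAT picked for this flow."""
    out = dict(packet)
    out["src"] = public_ip
    if "sport" in out and public_port is not None:
        out["sport"] = public_port
    return out


def nat_can_track(packet):
    """A plain port-based NAT multiplexes hosts by transport port. Bare AH
    and ESP carry no ports, so such a NAT cannot map replies back to the
    laptop (unless it implements a vendor-specific 'IPsec passthrough')."""
    return "sport" in packet


def verify_ah(packet):
    expected = ah_icv(packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(packet["icv"], expected)


def verify_esp(packet):
    return hmac.compare_digest(packet["icv"], esp_icv(packet["esp"]))


def hotel_scenario():
    """Send one packet of each kind from the laptop through the hotel NAT and
    report what the office gateway sees."""
    payload = b"constructed inner packet"
    ah = nat_rewrite(build_ah(LAPTOP_PRIVATE, OFFICE_GATEWAY, payload), HOTEL_PUBLIC)
    esp = nat_rewrite(build_esp(LAPTOP_PRIVATE, OFFICE_GATEWAY, payload), HOTEL_PUBLIC)
    natt = nat_rewrite(build_esp_udp(LAPTOP_PRIVATE, OFFICE_GATEWAY, payload),
                       HOTEL_PUBLIC, public_port=61001)
    return {
        "AH": {"nat_can_track": nat_can_track(ah), "integrity_ok": verify_ah(ah)},
        "ESP": {"nat_can_track": nat_can_track(esp), "integrity_ok": verify_esp(esp)},
        "ESP-in-UDP (NAT-T)": {"nat_can_track": nat_can_track(natt),
                               "integrity_ok": verify_esp(natt)},
    }


if __name__ == "__main__":
    for mode, result in hotel_scenario().items():
        print(f"{mode:20s} {result}")
```

Running it shows AH failing its integrity check after the address rewrite, ESP passing the check but giving the NAT nothing to track, and ESP-in-UDP passing both, which is why a client behind a hotel NAT needs both ends to support NAT traversal.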

Guest

Potential problem:
Try to avoid using 192.168.0.x or 192.168.1.x subnets. Many home office
routers will use these ranges by default causing a collision with the
network at work. You will then have to instruct your employees to
renumber their home network. Better to just pick something that most
home routers will not use out of the box like something in the 10.x.x.x
area. Also it might be easier for you to just use a different class C
subnet for each office. This isn't required but it doesn't really make
much sense to limit yourself to a partial class C when you are using
private IP addresses.

With only 3 routers you can create a meshed network easily. In the
future you may decide to go with a hub and spoke topology but for only 3
I would just create separate tunnels between all the sites.

I have never used any Netgear products for VPN personally. They seem
like a cheap solution though. Personally I use Netopia 3386-ENTs. Not
a popular brand but the routers are cheap and have many features. One
thing I like about them is that they have PPTP support. It means I can
allow remote users to connect with the VPN client that has been built
into Windows since Windows 98. PPTP is not considered as secure as
IPsec but it's good enough for most people.

Direct file sharing over a DSL link can be slow, good enough for opening
small to medium sized documents. Not fast enough for anything but light
online database use. Many of my clients will use a Terminal Server
solution for VPN users to overcome speed issues.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
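The subnet advice above is the kind of thing worth checking mechanically before the routers are ordered. The following is an added example, not code from the thread or from any router vendor, that takes an office address plan and reports three problems: two offices whose subnets overlap (a site-to-site IPsec policy selects traffic by local and remote subnet, so the two ends of a tunnel need distinct subnets), an office subnet that collides with a default home-router LAN (the collision the reply describes), and hosts whose subnet mask is wider than their own office's subnet (such hosts treat another office's addresses as directly attached and ARP for them instead of sending to the gateway, so the traffic never enters the tunnel). The first plan is the one proposed at the top of the thread; the 10.x plans and the home-router default list are assumed values constructed for the demo.

```python
import ipaddress
from itertools import combinations

# Home-router default LAN subnets to check against: the two named in the
# reply above (constructed list; extend it with whatever your users have).
HOME_DEFAULTS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("192.168.1.0/24")]


def build_plan(entries):
    """entries: (office name, router IP, office subnet, mask set on the hosts)."""
    return {
        name: {
            "router": ipaddress.ip_address(router),
            "subnet": ipaddress.ip_network(subnet),
            "host_mask": host_mask,
        }
        for name, router, subnet, host_mask in entries
    }


def office_overlaps(plan):
    """Pairs of offices whose subnets overlap; each tunnel needs distinct
    local and remote subnets."""
    return [(a, b) for a, b in combinations(plan, 2)
            if plan[a]["subnet"].overlaps(plan[b]["subnet"])]


def home_collisions(plan, home_nets=HOME_DEFAULTS):
    """Offices whose subnet overlaps a default home LAN. A remote user on
    such a LAN has two routes for those addresses, and the local one wins."""
    return [(name, str(net)) for name, office in plan.items()
            for net in home_nets if office["subnet"].overlaps(net)]


def onlink_mismatches(plan):
    """Offices whose host mask makes another office's subnet look directly
    attached, so hosts ARP for it instead of using the gateway."""
    problems = []
    for name, office in plan.items():
        onlink = ipaddress.ip_network(
            f"{office['router']}/{office['host_mask']}", strict=False)
        for other, peer in plan.items():
            if other != name and onlink.overlaps(peer["subnet"]):
                problems.append((name, other))
    return problems


def check(plan):
    return {"office_overlaps": office_overlaps(plan),
            "home_collisions": home_collisions(plan),
            "onlink_mismatches": onlink_mismatches(plan)}


# The plan proposed at the top of the thread: three offices carved out of
# one 192.168.0.0/24, hosts masked 255.255.255.0.
PROPOSED = build_plan([
    ("Office A", "192.168.0.1", "192.168.0.0/24", "255.255.255.0"),
    ("Office B", "192.168.0.51", "192.168.0.0/24", "255.255.255.0"),
    ("Office C", "192.168.0.101", "192.168.0.0/24", "255.255.255.0"),
])

# A plan of the kind the reply recommends (assumed values): a 10.x range,
# one class C per office, hosts masked to their own office only.
REVISED = build_plan([
    ("Office A", "10.10.1.1", "10.10.1.0/24", "255.255.255.0"),
    ("Office B", "10.10.2.1", "10.10.2.0/24", "255.255.255.0"),
    ("Office C", "10.10.3.1", "10.10.3.0/24", "255.255.255.0"),
])

# Same class Cs, but hosts carry a 255.255.0.0 mask (assumed): the offices no
# longer collide, yet every office sees the other two as on-link.
WIDE_MASK = build_plan([
    ("Office A", "10.10.1.1", "10.10.1.0/24", "255.255.0.0"),
    ("Office B", "10.10.2.1", "10.10.2.0/24", "255.255.0.0"),
    ("Office C", "10.10.3.1", "10.10.3.0/24", "255.255.0.0"),
])

if __name__ == "__main__":
    for label, plan in (("proposed", PROPOSED), ("revised", REVISED),
                        ("wide mask", WIDE_MASK)):
        print(label, check(plan))
```

The proposed plan trips all three checks; the revised plan passes all of them; the wide-mask plan passes the first two and fails the on-link check for every office pair, which is the case to watch when a per-office class C is combined with a larger mask on the hosts.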
 
Guest

First off, thank you very much for the detailed reply! =)

It never occurred to me that having the same IP ranges for the office
VPN and home LAN would cause conflicts.
Taking your advice, I will set up the offices to use 10.10.x.x with a
subnet mask of 255.255.0.0. Each office will then get its own Class C.
For example, Office A will be 10.10.1.x, Office B 10.10.2.x and Office C
will be 10.10.3.x. Not sure what I will assign remote users. Maybe a
small chunk of the class C at the office's router they connect to?

Does that setup sound ok to you?

How many sites do you think we can go to before setting up a central
one? The Netopia router said it will handle 15 VPN
I just looked up that Netopia router you mentioned. It looks pretty
nice. I like that they haven't "dumbed" the interface down for less
savvy users. The Netgear routers tend to be over simplified and not
give enough features. On the spec sheet for the 3300-Ent series it says
"Up to 15 PPTP or IPSec VPN security associations". I'm assuming that
means up to 15 simultaneous tunnels?

If we have 3 sites that means 2 tunnels will be used on each router for
talking to the other 2 routers. This brings up the question: which
router should initiate the connection? Should router A connect to B and
C? Or should B and C initiate the tunnels to A?
Should I just have every router attempt to make an outgoing tunnel to
every other router? Many times this will probably result in 2 tunnels
between routers (one outgoing and one incoming) but that should be fine.

The PPTP support is DEFINITELY a plus. As it is now, we were counting
on having to buy and install a copy of the Netgear IPsec client on all
the remote machines.

Another question,
Do you know if the Netopia routers support dynamic DNS services? This
is very important as one of these offices is running on a residential
DSL line whose IP changes frequently.
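The mesh-versus-hub question and the "how many sites before a central one" question in the post above are both small graph problems, so here is an added example (not from the thread or from any vendor) that works them through for the three offices. It builds the tunnel list for a full mesh and for a hub at Office A, finds the path B to C under each, repeats that with Office A offline to show which topology survives, counts the tunnels each router must hold, and turns a per-router tunnel budget into a maximum mesh size. It assumes, as the post does, that one listed security association corresponds to one tunnel; if the datasheet counts unidirectional SAs (an IPsec tunnel uses a pair), halve the budget before calling the function. The budget of 15 and the site names are taken from the thread; everything else is constructed.

```python
from collections import deque
from itertools import combinations

SITES = ["A", "B", "C"]  # the three offices in the thread


def mesh_tunnels(sites):
    """Full mesh: one tunnel between every pair of sites."""
    return [tuple(pair) for pair in combinations(sites, 2)]


def hub_tunnels(sites, hub):
    """Hub and spoke: every other site tunnels to the hub only."""
    return [(hub, site) for site in sites if site != hub]


def path(tunnels, src, dst, down=()):
    """Shortest site-to-site path over the tunnels, treating the sites in
    `down` as offline; None when dst is unreachable."""
    if src in down or dst in down:
        return None
    adjacent = {}
    for a, b in tunnels:
        if a in down or b in down:
            continue
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        site = queue.popleft()
        if site == dst:
            route = []
            while site is not None:
                route.append(site)
                site = previous[site]
            return route[::-1]
        for nxt in sorted(adjacent.get(site, ())):
            if nxt not in previous:
                previous[nxt] = site
                queue.append(nxt)
    return None


def tunnels_on_router(tunnels, site, initiated_both_ways=False):
    """Tunnels a router must hold. If every router initiates to every peer
    and the peers' inbound tunnels stay up as well, the figure doubles."""
    count = sum(1 for tunnel in tunnels if site in tunnel)
    return 2 * count if initiated_both_ways else count


def max_mesh_sites(tunnel_budget, initiated_both_ways=False):
    """Largest full mesh whose routers stay within a per-router tunnel
    budget: a mesh of n sites needs n-1 tunnels on every router, or
    2(n-1) when both ends initiate."""
    per_peer = 2 if initiated_both_ways else 1
    return tunnel_budget // per_peer + 1


if __name__ == "__main__":
    mesh, hub = mesh_tunnels(SITES), hub_tunnels(SITES, "A")
    print("B->C over mesh:", path(mesh, "B", "C"))
    print("B->C over hub A:", path(hub, "B", "C"))
    print("B->C over mesh, A down:", path(mesh, "B", "C", down=("A",)))
    print("B->C over hub A, A down:", path(hub, "B", "C", down=("A",)))
    print("tunnels on A, mesh:", tunnels_on_router(mesh, "A"))
    print("mesh sites within 15 tunnels/router:", max_mesh_sites(15),
          "or", max_mesh_sites(15, initiated_both_ways=True), "if doubled")
```

With a 15-tunnel budget a full mesh can grow to 16 sites if each pair shares one tunnel, but only to 8 if every router also initiates its own tunnel to every peer, which is the cost of the "let everyone initiate" shortcut; agreeing on one initiator per pair keeps the budget, and a hub-and-spoke design trades the B-to-C detour through A for fewer tunnels on the spokes.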