Need to configure VPN correctly for Domain and DNS

Thread starter: Guest

In short, I have a remote site where I want all my clients to attach to the
Domain just like the local clients.
The remote site connects to our main site "Server1" via hardware VPN
configured with IPSec. I know the IPSec is set up correctly; it's the rest of
it that I'm not sure about. I'm hoping someone can walk me through this or
help out. This is the layout.

Remote Site
Hardware - Comcast Router/Modem > Cyberguard SnapGear SG530 > Dell Switch >
XP Clients
Connection - Cable

Local site
Hardware - T1 > Kentrox Router > Cyberguard SnapGear SME570 > Dell Switch >
XP Clients and Server 2003.

Server is the DC / DNS / DHCP server. The IP is set to 192.168.1.10

The remote VPN has the following settings (this is where I get confused).
Internet Port
IP - 10.1.5.2 (this is the local IP of the cable router)
GW - 10.1.5.1
DNS - 192.168.10 (Here I have the IP address of Server1, should I have this
set to the DNS addresses of the ISP?)

LAN Port
IP - 192.168.5.1
DNS - 192.168.1.10 (This always changes to match the DNS of the Internet Port)

I also have the DNS Proxy on the VPN set to yes. This being said, what
address should my clients point to when I configure their IP settings? The
VPN? What address on the VPN? The Gateway? The LAN IP? or should they point
to the DNS server?
Are the Network settings correct for this VPN? If not what should I change?

I also have DHCP enabled on the VPN. The Gateway address is set to
192.168.5.1 (The Internet Gateway address) with the Subnet of
192.168.5.0/255.255.255.0. This has been working for me.

Is there anything else I should check on the VPN?
 
DAiuto said:
In short, I have a remote site where I want all my clients to attach to the
Domain just like the local clients.
The remote site connects to our main site "Server1" via hardware VPN
configured with IPSec. I know the IPSec is set up correctly; it's the rest of
it that I'm not sure about. I'm hoping someone can walk me through this or
help out. This is the layout.

How do you know that the IPSec is set up correctly? Do the logs / status
pages of both routers show both phase1 and phase2 negotiations have
successfully completed, and the tunnel up and running?

Remote Site
Hardware - Comcast Router/Modem > Cyberguard SnapGear SG530 > Dell Switch >
XP Clients
Connection - Cable

Be sure your cable modem is bridged (The public IP address is assigned
to your VPN router, not the modem itself). Most cable modems will
auto-configure either way depending on the order in which things are
turned on, which makes cable a last choice for VPN endpoints (every time
the power goes out, you have to reset everything manually). If DSL is
available, I'd see about switching - make sure your DSL provider can set
you up in bridged mode.
Local site
Hardware - T1 > Kentrox Router > Cyberguard SnapGear SME570 > Dell Switch >
XP Clients and Server 2003.

Once again, be sure the public IP address is assigned to the Cyberguard,
not the Kentrox. I'm guessing the Kentrox is acting as a CSU/DSU for the
T1, which is fine, but you don't want it performing NAT (the Cyberguard
will do that).
Server is the DC / DNS / DHCP server. The IP is set to 192.168.1.10


All of your clients, local and remote, must be configured to use ONLY
your Active Directory DNS server for the domain to work. Since you have
a Windows server, it's a good idea to also install WINS and configure
your clients to use the WINS server. You can do this with DHCP locally
for sure (just add the option to the scope), and probably remotely by
creating a scope for the remote site's subnet and using the router as a
DHCP relay. I know the Cyberguard can act as a relay, I've never tried
to relay across the VPN, but I can't think of any good reason it wouldn't
work (you can email their tech support - one of the biggest reasons I
continue to use Cyberguard / Secure Computing hardware).
The remote VPN has the following settings (this is where I get confused).
Internet Port
IP - 10.1.5.2 (this is the local IP of the cable router)
GW - 10.1.5.1
DNS - 192.168.10 (Here I have the IP address of Server1, should I have this
set to the DNS addresses of the ISP?)

LAN Port
IP - 192.168.5.1
DNS - 192.168.1.10 (This always changes to match the DNS of the Internet Port)

I also have the DNS Proxy on the VPN set to yes. This being said, what
address should my clients point to when I configure their IP settings? The
VPN? What address on the VPN? The Gateway? The LAN IP? or should they point
to the DNS server?
Are the Network settings correct for this VPN? If not what should I change?

I also have DHCP enabled on the VPN. The Gateway address is set to
192.168.5.1 (The Internet Gateway address) with the Subnet of
192.168.5.0/255.255.255.0. This has been working for me.

Is there anything else I should check on the VPN?

For an IPSec VPN to work, you normally need public IP addresses directly
assigned to the WAN ports of both VPN Appliances. 10.1.5.2 is a private
IP address so (if I read your post correctly) the LAN side of the remote
router is 192.168.5.1 and the WAN side is 10.1.5.2. Since 10.1.5.2 is
not publicly routable, the assumption is that the ISP is using NAT to
extend their reach without having to secure more public IP address space
(lots of ISPs do this), or the cable modem is in "NAT" mode. You may
need to contact them and get a public (preferably static) IP address
(one end or the other _MUST_ have a static IP address). The setup is
pretty straightforward (I've used both Kentrox and Cyberguard SG; I
prefer to use the same brand at both ends, as it appears you have).

Here's an example setup.

Main office:
Address Mask GW
Computers 192.168.1.x / 255.255.255.0 / 192.168.1.1
|
|
LAN Port 192.168.1.1
[VPN Router]
WAN Port 65.234.123.101
|
|
Internet
|
|
WAN Port 64.123.101.102
[VPN Router]
LAN Port 192.168.2.1
|
|
Address Mask GW
Computers 192.168.2.x / 255.255.255.0 / 192.168.2.1

The VPN routers acting as the default gateway device for the LANs with a
properly configured IPSec VPN up and running and the proper remote LANs
configured on each (the LANS at each site must be on different subnets)
will know how to route traffic bound for the other private LAN through
the tunnel, and other off-site traffic to the Internet.

FWIW, I never set up VPNs with the routers already deployed at different
sites. I'll take one of the routers to the other site and get it working
there, then just make the necessary modifications to the WAN IP
addresses for the tunnel endpoints and then move it to its remote
location. To test the VPN, you can look in the log or status page of the
VPN routers. They both need to show the IPSec connection up and the
tunnel established ("phase 1" and "phase 2" usually). Once that's done,
you should be able to ping hosts on the remote LAN. Note that you will
not be able to browse (My Network Places) unless you have a WINS server
and your clients at both ends are configured to use it.

....kurt
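A small configuration audit, added here as an example and not part of either post, that codifies the checks in kurt's reply against the addresses in the thread: the two LANs must be distinct subnets, the tunnel endpoint needs a public WAN address, and domain clients must point only at the AD DNS server. The subnets 192.168.1.0/24 and 192.168.5.0/24, the server 192.168.1.10 and the remote WAN address 10.1.5.2 are taken from the thread; the client DNS lists passed to audit() are constructed.

```python
from ipaddress import ip_address, ip_network

# Values taken from the thread; the client DNS lists passed to audit() are constructed.
AD_DNS = "192.168.1.10"          # Server1: DC / DNS / DHCP
MAIN_LAN = ip_network("192.168.1.0/24")
REMOTE_LAN = ip_network("192.168.5.0/24")
REMOTE_WAN = "10.1.5.2"          # Internet port of the remote SG530

def lans_distinct(a, b):
    """The two sites must sit on different, non-overlapping subnets or the
    routers cannot tell local traffic from traffic bound for the tunnel."""
    return not a.overlaps(b)

def wan_is_public(addr):
    """A private WAN address points at upstream ISP NAT or a modem left in
    NAT mode, which usually breaks a site-to-site IPSec endpoint."""
    return ip_address(addr).is_global

def route_for(dst, local_lan, remote_lan):
    """Where a packet from one site goes: stays on the LAN, crosses the tunnel,
    or leaves for the Internet via the VPN router's default route."""
    d = ip_address(dst)
    if d in local_lan:
        return "local"
    if d in remote_lan:
        return "tunnel"
    return "internet"

def client_dns_ok(dns_servers, ad_dns=AD_DNS):
    """Domain members must use ONLY the AD DNS server: no ISP resolver, no
    router DNS proxy, and no malformed entries (e.g. '192.168.10')."""
    try:
        servers = [ip_address(s) for s in dns_servers]
    except ValueError:
        return False
    return bool(servers) and all(s == ip_address(ad_dns) for s in servers)

def audit(remote_client_dns):
    """Run the checks from the thread and return the list of findings."""
    findings = []
    if not lans_distinct(MAIN_LAN, REMOTE_LAN):
        findings.append("LAN subnets overlap; renumber one site")
    if not wan_is_public(REMOTE_WAN):
        findings.append("remote WAN address is private; bridge the modem or get a public IP")
    if not client_dns_ok(remote_client_dns):
        findings.append("remote clients must point only at " + AD_DNS)
    return findings
```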