Routing... IP Forwarding.

Hi,

I currently have 5 sites in my company.

VPNs, routing and internet access are provided by Win2k Servers with dual
network cards.
Site C (branch office) can reach Sites A and B (head office).
Site D (branch office) can reach Sites A and B (head office).
Site E (branch office) can reach Sites A and B (head office).
All links via VPN over the internet with demand dial interfaces. Sites A and
B have fixed public IP addresses. Sites C and D don't (so connections from
there are one way).

However, I'm having trouble getting Site C to access D and E, as well as
the other way around. It seems Routing only forwards internal
addresses.
There are no input or output filters active preventing this traffic.
IP addresses for demand dial interfaces are assigned from a fixed group
(different subnet than the rest of the networks).

I've tried implementing RIP but I don't know which interfaces should be
activated in RIP?
I've tried adding a static route (pointing to Site D) at Site C going
through the same interface as Site A, but the server at Site A doesn't forward
this to Site D (although the server in Site A has a static route pointing to
Site D).

Can anyone help me with the two following items?
- How can I get routing and remote access to work properly (the future model
  of our company will be hub and spoke so I have to get routing to properly
  work at site A and B).
- How to implement RIP correctly.
  - Which interfaces need to be enabled? (internal LAN, WAN, demand
    dial?)
  - What settings should I change so my network will automatically
    remain up to date.

Kind regards,

david
 
You can't use RIP (or any other routing protocol) on demand-dial. Set them
up as regular VPNs. If you need them to start up automatically when the
computer reboots, look into a startup script using "rasdial". Also, you'll
need to enable "KeepRasConnections" registry key so you can start-up and
stay up when not logged in. You can configure them to redial if dropped so
you'll stay up most all the time. Obviously, all sites must be on different
subnets, no two can be the same. One-way PPTP connections only connect the
PPTP client to the server's network, not the whole client LAN. That's
probably your trouble. Either way, there's just not enough routing here to
consider using RIP. Now I'm going to make a bold statement - spend a few
bucks and buy some VPN appliances! You'll never look back. Your troubles
will be over. I really like the "Secure Computing SG300" (No, I don't work
for the company!). Here's why.

1) They will do IPSec, L2TP and PPTP VPNs (all at the same time).
2) They DON'T require a separate client (or Licen$e) for each connection.
3) You only need a static IP at the head end - branches can be dynamic.
4) IPSec tunnels just require a "shared secret" (password).
5) There is a Wizard and good examples on the CD.
6) You can also configure it as a PPTP server and mobile Windows boxes can
connect from the hotel room using their built-in MS PPTP client.
7) They have a super ACL firewall based on iptables.
8) Their support is fabulous - email based, but quick responses and I've
NEVER had to take out my credit card to get help.

Number 8 is reason enough.

For LAN-to-LAN you want an IPSec tunnel. I use the SG300 all the time.
They're more versatile and configurable than Linksys and about the same
price.

....kurt
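
An added example, not part of either post: a small model of static forwarding tables in a hub-and-spoke layout. It checks the "no two sites on the same subnet" rule and traces a spoke-to-spoke packet hop by hop in both directions. The prefixes, route tables and function names are constructed for illustration and are not the poster's addressing or actual RRAS behaviour.

```python
import ipaddress
from itertools import combinations

# Constructed addressing plan (not from the thread): one LAN prefix per site.
SITES = {"A": "10.1.0.0/16", "C": "10.3.0.0/16", "D": "10.4.0.0/16"}

# Constructed route tables: router -> {destination prefix: next-hop site}.
# Hub A and spoke C know the way to D's LAN, but D has no route back to C.
ROUTES = {
    "A": {"10.3.0.0/16": "C", "10.4.0.0/16": "D"},
    "C": {"10.1.0.0/16": "A", "10.4.0.0/16": "A"},
    "D": {"10.1.0.0/16": "A"},
}


def overlapping_sites(sites):
    """Return pairs of sites whose LAN prefixes overlap (should be empty)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def next_hop(router, dst, routes):
    """Longest-prefix match in one router's table; None if nothing matches."""
    table = {ipaddress.ip_network(p): hop
             for p, hop in routes.get(router, {}).items()}
    matches = [net for net in table if dst in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def trace(src_site, dst_ip, sites, routes, max_hops=8):
    """Forward hop by hop from src_site; return (path, delivered)."""
    dst, here, path = ipaddress.ip_address(dst_ip), src_site, [src_site]
    for _ in range(max_hops):
        if dst in ipaddress.ip_network(sites[here]):
            return path, True
        here = next_hop(here, dst, routes)
        if here is None:
            return path, False  # a router on the path has no matching route
        path.append(here)
    return path, False  # hop limit reached: routing loop


def two_way(a, b, sites, routes):
    """A flow works only if both the request and the reply are delivered."""
    host = {s: str(next(iter(ipaddress.ip_network(sites[s]).hosts())))
            for s in (a, b)}
    return (trace(a, host[b], sites, routes)[1]
            and trace(b, host[a], sites, routes)[1])
```

With the constructed tables, C reaches D through the hub but the reply from D is dropped at D itself; adding a route for C's prefix via A on D makes `two_way("C", "D", ...)` succeed.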
 