


Making another network see and access another one!



#46 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 05 May 2012 - 08:12

Xenosion, on 04 May 2012 - 16:44, said:

If you want to do as little as possible, then I suppose those devices you linked are fine, but not what I would use.
If you have any industrial VPN routers in your head, go ahead and list them! :)


#47 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 05 May 2012 - 15:01

I mentioned some brands before...

How about a Cisco ASA 5505 or 5510, a SonicWall TZ170, TZ180 or even a TZ210, or maybe a Juniper SA VPN appliance? I have had the liberty to play with a VPN solution by NetMotion; it is pretty slick, client-based vs site-based, but very expensive. It is designed for mobile clients using cellular service to connect into the network. What is slick about it is that if you lose signal the VPN client holds the connection until the signal comes back, which is very important to those with Citrix or RDP connections. Those specific connections do not end, causing end users to lose work or having to re-sign on; it pauses the connection as if it were frozen while there is no signal, and when your signal comes back it is as if you never dropped out of the session. Biggest complaint with NetMotion is that the screen freezes, and I have to constantly explain that it is supposed to do that because you lost signal (users drive around with laptops always on and connected in their cars).

#48 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 05 May 2012 - 17:46

sc302, on 05 May 2012 - 15:01, said: [quoted in full above]
Those look like great products (I think one is even cheaper than the models we were looking at), but again, I don't see anything of this size:

http://www.netmodule...0-Wireline.aspx

The end device is NOT a PC: this has 2 digital outputs and an RS-232 port, which I've been told are needed. Also, the USB port is a plus, because otherwise network transfers are required, and as you see that is impossible (red line) for the client at hand to transfer from inside his own network.

#49 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 06 May 2012 - 20:11

htcz, on 04 May 2012 - 15:48, said:

Another thought I just had: if 192.168.1.4 from 80.39.34.23 (Site A) connects to 90.34.23.12 (Site B), which has 192.168.100.100 (the router), on that side I would get a new IP, say 192.168.100.78 (the 70s range is reserved for VPN connections). I couldn't get a PC on Site B (let's say 192.168.100.23) to ping 192.168.1.4 because it still would not see it! This would be a PC-to-PC VPN connection.
I apologize if I missed the answer to this question :)

#50 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 07 May 2012 - 03:39

How exactly are you setting up your PC-to-PC VPN? You may not be allowing IP traffic across the VPN (as simple as that may sound, it isn't that simple). What are you using? As you can imagine there are a million and one different VPN solutions, and some are much more configurable than others.

For instance, if it were Cisco, it would probably be a NAT issue: the VPN traffic needs to be taken out of NAT or be put into a no-NAT rule. Another issue would be if the PC had an interface that has the same IP range as the VPN'd network. Though it could be one of the 15 other rules needed to have a successful tunnel up... that is just one that gets missed.

#51 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 07 May 2012 - 06:55

sc302, on 07 May 2012 - 03:39, said: [quoted in full above]
We don't have the equipment yet, per se. Since we have seen that the routers I've mentioned (NB2500 and NB1600) are working off an OpenWRT base, and currently there are no alternatives for the situation at hand, we are testing on OpenWRT VMs...

#52 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 08 May 2012 - 14:03

Post up your config; obscure your IP addresses if you want.

Here is a write-up. Sorry it took so long to respond back; I was in deep doo-doo yesterday.

https://forum.openwr....php?pid=145557

Something sounds as if it is missing...

Here are the instructions; it may take a few days to read through to fully understand what is going on.

http://wiki.openwrt....to/vpn.overview

#53 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 10 May 2012 - 10:48

sc302, on 08 May 2012 - 14:03, said: [quoted in full above]
Thanks :)

I wanted to try this with VMs, but the other day I accidentally touched something in my OpenWRT VM and the DHCP server on it (dnsmasq) overrode the network's DHCP and started to hand out its own IPs, so I had to take it offline :(

Anyway, I already saw and tried the first link, and it is outdated, as opkg is now the package manager. Is there any way to download this externally and put it on the VM to test it out?

#54 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 10 May 2012 - 11:07

[image: network diagram]

The yellow dots are equipment I have control over (the switch on the left side probably also).


On the bottom side, we have 2 PCs and a router. Nothing else.

On the top side, we have an already-in-place router. The right side (crossing the red line) is an office area which I have no access to, and the right side should not know about the left side and vice versa. The "problem" is that (initially) I don't have access to that first router. Moving on: on the left side of the top side of that first router, we have a router running OpenWRT (possibly the NB2500) and a switch (again, that switch I will probably have access to). Later those are end clients, but they are NOT PCs. As a matter of fact, NOTHING on the left side at all will be a PC. They are simply machines. They DO however (if the NB1600 is chosen) have a configuration with OpenWRT.

Also, this is an industrial-type setup, which is the reason why I can't just go with DD-WRT routers and call it a day (I don't think I would even convince my boss, and anyway we need something like the NB1600).

Continuing on that last line, the main problem is the NB1600. I need that form factor/type of product for the machine they are attached to.


sc302, thank you for all your help, and I hope this hasty description helps you understand and give me a bit more information :)

Thank you!

#55 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 10 May 2012 - 16:19

The router that is hosting the VPN needs to be on the edge, not behind another router that is doing NAT. This can and will create issues if not done correctly. If you can have the router that you have control of access the outside directly, that would be ideal, perhaps in a DMZ that is not NATted.


I would need to see the config one way or the other to try and make sense of what is going wrong. There are a lot of things that can stop you from communicating: no routes set up, NATting enabled on VPN traffic, and a few other things. To get to the bottom of it as quickly as possible and to point you in the right direction I would need to see your config. I have given you the docs, even if old, that would get you there... and I am sure if you look at YouTube you can find a video that will step you through the entire process. The technology doesn't change; the screens or places to check may.

#56 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 10 May 2012 - 16:32

sc302, on 10 May 2012 - 16:19, said: [quoted in full above]

Related to that, this is the setup that was shown to us by a 3rd party (the distributor of this equipment) and this does indeed work:

[image: distributor's reference setup]

It's a little different, but one of the routers we always have control over physically instead of remotely. The one that would "host" the VPN would be the one on the bottom, on our side. The rest would basically be clients.

#57 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 10 May 2012 - 16:40

How are you routing data? Do you have layer 3 switches in place to be able to handle routes? Or are you specifically adding routes into the client PCs to state where to steer traffic to?

For simplicity's sake, on the edge there is less to troubleshoot when something fails. But if you really know what you are doing, how traffic works, and how to make things go, it can be anywhere... how much troubleshooting do you know how to do? Do you have a full understanding of how routing works, how port traffic works, and where things can get hosed along the way? If not, keep it as simple as possible, with the least possibility to block and route along the way.

#58 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 10 May 2012 - 21:20

sc302, on 10 May 2012 - 16:40, said: [quoted in full above]
The thing is that this is not something I chose. This is the setup already given, and I can't change it, as we don't do tech stuff. We just set up the configuration on our end.

The current setup (without VPN equipment) is something like:

[image: current setup without VPN equipment]

I put R1 and R2 because, after talking to my boss, it might seem that the other company mixed up details and instead of 2 routers there is only one.

#59 +sc302

    Neowinian UNSTOPPABLE

  • 6,193 posts
  • Joined: 12-July 05
  • Location: NJ/PA, USA

Posted 11 May 2012 - 01:02

Depending on the client, you could have a PC establish a VPN connection to the router, but from what you said you wanted an entire site-to-site VPN. You need to be specific in what you want, and you also need to be specific as to what the client PCs are.

Site-to-site requires 2 edge VPN routers. Client-to-site requires 1 edge VPN router and a client that can be configured for VPN, either natively or through add-on software. If the client is a serial connection then that cannot be configured; the machine that it connects to would have to be configured. You lack a bit of detail to get this working, and I am trying to ask the right questions to help you.
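The two failure modes sc302 keeps coming back to (VPN traffic still being masqueraded because the no-NAT rule is missing in #50 and #55, and a missing route on the far side in #55) and the client-to-site versus site-to-site distinction in this post, which is also what sinks htcz's PC-to-PC ping in #49, can all be checked against a small model of both routers' routing tables and masquerade policy. The block below is an added example, not configuration from the thread, from NetModule or from OpenWRT. The Site A / Site B addresses are the ones htcz gave in #49; the next-hop labels, the /32 host route for the dial-in client and the scenario functions are assumptions for illustration.

```python
"""Route and no-NAT sanity model for a site-to-site tunnel.

Added example, not the thread's own configuration.  Site A LAN
192.168.1.0/24 behind 80.39.34.23 and Site B LAN 192.168.100.0/24 behind
90.34.23.12 follow the thread; the next-hop labels, the /32 host route for
a dial-in client and the scenario functions are assumptions.
"""
import ipaddress as ipa
from dataclasses import dataclass, field

LAN_A = ipa.ip_network("192.168.1.0/24")
LAN_B = ipa.ip_network("192.168.100.0/24")


@dataclass
class Router:
    name: str
    lan: ipa.IPv4Network
    wan_ip: ipa.IPv4Address
    routes: dict = field(default_factory=dict)      # prefix -> next-hop label
    nat_exempt: list = field(default_factory=list)  # destinations left un-NATed

    def next_hop(self, dst):
        """Longest-prefix match over the connected LAN and static routes;
        anything unmatched leaves via the WAN default route."""
        dst = ipa.ip_address(dst)
        candidates = [(self.lan, "lan"), *self.routes.items()]
        matches = [(p, via) for p, via in candidates if dst in p]
        if not matches:
            return "wan-default"
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def egress_src(self, src, dst):
        """Source address the far side sees.  WAN masquerade rewrites it to
        wan_ip unless a no-NAT rule (Cisco's no-NAT exemption, or a tunnel
        zone with masquerading left off on OpenWRT) covers the destination."""
        src, dst = ipa.ip_address(src), ipa.ip_address(dst)
        if any(dst in net for net in self.nat_exempt):
            return src
        return self.wan_ip


def diagnose(a, src, b, dst):
    """Can src behind router a reach dst behind router b, and can the reply
    get back?  Returns (ok, reason); the reason names the hop that breaks."""
    if a.lan.overlaps(b.lan):
        return False, f"LAN overlap {a.lan} vs {b.lan}: neither side can route to the other"
    hop = a.next_hop(dst)
    if hop != "tunnel":
        return False, f"{a.name}: no tunnel route for {dst} (went {hop})"
    seen = a.egress_src(src, dst)
    if seen != ipa.ip_address(src):
        return False, f"{a.name}: masqueraded {src} to {seen}; no-NAT rule missing"
    back = b.next_hop(seen)
    if back != "tunnel":
        return False, f"{b.name}: no tunnel route back to {seen} (went {back})"
    return True, "ok"


def site_a(**kw):
    return Router("siteA", LAN_A, ipa.ip_address("80.39.34.23"), **kw)


def site_b(**kw):
    return Router("siteB", LAN_B, ipa.ip_address("90.34.23.12"), **kw)


def site_to_site(no_nat_on_a=True, route_on_b=True):
    """Two edge routers.  Drop either the no-NAT rule or the return route and
    the ping from 192.168.1.4 to 192.168.100.23 fails in a different place."""
    a = site_a(routes={LAN_B: "tunnel"}, nat_exempt=[LAN_B] if no_nat_on_a else [])
    b = site_b(routes={LAN_A: "tunnel"} if route_on_b else {}, nat_exempt=[LAN_A])
    return diagnose(a, "192.168.1.4", b, "192.168.100.23")


def pc_to_pc():
    """htcz's #49 scenario: one PC at A dials in and is handed 192.168.100.78.
    Site B learns a host route to that client only, never to 192.168.1.0/24,
    so its PCs can reach the tunnel address but not 192.168.1.4."""
    client = ipa.ip_network("192.168.100.78/32")  # assumed dial-in address
    b = site_b(routes={client: "tunnel"}, nat_exempt=[client])
    pc = Router("pcA", LAN_A, ipa.ip_address("80.39.34.23"),
                routes={LAN_B: "tunnel"}, nat_exempt=[LAN_B])
    return (diagnose(b, "192.168.100.23", pc, "192.168.100.78"),
            diagnose(b, "192.168.100.23", pc, "192.168.1.4"))


def overlapping():
    """Both sites on 192.168.1.0/24: sc302's 'same IP range' failure."""
    a = site_a(routes={LAN_A: "tunnel"}, nat_exempt=[LAN_A])
    b = Router("siteB", LAN_A, ipa.ip_address("90.34.23.12"))
    return diagnose(a, "192.168.1.4", b, "192.168.1.23")


if __name__ == "__main__":
    for label, result in [("site-to-site", site_to_site()),
                          ("no no-NAT rule at A", site_to_site(no_nat_on_a=False)),
                          ("no return route at B", site_to_site(route_on_b=False)),
                          ("overlapping LANs", overlapping())]:
        print(f"{label:22} -> {result}")
    for result in pc_to_pc():
        print(f"{'pc-to-pc':22} -> {result}")
```

The model only covers what a single edge router can see. With the no-NAT rule missing, Site B receives packets whose source is already 80.39.34.23 and sends the replies out its default route, which is exactly why the tunnel comes up but nothing answers. On OpenWRT the usual way to get the no-NAT behaviour is to put the tunnel interface in its own firewall zone with masquerading off, rather than folding it into the masqueraded wan zone. The double-NAT case sc302 warns about in #55 (the VPN router sitting behind another router that NATs) is outside this model; it breaks earlier, at the outer router, before any of these checks apply.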

#60 OP htcz

    Resident Elite

  • 1,821 posts
  • Joined: 22-July 11

Posted 11 May 2012 - 07:04

sc302, on 11 May 2012 - 01:02, said: [quoted in full above]
I apologize for not giving correct answers to your questions.

The end clients are basically industrial machines running proprietary software. We want this system to be able to do two things: remote support, and transferring pre-done files (basically binary files that the machine understands) from our end to over there.

The USB port on the routers I mentioned (NB2500 and NB1600) allows some temporary space to transfer those files and read them via a share.

I BELIEVE I'm not leaving out any details. If you need any more, just ask :)

Thanks, and once again I apologize for not answering your questions.