LAN to Lan VPN

Discussion in 'Networking (Hardware & Software)' started by OldBob, 2007/04/20.

  1. 2007/04/20
    OldBob

    I have an existing LAN with about 90 computers. The local LAN addresses are 192.168.0.x and the gateway is at 192.168.0.9. I tried adding a new hardware router/VPN at 192.168.0.244 to connect to a small remote network. The addresses on the remote net are 192.168.1.x. The VPN tunnel seems to be OK, but I can't seem to get the system to work. Packets come in from the remote addresses, but the return process seems to be routing them through the gateway at 192....9. That doesn't work. Is there a problem with two routers on the network? This is my first experience with VPN.
     
  2. 2007/04/20
    ReggieB

    You need to set up a static route for 192.168.1.0/255.255.255.0 to 192.168.0.244.

    You can do that on each of the PCs, but it should be easier to set it up at the internet router. That is, go into the configuration of the router and set up a static route there.

    If you are not sure how to do that, post back with the router make and model and we should be able to tell you how to set up the router config.
     

  4. 2007/04/23
    OldBob

    Cool - but which of the two do I add the static route on? I have a DLink DFL-200 at the remote site and a DLink DFL-210 at the main site. When I bought the 2nd router (the 210) I thought it was a later version of the DFL-200. I know that's dumb, but the vendor no longer had the 200 and it seemed reasonable at the time. The 210 is much more complicated.
     
  5. 2007/04/25
    ReggieB

    The one your computers are using as their default gateway.

    The default gateway is a router that knows what to do with packets sent to undefined locations (send them to the internet). By setting up a static route on your default gateway, you are in effect saying "send everything to the internet unless it matches an address accessible via the static route".

    So on a computer you send a network packet to google.com. A route to google isn't defined on your PC, so your PC sends it to the default gateway. It doesn't have a specific route to google, so it sends the packet out to the internet.

    Then you send a packet to the network the other side of the VPN. Again the computer doesn't have a specific route defined so it sends it to the default gateway. The gateway router checks the routes it has defined and finds one to the VPN network. It then sends the packet on the route defined by the static route - the packet gets sent to the other (VPN) router.
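
The lookup described in this reply, modelled as an added example (not part of the original posts): each node picks the most specific matching route, and the reply path is traced with and without the static route on the default gateway. The host addresses 192.168.0.50 and 192.168.1.20 and the labels `on-link`, `wan` and `tunnel` are constructed for the illustration.

```python
import ipaddress

LAN, REMOTE = "192.168.0.0/24", "192.168.1.0/24"
GATEWAY = "192.168.0.9"        # default gateway named in the thread
VPN_ROUTER = "192.168.0.244"   # VPN router named in the thread
PC = "192.168.0.50"            # constructed LAN host

def make_tables(static_route_on_gateway):
    """Per-node routing tables as (prefix, next hop). 'on-link', 'wan'
    and 'tunnel' are labels for where a packet leaves this model."""
    tables = {
        PC: [(LAN, "on-link"), ("0.0.0.0/0", GATEWAY)],
        GATEWAY: [(LAN, "on-link"), ("0.0.0.0/0", "wan")],
        VPN_ROUTER: [(LAN, "on-link"), (REMOTE, "tunnel")],
    }
    if static_route_on_gateway:
        # The fix from the thread: 192.168.1.0/255.255.255.0 via 192.168.0.244
        tables[GATEWAY].append((REMOTE, VPN_ROUTER))
    return tables

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    routes = [(ipaddress.ip_network(p), hop) for p, hop in table]
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return "unreachable"
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src until the packet is delivered or exits."""
    path, node = [src], src
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop == "on-link":
            return path + [dst]
        path.append(hop)
        if hop not in tables:      # 'wan', 'tunnel' or 'unreachable'
            return path
        node = hop
    return path + ["loop"]

if __name__ == "__main__":
    reply_to = "192.168.1.20"      # constructed remote host
    for fixed in (False, True):
        print(fixed, " -> ".join(trace(make_tables(fixed), PC, reply_to)))
```

Without the static route, the reply to the remote site leaves through the gateway's WAN side instead of the tunnel; with it, the gateway hands the packet to 192.168.0.244 and ordinary internet traffic is unaffected.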
     
  6. 2007/04/25
    Scott Smith

    How many Wan IPs do you have on the 90 client LAN?
     
  7. 2007/04/30
    OldBob

    Great description. I added a static route to the VPN and I'm in business. There is still more for me to learn, but you've got my VPN working.

    Thanks
     
  8. 2007/05/02
    booBot

    Use this picture as a sort of a hint...
     
  9. 2007/05/03
    ReggieB

    Gor blimey - that diagram reminds me of a few cable cabinets I've seen. :D

    A couple of comments. This diagram assumes that you have a VPN network 10.0.1.0. I don't think that is the case for OldBob's network. It is more likely to be point to point.

    Unless network users need to connect directly to nodes in the VPN space, the default gateways do not need to know that the 10.0.1.0 network exists. All they need to know is to route traffic to the VPN router for the distant network. Only the VPN routers need to know about the 10.0.1.0 network. If you remove the 10.0.1.0 routes from the default gateway routers, your configuration will be simplified without affecting the performance of the network, and your diagram will be simplified too.
     
  10. 2007/05/03
    booBot

    You are welcome.

    My idea was to make IP ranges as visually separate as possible (for educational purposes).
    I did not intend to force anyone to follow the picture literally...

    Actually, it would be absolutely enough to have all three in the 192.168 (or whichever is free and allowed by RFC1918) with the different netmasks but that (I think) is a bit more difficult to grasp at once...

    The extra rules (at the actual GWs pointing to the VPN range) are a sort of a "safety-net" ones. Indeed, they are optional.
     
    Last edited: 2007/05/03
  11. 2007/05/04
    ReggieB

    I'm glad about that, as there are few things I enjoy as much as a discussion about networks.

    Thoroughly agree with you on that one. And not just for educational purposes. If it is clear to learn, it is clear to use too. Personally, I tend to use the 10.0.0.0 address space for main LANs and 192.168.0.0 space for interconnection networks such as WANs and DMZs.

    I don't use 172.0.0.0 private address space very often as I can never remember the specifics of it, and why use an address space that I keep having to check up on, when 192.168.0.0 and 10.0.0.0 are so easy to remember. :)

    In fact they can all have the same masks. Just different third octets: 192.168.1.0, 192.168.2.0, 192.168.3.0. But as you so clearly point out, using different address spaces is clearer.

    The danger with this is the repetition and what happens if the IP address space in the VPN changes - for example, you have to change service provider. The more "safety-nets", the more repetition, the more places that need to be updated if something changes, and the more places where a vital change could be overlooked. TCP/IP doesn't need that level of safety net. Its basic remit was a design capable of surviving a loss of large parts of the network in a nuclear attack. In general, with networking simple is best.
     
  12. 2007/05/04
    booBot

    Yes, that's what I meant to say - the networks must be different in the IP-range|netmask sense of it.
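
A check for the address-plan point made in the last few posts, as an added example (not part of the original thread): every site network should sit inside RFC 1918 space and no two should overlap, whatever their masks. The /24, /25 and /30 prefix lengths, the plan names and the host 192.168.1.20 are assumptions; the thread gives only the network addresses.

```python
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_plan(plan):
    """plan maps a site name to a CIDR string; returns a list of problems."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(block) for block in RFC1918):
            problems.append(f"{name} {net} is outside RFC 1918")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

def treated_as_local(lan_cidr, dst):
    """True if a host on lan_cidr considers dst on-link, in which case it
    never consults its gateway or any static route for that address."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network(lan_cidr)

# Constructed plans built from the addresses mentioned in the thread.
THREAD_PLAN = {"main": "192.168.0.0/24", "remote": "192.168.1.0/24",
               "vpn": "10.0.1.0/24"}
ONE_BLOCK_PLAN = {"main": "192.168.0.0/24", "remote": "192.168.1.0/25",
                  "vpn": "192.168.2.0/30"}
# Same addresses, but the main LAN mask is too wide and swallows the remote site.
WIDE_MASK_PLAN = {"main": "192.168.0.0/16", "remote": "192.168.1.0/24"}

if __name__ == "__main__":
    for label, plan in (("thread", THREAD_PLAN), ("one block", ONE_BLOCK_PLAN),
                        ("wide mask", WIDE_MASK_PLAN)):
        print(label, check_plan(plan) or "ok")
    print(treated_as_local("192.168.0.0/16", "192.168.1.20"))
```

With the wide mask, hosts on the main LAN treat remote addresses as local, so no static route on the gateway is ever consulted for them.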
     
