Vpn multi lan blues

dexion11

Junior Member
Jun 5, 2004
Hi, I have an interesting problem.

I have 81 routers with private subnets behind them

192.68.x.x/24


I would like them all to be able to communicate over a public network with each other. The routers are capable of doing ipsec (but only 40 tunnels.)

They can also act as pptp and l2tp servers.


I have a windows 2000 server in the middle to be a hub.

The problem is I can not get all the networks talking to each other. The 2k server can talk with them all and the networks can all talk with the 2k server.

I just can not wrap my brain around the problem enough to get them to use the 2k server as their hub. The problem is the routers have been hobbled somewhat by not allowing static routing to be put on the WAN connection. Routes can only be added to the clean side.

I can use the 2k server as a router and even install extra nics, but I just can't seem to get it all to work. I had (somehow) gotten my test bed of 3 routers and a 2k server to talk altogether, but they stopped suddenly without my doing anything. I can't duplicate the success.

I have tried everything I can think of. This would be so much easier if I could just route everything through the vpn tunnels.


Is what I am trying to do possible? (I thought it was, even though the routers are hobbled as they are, but now I am unsure.)

thanks
dex

The routers are supposed to be able to do rip, but the 2k server never receives any replies. The routers are dlink 804hv's (not my choice for this type of thing, unavoidable, but I keep thinking it should work.)
 

OdiN

Banned
Mar 1, 2000
Have you tried to do it without the Win2k Server? I'm not sure it's possible to use that server as a hub like that. What about bandwidth requirements of 81 different networks going through one NIC?? Also, is the public network your own or is it the internet or what? Also, I'm not sure how a VPN would help if it's your own public network.

Can the networks on one side of the Win2k server talk to each other? I'm not picturing your setup in my head...can you be a bit more detailed about location and connection methods between the different routers/networks?

As for the DLink stuff...never really liked their stuff and it sounds like you would be better off with some Cisco equipment, expensive as it may be.
 

dexion11

Junior Member
Jun 5, 2004
Ug this just keeps getting worse.

HEH


Ok, never mind the quantity of routers and subnets; let's take my test bed for example.

I have 2 dlinks and the w2k server


dlink1 = pub 10.176.249/24 private 192.168.0.1/24

dlink2 = public 10.2.176.248/24 private 192.168.10.1/24

The w2k server = 10.2.176.86

Ok routing is set up on the w2k server.

I created 2 pptp tunnels from the w2k server to the 2 dlink routers to the private sides (192...)

I then set up 2 static routes for the 2k server to find the remote private subnets.

I set the dlinks up as pptp servers.

Both dlinks are able to talk to the w2k server through the lan OR through ipsec filters, but that is not needed in this case.

The w2k server is able to hit BOTH private networks and both (duh) public pipes.

BUT, and here is what makes me want to chew my own foot off, even though I set the default gateways on the dlinks to the public IP of the w2k server, they STILL can not communicate with each other's private network.

I.E. 192.168.0.1/24 can not ping 192.168.10.1/24 and vice versa. Even though their DG is the w2k server that routes the packets and can talk with both private lans.

When I test a client behind the dlinks they have full connectivity to the internet, the local 10.2.176.0/24 lan and the w2k server.


When I trace things out it goes from the client, to the router (dlink) to the w2k server and where it needs to go.


EXCEPT when I try to hit the private lans from either dlink.
It goes for example:

192.168.0.124 ---->192.168.0.1----->10.2.176.86------->10.2.176.254 (the default gateway of the w2k server)



I must not have a good enough grasp on routing although this just should be a piece of cake.


I can create pptp or ipsec tunnels BETWEEN each router and they will then communicate fine between themselves, but there is a LIMIT of 40 tunnels built into the routers. I have to make 82 tunnels.

These results are duplicatable with 2 way Ipsec tunnels to the w2k server from the dlinks also.

Any help would be appreciated.

thanks dex
 

ToeJam13

Senior member
May 18, 2004
It may be that the DLinks can not route through the VPN tunnels that they themselves are terminating. Also, your static routes may be confusing the routing tables of the Win2K Server.

Before any tunnels are created, your Win2K server should have a routing table that looks something like this:
- 0.0.0.0 via 10.2.176.254
- 10.2.176.0/24 via 10.2.176.86

Dlink1 should have these routes:
- 0.0.0.0 via 10.2.176.86
- 10.2.176.0/24 via 10.2.176.249
- 192.168.0.0/24 via 192.168.0.1

Dlink2 should have these routes:
- 0.0.0.0 via 10.2.176.86
- 10.2.176.0/24 via 10.2.176.248
- 192.168.10.0/24 via 192.168.10.1

When you create a PPTP tunnel from your Win2K server to the internal side of the DLinks, the server is assigned an IP address on its virtual tunnel device. Let's say that it's assigned these two addresses:
- 192.168.0.254
- 192.168.10.254

Your Win2K server should now have the following routing table:
- 0.0.0.0 via 10.2.176.254
- 10.2.176.0/24 via 10.2.176.86
- 192.168.0.0/24 via 192.168.0.254
- 192.168.10.0/24 via 192.168.10.254

The next issue is how clients on the 192.168.x.x networks forward traffic through the PPTP tunnel address. The DLink may not be able to forward traffic to tunnels terminated upon itself. If this is so, the DLinks will be an inappropriate address to use as a forwarding address. You may need to add an extra route to the clients to route directly to the tunnel address. Here is an example for the 192.168.1.0 network:
- route add 192.168.0.0 mask 255.255.0.0 192.168.1.254

Now, the thing which seems to be failing is routing using the PPTP interfaces. It may be that Windows 2000 will not use a PPTP network interface as a valid forwarding device. I don't have any documentation that says if this is true or not, but I can't see the problem. This may be your problem, and it may be a limitation of Windows.

I also see a possible problem with the two static routes you are adding to your Windows 2000 server. If the DLink units are configured in stateful firewall mode instead of an ipforwarding router, then your routes will kill the packet forwarding. Any device which is configured in NAT/firewall mode will not pass traffic from an untrusted network to a trusted network. That's how firewalls work.

Since the Windows 2000 box has a local address on each of the 192.168.0.0 networks, these routes are moot anyways, since the 2000 box already has a route to these networks.
 
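To make the routing tables in ToeJam13's post concrete, here is an added example (mine, not ToeJam13's and not from the thread) that does a longest-prefix-match lookup over those tables and walks a packet from a client behind dlink1 to the far private LAN, once with the hub lacking the tunnel routes and once with them present. The dlink1 WAN address 10.2.176.249, the hub tunnel addresses and the destination 192.168.10.5 are taken from or constructed around the thread; the "delivered via own interface" reachability model is an assumption.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def trace(routers, first_hop, dst, max_hops=8):
    """Walk the packet router to router. routers maps an address to
    (that router's own addresses, its routing table). Returns (path, outcome)."""
    path, hop = [], first_hop
    for _ in range(max_hops):
        path.append(hop)
        addrs, table = routers[hop]
        nh = lookup(table, dst)
        if nh is None:
            return path, "no route"
        if nh in addrs:                 # route via own interface: on-link or own tunnel
            return path, f"delivered via {nh}"
        if nh not in routers:           # next hop is outside the modelled network
            path.append(nh)
            return path, "left the site"
        hop = nh
    return path, "loop"

# Constructed from the thread: dlink1 LAN/WAN, the W2K hub, the ISP gateway.
DLINK1 = ({"192.168.0.1", "10.2.176.249"},
          [("0.0.0.0/0", "10.2.176.86"), ("10.2.176.0/24", "10.2.176.249"),
           ("192.168.0.0/24", "192.168.0.1")])
W2K_NO_TUNNEL_ROUTES = ({"10.2.176.86"},
          [("0.0.0.0/0", "10.2.176.254"), ("10.2.176.0/24", "10.2.176.86")])
W2K_WITH_TUNNEL_ROUTES = ({"10.2.176.86", "192.168.0.254", "192.168.10.254"},
          W2K_NO_TUNNEL_ROUTES[1] + [("192.168.0.0/24", "192.168.0.254"),
                                     ("192.168.10.0/24", "192.168.10.254")])

def path_from_dlink1(hub, dst="192.168.10.5"):
    """Packet from a client behind dlink1 toward the LAN behind dlink2."""
    routers = {"192.168.0.1": DLINK1, "10.2.176.86": hub}
    return trace(routers, "192.168.0.1", dst)

if __name__ == "__main__":
    print(path_from_dlink1(W2K_NO_TUNNEL_ROUTES))    # hub falls back to 10.2.176.254
    print(path_from_dlink1(W2K_WITH_TUNNEL_ROUTES))  # hub hands the packet to its tunnel
```

The first run reproduces the trace in the thread (dlink1, hub, then the hub's default gateway); the second shows what the hub's table must contain for the packet to enter the PPTP tunnel instead.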

dexion11

Junior Member
Jun 5, 2004
Right, there are huge limitations on the dlink boxes.

They will not allow you to set a route that impacts the wan link ONLY the lan side.

They will also not dial out but will only act as servers EXCEPT with ipsec. They will initiate and accept tunnels both ways. But I have failed in getting them to communicate with the other private sides through the 2k box.

I was toying with the idea of creating a tunnel that would be used for the lan sides of the private routers through the 2k box. I.e. create a tunnel from 192.168.0.0.24 saying anything for lan 192.168.0.0/16 create a tunnel with the 2k box (which has a tunnel to the other lan already in place), but I can't logically wrap my head around that either. I can't initiate the tunnel to the 2k box because it doesn't consider the 192.168.0.0/16 lan to be served by itself so no route can be made.


I can create ipsec tunnels from the dlinks to the 2k box but I can't get the 2k box to route packets to the other lans with ipsec or pptp. (I can configure the 2k box to dial out to the dlinks and connect as remote routers and then static routes to the subnets.) The 2k box is fine and the dlinks can talk to the 2k box all at once. But I still can't get the 2k box to route packets to the other lans for the dlinks.

I may just have the wrong routers. But, for the moment it is all I have.


I perhaps can make 40 tunnels between the first set of routers giving them a 192.168.1-40.0/24 mask and then dial into one of them with the dlink and set the 2k box to use the dlink as its default gateway. Then create 40 tunnels for the others on a 172.168.1-40.0/24 mask and try to route between them somehow. But, I fear I would then have 2 networks of 40 subnets that can not talk with each other. Which, while better, is almost as bad.

Ugg.