dgeesaman
join:2003-07-10
Lemoyne, PA

dgeesaman

Member

Setting up a site-to-site VPN

I'm trying to set up a site-to-site VPN between two business locations. Each site has less than 5 users who need to connect to the SBS2003 server for their Exchange needs. My goal is to connect with higher throughput and without them having to use the MS software VPN and connect through the SBS 2003 server.

Remote site = Comcast Business class with one static IP and a Netgear UTM 5.
Server site = Verizon FiOS with one static IP and a Netgear UTM 10. SBS 2003 serves Exchange and a few shared folders, no web service.

Here are my challenges:
1) Remote Site = Comcast Business class over a SMC 8014 Gateway. Based on my reading, this does not support a hardware level bridge that is required for IPSec VPN connection.
1a) I have FiOS at home without a static IP. Is there a way I can still use this location to test out the connection between my home and the datacenter site?

2) Is SSL VPN a safe alternative if I can't overcome the SMC 8014 limitations to use IPSec?

3) If I can't get the broadband routers to work in true bridge mode and must use SSL, would it be reasonable to enable a DMZ on each broadband device and put the UTMs on the DMZ?

4) IP configurations are not my strength. (I'm a mechanical engineer by day, so I have 2-bit IT skills in an 8-bit world). I would love a suggested IP configuration (IP address ranges and subnet masks for each side of the site UTMs) for both ends that will not conflict and allow any client on one side to talk with any client on the other.

At the server site I have the 192.168.1.* / 255.255.255.0 - between the broadband and the UTM10, and 192.168.2.* / 255.255.255.0 inside. At the remote site I have 192.168.3.* / 255.255.255.0 between the broadband and UTM5, and 192.168.4.* / 255.255.255.0 inside the UTM5.

Thanks for any advice you can offer.
jimbopalmer
Tsar of all the Rushers
join:2008-06-02
Greenwood, MS

jimbopalmer

Member

One spoke of my hub-and-spoke VPN uses an SMC 8014 in bridge mode. I called Comcast, as using it as a router defeated my VPN, which had worked for years with an SB5101.

I use 6 RV042 routers to connect to a RV082 at the hub. Throughput will be your upload speeds, not your download speeds.

bdnhsv
join:2012-01-20
Huntsville, AL

bdnhsv to dgeesaman

Member

to dgeesaman
1. The smc8014 can be placed in bridge mode.

1a. You'd need to make a note of your current IP address at home for use in the HQ UTM if needed. You'd also need to set up port forwarding in your home router and assign the UTM at your home to a static private IP (192.x.x.x).

4. The IPs of the 2 UTMs should be your 2 public static IPs. So you don't need the 192.x.x.x address space between the ISP routers and your UTMs. Your LAN addresses seem fine. You'll have to configure a portion of your 192.x.x.x LAN space for use as remote VPN clients at your HQ site in the UTM. I've never used that make/model so I can't offer specific advice on that. If you have 5 remote users you'll need at least 5 IPs in that pool though.
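
Added example, not part of any poster's reply: a Python check of the addressing plans discussed in this thread, flagging a UTM WAN port that still sits on a private transit subnet behind the ISP gateway and LAN ranges that collide across the tunnel. `check_plan` is a hypothetical helper, and the WAN host addresses are constructed (hosts inside the transit subnets from the first post, and RFC 5737 documentation addresses standing in for the two static IPs).

```python
import ipaddress
from itertools import combinations

# Ranges that are not publicly routable (RFC 1918 plus carrier-grade NAT).
# A UTM WAN port addressed from one of these sits behind the ISP gateway's
# NAT instead of holding the static public IP directly (bridge mode).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_plan(sites):
    """Return a list of problems found in a site-to-site addressing plan.

    sites maps a site name to {"wan": UTM WAN address, "lan": LAN subnet}.
    check_plan is a hypothetical helper written for this example.
    """
    problems = []
    lans = {}
    for name, cfg in sites.items():
        wan = ipaddress.ip_address(cfg["wan"])
        lans[name] = ipaddress.ip_network(cfg["lan"])  # accepts addr/netmask
        if any(wan in net for net in NON_ROUTABLE):
            problems.append(f"{name}: WAN {wan} is not publicly routable; "
                            "the ISP gateway is still routing/NATing")
    # Each LAN must be unique, or traffic for the far side never enters the tunnel.
    for a, b in combinations(sorted(lans), 2):
        if lans[a].overlaps(lans[b]):
            problems.append(f"{a}/{b}: LAN {lans[a]} overlaps {lans[b]}")
    return problems


# Constructed sample plans. WAN host addresses are illustrative values.
ROUTED = {  # first post: private transit subnet between gateway and UTM
    "server": {"wan": "192.168.1.2", "lan": "192.168.2.0/255.255.255.0"},
    "remote": {"wan": "192.168.3.2", "lan": "192.168.4.0/255.255.255.0"},
}
BRIDGED = {  # gateways bridged; RFC 5737 addresses stand in for static IPs
    "server": {"wan": "203.0.113.10", "lan": "192.168.2.0/255.255.255.0"},
    "remote": {"wan": "198.51.100.20", "lan": "192.168.4.0/255.255.255.0"},
}
CLASH = {  # both sites left on the same LAN range
    "server": {"wan": "203.0.113.10", "lan": "192.168.1.0/24"},
    "remote": {"wan": "198.51.100.20", "lan": "192.168.1.0/24"},
}

if __name__ == "__main__":
    for label, plan in (("routed", ROUTED), ("bridged", BRIDGED), ("clash", CLASH)):
        print(label, check_plan(plan) or "OK")
```
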
dgeesaman
join:2003-07-10
Lemoyne, PA

dgeesaman

Member

Thanks for the comments.

Regarding SMC8014 bridge mode, did you simply assign the SMC's static IP to the device internally, which is supposed to kick it into bridge mode, or did you have to call Comcast and cajole them into forcing it from their side?

I know I tried this once with a Checkpoint UTM1 and even when we thought we had it configured correctly, it did not in fact work. The issue was chalked up to be due to the Checkpoint IPSec implementation combined with the 8014 using a "virtual" bridge that did something to alter the data packets.

David

bdnhsv
join:2012-01-20
Huntsville, AL

bdnhsv

Member

If you have paid for a static IP then Comcast/Verizon should have provided you with information about your IP (address itself, subnet mask, default gateway and DNS servers to use). In the case where you have 1 IP it will usually be the next IP after the one on the WAN side of your ISP's modem/router, and your default g/w will be the IP address of the WAN side of the ISP modem/router. Double-check with them if you don't have this info handy. As for bridge mode - it's just a check box or two for them in their modem/router. You'll need to be ready to handle your own DHCP, routing etc. in your LAN (again, I have never used your equipment so I can't provide details of how to configure your UTMs).
bdnhsv

bdnhsv to dgeesaman

Member

to dgeesaman
One more quick note - I didn't directly answer your question about calling Comcast. Yes, call them and request they put their device in bridge mode. They'll do it. Just make sure you also have the info you need to configure your device.
dgeesaman
join:2003-07-10
Lemoyne, PA

dgeesaman

Member

OK, got it working. Thanks for the help. I wanted to be fairly sure this was my answer before I committed to breaking down the current setup at each site since they're an hour apart and I don't want to lose all weekend on this.

I set up each broadband gateway into bridge mode.

The FiOS ActionTec details are here:
»How-to: make ActionTec MI424-WR a network bridge
The LAN here is 192.168.2.x / 255.255.255.0

The Comcast SMC 8014 details are here:
»[Business] how to bridge a smc 8014 business class modem
The LAN here is 192.168.4.x / 255.255.255.0

For the record, the Netgear UTM5 and UTM10 connected flawlessly using an IPSec connection with the defaults. Obviously you'll need static IPs at each end.

So far so good.

bdnhsv
join:2012-01-20
Huntsville, AL

bdnhsv

Member

Glad to hear it's working for you.