Site to site VPN

djg85 · 1 May 2012 at 10:03

Hi Guys

First time poster but long time reader of forums. I'm wanting to connect my current home network to the network I've setup at my parents but am having a lot of bother in setting this up. I don't really know anything about VPN's etc and am unsure on the best way of doing this. There is a Server2008r2 machine at each location at present dealing with AD/DNS/DHCP. Current setup below:

Site A

Server1 (Esxi5): Running 2008 R2 (AD, DNS, DHCP).
NAS01: Running UnRAID (used primarily as media server and local storage of user files/backups).
Router: VM Superhub.
Broadband provider: Virgin Media (50Mb).
IP range: 192.168.0.xxx
Gateway: 192.168.0.1
Domain: home.local (local domain).

Site B

Server2 (Esxi5): Running 2008 R2 (AD, DNS, DHCP).
NAS02 (Esxi5): Running UnRAID (used for same purpose as NAS01)
Router: Sagemcom F@ST2504n (Running base Sky firmware)
Broadband Provider: Sky (approx 6Mb)
IP range: 192.168.1.xxx
Gateway: 192.168.1.1
Domain: home.local (local domain)

Both servers were originally set up on the same site and Server2 was set to replicate server1 for AD. Both servers were talking quite happily to each other on the same network before I moved server2 to its current location. Both servers have two NIC's installed (Promiscuous mode enabled on the NICS for the VM's)

I assume I need to setup some form of VPN tunneling however am unsure on the best way of doing this. I've seen a few posts about Logmein Hamachi however I believe the best way of setting this up would be as a mesh network. I tried following a guide for this (Link) which advised enabling IP routing on both machines and setting static routing between the two servers however I get errors when trying to do step 10 (setting the static routing). I can browse both servers shared folders using the Hamachi program but can't browse them using computer/explorer.

Is there an easy way to set this up or another tool/way of doing this? I don't mind using any of the built in stuff in 2008 but I assume the default VPN roles/features options wouldn't be any use to me as I don't have static WAN IP's for the internet side of things. I've also noticed the Sky firmware on the router is really poor with no static routing options (best it has is the usual DMZ option for a single IP and an option to setup a dyndns account). Can't remember what the VM hub has but I'm sure it's got a lot more options including static routing.

Can anyone offer any advice on the best (easiest) way of setting this up?

Skidilliplop · 1 May 2012 at 13:22

Install pfSense in a VM on each machine, configure an IPSec VPN between them.
Possibly configure static route on each router for the remote network pointing to the pfSense LAN interface as the next hop.
You may also need to turn on VPN passthrough if the router supports it, or manually forward ports 500 TCP and 4500 UDP to the pfSense WAN interface.

You could do it using Server 2008 but for a novice pfSense is easier.

Note the subnet at either end cannot overlap. If site A has 10.0.0.0 255.255.255.0 site B can have 10.0.1.0 255.255.255.0 etc. They must be different or things will get complicated once you introduce NAT

bremen1874 · 1 May 2012 at 13:45

Without a static IP at either end Hamachi is a sensible option. Setting up the static routing should be fairly simple, what syntax are you using, and what's the error you're receiving?

LizardKing · 1 May 2012 at 14:21

Check if your routers support DynDNS if so then set them up for that, no need for static ip's then

Skidilliplop · 1 May 2012 at 15:44

LizardKing said:
Check if your routers support DynDNS if so then set them up for that, no need for static ip's then

Router doesn't even need to support it, pfSense will be able handle DynDNS for you.

djg85 · 5 May 2012 at 16:33

Had a few other things to sort out over the last few days so never had much of a chance to come back to this. But need to get this all sorted as soon as possible now so it's got my full attention.

I'm not sure if I will be able to set this up using Hamachi or pfSense as I can't do any static routing on the Sky router. Not sure if a DMZ passthrough would work (I'm assuming it would) but I don't really want to open the server to the net in that way. I'd never heard of pfSense before and it looks very interesting however Himachi seems far easier to setup and seeing as I've already got it installed I think I'll try and get it working fully first. I'll no doubt tinker about with pfSense on a few VMs at some point soon!

Anyway here's where I'm at now...

Hamachi is installed on both servers. Both servers can ping each other using their Hamachi IP's but cant using local 192.168.x.x IP's. When I try and setup the routing in the command prompt on each server the routing table doesn't update but I can't see any error. There probably is one but the output I get makes me think I'm not even typing the command properly!

Here's what I'm entering:

On server1:

Code:

route –p add 192.168.1.0 mask 255.255.255.0 HAMACHI_IP_OF_SERVER2 /p

On server2:

Code:

route –p add 192.168.0.0 mask 255.255.255.0 HAMACHI_IP_OF_SERVER1 /p

Output when running command on server1:

Code:

C:\Users\Administrator>route -p add 192.168.1.0 mask 255.255.255.0 xxx.xxx.xxx.xxx /p

Manipulates network routing tables.

ROUTE [-f] [-p] [-4|-6] command [destination]
                  [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

  -f           Clears the routing tables of all gateway entries.  If this is
               used in conjunction with one of the commands, the tables are
               cleared prior to running the command.

  -p           When used with the ADD command, makes a route persistent across
               boots of the system. By default, routes are not preserved
               when the system is restarted. Ignored for all other commands,
               which always affect the appropriate persistent routes. This
               option is not supported in Windows 95.

  -4           Force using IPv4.

  -6           Force using IPv6.

  command      One of these:
                 PRINT     Prints  a route
                 ADD       Adds    a route
                 DELETE    Deletes a route
                 CHANGE    Modifies an existing route
  destination  Specifies the host.
  MASK         Specifies that the next parameter is the 'netmask' value.
  netmask      Specifies a subnet mask value for this route entry.
               If not specified, it defaults to 255.255.255.255.
  gateway      Specifies gateway.
  interface    the interface number for the specified route.
  METRIC       specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database
file NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only
matching destination routes are printed. The '*' matches any string,
and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Pattern match is only allowed in PRINT command.
Diagnostic Notes:
    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
             The route addition failed: The specified mask parameter is invalid.
 (Destination & Mask) != Destination.

Examples:

    > route PRINT
    > route PRINT -4
    > route PRINT -6
    > route PRINT 157*          .... Only prints those matching 157*

    > route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2
             destination^      ^mask      ^gateway     metric^    ^
                                                         Interface^
      If IF is not given, it tries to find the best interface for a given
      gateway.
    > route ADD 3ffe::/32 3ffe::1

    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

      CHANGE is used to modify gateway and/or metric only.

    > route DELETE 157.0.0.0
    > route DELETE 3ffe::/32

So what am I doing wrong :confused:

Thanks for the help so far guys.

bremen1874 · 5 May 2012 at 17:55

Loose the /p at the end. There's no output if the command succeeds. Check the results using ROUTE PRINT.

djg85 · 6 May 2012 at 11:04

Thanks for that bremen1874, lost the /p and same sort of results. lost the -p as well, no change. So had a good think about what could possibly be causing this and realised I wasn't running CMD as admin. Tried that and sure enough I got the "OK!" after running the command and both routing tables have a persistent route now

I can now ping and access both servers from each other using their local 192 IP's. I can also access the VM superhub from server2 but I can't access or ping the Sky router from server1. Tried turning on DMZ and pointing it to the server on each router but this made no difference (I think the Sky router is not retaining the DMZ entry for the server anyway). Also found out that there is an option for static routing on the VM router however this is greyed out and from what I've read on the VM forums it's not supported. So it looks like if I want to setup any sort of static routing then I'll need to put the superhub into modem mode and plug another router into that. Not something I was wanting to do but at least its possible.

My main issues now are at the Sky end as I believe I cant swap the router out as Sky don't allow this and there's no routing options on this box. I should surely be able to ping and access the Sky router from server1 as well at present? And even although I can access the VM hub from server2 I still can't access any other devices on that LAN (nas01 for example). I'm assuming that's because theres no static routing setup on the router?

Any ideas on how to proceed?

bremen1874 · 6 May 2012 at 13:07

You'll need to configure static routes on all the devices you want to have working across the VPN. Linux has very similar commands for adding routes.

djg85 · 10 May 2012 at 09:25

Surely if there is a DNS/DHCP server at each end that should allow me to browse both networks if I can see the server? I think I still need to setup static routing to send all VPN traffic to the server first. I'm just going to replace the Sky router with a Billion Bipac 7700N. It breaks the TOC with Sky but seems a lot of people are using their own routers for various reasons including the limitations of the supplied router. The Billion also allows static routing and has a whole load of other features to tinker with. Still trying to figure out the best router for the Virgin end of the line though.

To be honest I only need to access the two servers and two NAS's but I would like to be able to access these from any other device on the networks which is where the problem with adding devices with hamachi would come up. It's got a limitation of 5 devices for the free service and I want to keep things as simple as possible. I thought if I created a mesh between the two servers that would effectivly join both networks? Still don't know why I can ping the VM router from the server connected to the Sky one but I cant ping the Sky router from the server on the VM one :confused:

. Hopefully once I've got better routers in place it will work.