VPN noob - best way to set up LANs in site-to-site environment?
(OP)
I have never set up VPN connections before and I'm hoping that someone can help me figure out what I need to do on the LAN side of things.  I'll figure out the router configuration when the time comes.

Here's the deal:  I intend to have all of my remote offices connect to my main office via site-to-site connections.  Mobile users would connect via a client.  I would like for members of one network to have access to resources on one or more of the other networks via the VPN connection.

Assuming that I would run into problems if each office was using a similar addressing scheme (such as 192.168.1.x), I was thinking that I would need to set up unique addressing schemes like so:
192.168.1.x  Main office
192.168.2.x  Remote A
192.168.3.x  Remote B
192.168.4.x  Mobile users
etc.

Is this even the right thing to do?  Is there some other setup that makes more sense?

Also, for each device that wants to access resources on one of the other networks, its subnet mask should be 255.255.0.0, right?

RE: VPN noob - best way to set up LANs in site-to-site environment?

your addressing scheme is correct. as far as subnet mask, most will typically roll with a /24 (255.255.255.0) depending on client requirements.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

RE: VPN noob - best way to set up LANs in site-to-site environment?

(OP)
My understanding is that if a machine is set up like so:
IP address:  192.168.1.100
Subnet mask:  255.255.255.0
it will be limited to devices that are on its own network (192.168.1.x)

I want that machine to be able to access the other networks as well as its own.  I assumed that a subnet mask of 255.255.0.0 would allow me to access anything starting with 192.168.x.x.  Is this correct or is the ability to get from one network to the other (in a setup like mine) mostly due to how the device managing the VPN connections is configured?

RE: VPN noob - best way to set up LANs in site-to-site environment?

not necessarily. a /16 mask (255.255.0.0) will limit the use of the 192.168.x.x address range to a single site. if you were to address main office 192.168.1.0/16, Remote A 192.168.2.0/16, Remote B 192.168.3.0/16, and Mobile users 192.168.4.0/16 you would never be able to communicate properly. example:
1) a client in main office has an ip address of 192.168.1.110 with a SNM of 255.255.0.0 and a gateway of 192.168.1.1
2) a server in Remote A has an ip address of 192.168.2.120 with a SNM of 255.255.0.0 and a gateway of 192.168.2.1
3) if the client in main office wanted to access a web page on the server it would first issue a DNS request (assuming the entry isn't cached).
4) a DNS reply would contain the IP address of the server. the client will look at the ip address and calculate the subnet that it belongs to.
5) the client looks in its local routing table to determine where it needs to send the traffic. the client sees a routing entry for 192.168.0.0 255.255.0.0 out its ethernet interface (for example) so it assumes that the server is connected on the same broadcast domain/network segment as it is
6) the client then issues an ARP request to get the MAC address of the server. there will never be an ARP reply because the server is actually on a completely separate network segment.

now, let's take it how it is supposed to work:
1) the client has an ip address of 192.168.1.110 with a SNM of 255.255.255.0 and a gateway of 192.168.1.1
2) the server has an ip address of 192.168.2.120 with a SNM of 255.255.255.0 and a gateway of 192.168.2.1
3) the client wants to view a web page on the server so it issues a DNS request (assuming the entry isn't cached).
4) the client receives a DNS response with an IP address of 192.168.2.120
5) the client will look in its local routing table and see that it has an entry for 192.168.1.0 255.255.255.0, miscellaneous multicast entries and loopback entries, and finally a default route of 0.0.0.0 0.0.0.0 192.168.1.1. the client can't find a specific route to 192.168.2.0 255.255.255.0 so it will want to forward the traffic to its default gateway (192.168.1.1)
6) the client sends an ARP request for the MAC address of the default gateway (if not already cached). the gateway responds
7) the client sends packets to the gateway. the gateway strips off the layer 2 header and looks at the layer 3 destination ip address. the gateway does a routing table lookup to see if it has a route to 192.168.2.0 255.255.255.0. if it does it forwards it on. if it doesn't it will send an ICMP destination network unreachable message back to the client

does this help??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
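The two walkthroughs above come down to one decision a host makes before it sends anything: is the destination inside my own connected prefix (so I ARP for it directly), or not (so I hand the packet to my default gateway)? The following Python script is an added example, not code from the thread or from any Tek-Tips member; it simulates that decision with the standard `ipaddress` module for the /16 and /24 cases the reply describes, and also checks whether a site addressing plan like the OP's has any overlapping prefixes. The host and site values are constructed from the thread's examples; the host model (one connected route plus a default route, no other static routes) is an assumption.

```python
"""Simulate a host's on-link vs. gateway decision and check a site addressing plan.

Added example, not from the original thread. Assumes a minimal host routing
table: one connected prefix for the LAN interface plus a default route via the
gateway. Site and host values below are constructed from the thread's figures.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    ip: str        # e.g. "192.168.1.110"
    mask: str      # dotted subnet mask, e.g. "255.255.255.0"
    gateway: str   # default gateway, e.g. "192.168.1.1"

    @property
    def interface(self) -> ipaddress.IPv4Interface:
        # ipaddress accepts "address/dotted-mask" and derives the connected prefix.
        return ipaddress.ip_interface(f"{self.ip}/{self.mask}")


def next_hop(host: Host, dst: str) -> tuple[str, str]:
    """Return ("on-link", dst) if the host will ARP for dst directly, or
    ("gateway", gw) if it forwards the packet to its default gateway.

    This mirrors the routing-table lookup in the reply: a destination that
    matches the connected prefix is treated as being on the same segment;
    anything else falls through to the 0.0.0.0/0 route.
    """
    if ipaddress.ip_address(dst) in host.interface.network:
        return ("on-link", dst)
    return ("gateway", host.gateway)


def reachable_over_vpn(client: Host, server: Host) -> bool:
    """True when the client will actually hand traffic for the server to its
    gateway (the VPN router). False when the client believes the server is
    on-link: it ARPs, no reply ever comes, and the packet never leaves the LAN.
    """
    hop, _ = next_hop(client, server.ip)
    return hop == "gateway"


def overlapping_sites(plan: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of site names whose prefixes overlap.

    An empty list means each site owns a unique range, which is what the
    site-to-site routes on the VPN routers need in order to be unambiguous.
    """
    nets = {name: ipaddress.ip_network(prefix, strict=False) for name, prefix in plan.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


# Constructed values taken from the reply's two walkthroughs.
CLIENT_16 = Host("192.168.1.110", "255.255.0.0", "192.168.1.1")    # the broken case
SERVER_16 = Host("192.168.2.120", "255.255.0.0", "192.168.2.1")
CLIENT_24 = Host("192.168.1.110", "255.255.255.0", "192.168.1.1")  # how it should work
SERVER_24 = Host("192.168.2.120", "255.255.255.0", "192.168.2.1")

# Constructed plans: the OP's per-site /24 scheme, and the same sites with /16 masks.
PLAN_24 = {"Main": "192.168.1.0/24", "RemoteA": "192.168.2.0/24",
           "RemoteB": "192.168.3.0/24", "Mobile": "192.168.4.0/24"}
PLAN_16 = {"Main": "192.168.1.0/16", "RemoteA": "192.168.2.0/16",
           "RemoteB": "192.168.3.0/16", "Mobile": "192.168.4.0/16"}


if __name__ == "__main__":
    for label, client, server in (("/16", CLIENT_16, SERVER_16), ("/24", CLIENT_24, SERVER_24)):
        hop, target = next_hop(client, server.ip)
        print(f"{label}: client -> {server.ip}: {hop} via {target}; "
              f"reaches VPN router: {reachable_over_vpn(client, server)}")
    print("overlaps in /24 plan:", overlapping_sites(PLAN_24))
    print("overlaps in /16 plan:", overlapping_sites(PLAN_16))
```

Running it shows the /16 client deciding the remote server is on-link (the dead-end ARP in steps 5 and 6 of the first walkthrough), the /24 client forwarding to 192.168.1.1 as in the second, and the /16 plan collapsing all four sites into one overlapping 192.168.0.0/16 while the /24 plan has no overlaps.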

RE: VPN noob - best way to set up LANs in site-to-site environment?

(OP)
If I'm understanding everything correctly, that does appear to answer my question.

Thanks for the info.
