
Thread: 2 offices connected by tunnel VPN site-to-site and 1 domain - I need some help/info!

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    16

    Hi everybody, I need some info/help about the situation described above.
    I've got 2 offices with 2 xDSL lines each. Today I'm buying 2 ZyWALLs to create a WAN / VPN failover system between these offices.

    In the main office there's a Domain Controller (Win2003) and in the branch office there's a simple workgroup.
    After I create the VPN tunnel I would like to merge the computers in the workgroup into the domain.
    What do I have to do for that? Set both ZyWALLs with the IP of the Win2003 computer as primary DNS server?
    I know that I must have the two LANs on different subnets, but in this situation is it still possible to "see" all the computers in a single group in Windows Explorer?

    Thanks to anyone who can help me, and sorry for my mistakes, my English is not so good!

    Bye from sunny Italy

  2. #2
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,876
    You got it. Say the main office is 192.168.0.xxx with the server at 192.168.0.11...

    And your remote office is 192.168.1.xxx.

    Workstations at the remote office should have 192.168.0.11 as their primary DNS server. Put the ISP's 2 DNS servers as the second and third DNS...in case the tunnel breaks, they can still surf the net.

    To actually join the domain, if they haven't yet, you may have to do an extra trick...in TCP properties, Advanced button, DNS tab..down at the bottom enter the 2K3 domain's full DNS name..ex...acco.local..and put a check in "Use this connection's DNS suffix in DNS registration". Can remove once joined to the domain.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Thanks a lot! Very clear answer!
    If I encounter some problems I'll come back to ask for your help!

    Another thing: if I want my Win2003 server to act as DHCP server, I have to do the same thing on the remote router and put the IP of my server as DHCP relay, right?

    So the router is like a bridge between the 2 subnets?

    Thanks again.


    FABIO

  4. #4
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,876
    Better tunnel performance if NetBIOS passthrough is not enabled...but if you have 2K/XP clients..they'll do it all through DNS anyway.

    One thing though...VPN tunnels are slow...yes you can browse through Network Places and get to shares...however....well, what's your goal, or reason, for connecting the sites? What does the main office have that the satellite needs? Database? Common program?
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  5. #5
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    OK, here's my case: I've got all XP Pro and 2K. I know that having the remote computers all together in the Explorer window doesn't mean I can browse them like on a real LAN.
    My goal is to have all computers under the same domain and apply group policy to the remote users, who actually act as admins!! That's no good. So I want it just for authentication and to put all users in my offices under a strict user policy.

    Seeing the computers all in the same group in the Explorer window is because I like the idea! I always love doing it!!

  6. #6
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,876
    OK...just making sure you weren't trying to cram some program through the tunnel like QuickBooks or something. Those don't do well. You can get some database programs, such as something SQL driven, to run through a tunnel...one user or so..will be a little slower. If lots of users need to use a common program though, this is where Remote Desktop back to the main office through the tunnel comes in nicely.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  7. #7
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Yeah, the other use I could think of is Remote Desktop to fix minor problems in the remote office, because I'm there just once a week and I don't have so many public IPs for all the computers, and this way it's more secure!!

  8. #8
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Hi YeOldeStonecat, I'm here to ask you about some new problems. Some days ago I inserted the new ZyWALL 35 in my network in the main office. Now I'm trying the VPN features between this office and my home LAN.
    So I was able to create the tunnel with the ZyWALL in the office and the D-Link at home. Checking the logs, all seems to go well, but there are a couple of things that aren't right: first of all, if I try to ping the fixed IP of the ZyWALL in the office it works; ping works with the local IP of the LAN interface of the ZyWALL and the IPs of the computers on the office's LAN too. But if I try to ping from the office to home, the only IP that responds is the fixed one on the WAN interface of the D-Link, while the LAN interface and the other internal IPs don't answer... I tried to check the firewall settings on the D-Link, but the only thing needed by the VPN is a rule, just checked, and I don't know if I have to do something else in the firewall rules!
    The second problem is: at the office I've got a domain server (Win 2K3), but at home I've got only a workgroup. If, in Explorer, I use "\\ipaddress of the server\" (or another machine running in the office network) I can access the shared resources of that computer, but if I try to browse the local net, my computer (on the home network) finds only my workgroup! I have added the Win 2K3's IP as primary DNS and WINS server in the advanced settings but it still doesn't work.

    I hope you can help me again

    Thanks
    FABIO

  9. #9
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    up

  10. #10
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,876
    I'm not sure of the VPN tunnel issue....if I'm reading your setup correctly...you built a "router to router VPN tunnel"? You're not using a VPN client from home, correct?

    I've not built a router to router VPN tunnel mixing brands of routers. In the configuration of the tunnels, from the Zywall...you should have an area where you describe the remote network's IP range.

    As for your name resolution...in the DNS section of TCP properties, you want to enter your DC's full DNS suffix. However....try to focus on remaining IP based. Your server has a static IP..there's usually no need to worry about name resolution. You don't want to aim all your home LAN's DNS requests to your DC at the office....as you'll have slower local name resolution and internet surfing as all those DNS requests have to go through the sloooooow VPN tunnel.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  11. #11
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Yes, I created a router-to-router tunnel (I have prepared both routers to act as servers for remote VPN clients too) and it's connected correctly. The strange thing is that from site A (where the router is the ZyWALL) to site B (where the router is the D-Link) I can't ping anything, neither the LAN IP of the router nor the IPs of the internal computers, whereas from B to A I can ping and browse shared folders.
    Do you have any ideas on what could be the cause of this block? In the configuration of the D-Link there is only one setting for VPN rules and it's checked; I can't understand why I can't ping the internal IP of the router while I can on the WAN IP!...

  12. #12
    SG Enthusiast twwabw's Avatar
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    I'm confused. I thought you said both sites had Zywall routers? What's the D-Link?
    Observe everything...focus on nothing..

  13. #13
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Quote Originally Posted by twwabw
    I'm confused. I thought you said both sites had Zywall routers? What's the D-Link?
    Yes, it's true both sites have a ZyWALL 35 UTM, but the second one, which has to be installed in the branch office, will be operational next week.
    The D-Link is the firewall of my home network and I used it for my test with VPN and the ZyWALL!

  14. #14
    SG Enthusiast twwabw's Avatar
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    I'm sure you can't browse your home network, but you should be able to ping it. How is the tunnel set up between the Zywall and the D-Link? Which model D-Link so I can find some info on it?
    Observe everything...focus on nothing..

  15. #15
    Junior Member
    Join Date
    Aug 2006
    Posts
    16
    Quote Originally Posted by twwabw
    I'm sure you can't browse your home network, but you should be able to ping it. How is the tunnel set up between the Zywall and the D-Link? Which model D-Link so I can find some info on it?
    Why do you say you're sure I can't browse my home network? The D-Link is the DFL 700 (with the latest firmware).

    On the ZyWALL:

    - "Gateway Policy Information": the two fixed IPs for local and remote gateway;
    - "Authentication Key": I'm using PRE-SHARED KEY on both devices, obviously the same key on both;
      LOCAL ID TYPE and PEER ID TYPE are set to IP with the same values as the gateway policy;
    - "IKE Proposal": "Negotiation Mode" is set to "Main", "Encryption Algorithm" is set to "3DES", "Authentication Algorithm" is set to "SHA1", "SA Life Time" is set to 28800 seconds and "Key Group" is set to "DH1";
    - I have also checked the options for keeping the connections alive after they end their lifetime and for sending NetBIOS broadcast traffic through the IPSec tunnel;
    - "Local Network" is configured to act as a subnet (192.168.1.0/255.255.255.0) and I left "0" for the port range, which means "all ports";
    - "Remote Network" is configured as a subnet (192.168.0.0/255.255.255.0) and "0" for the port range;
    - "IPSec Proposal": "Encapsulation Mode" is set to "tunnel", "Active Protocol" is "ESP", "Encryption Algorithm" is "3DES", "Authentication Algorithm" is "SHA1", "SA Life Time" set to 28800 and "Perfect Forward Secrecy (PFS)" is set to NONE.
    - I have checked "Enable Replay Detection" too (it should drop all packets of timed-out sessions).

    I have replicated the same settings on the D-Link, otherwise the tunnel between the two routers doesn't get created!

    PS: I got an error in the logs of my ZyWALL, it says: "Packet without a NAT table entry blocked: ICMP(Communication Administratively Prohibited)". I understand what it means but don't know WHERE it appears and if it blocks my communications via VPN from the ZyWALL to the D-Link!...
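    An added checker (not from the thread or from either vendor) that takes the ZyWALL proposal posted above and an assumed D-Link side that mirrors it, as the poster says it does, and reports any phase 1/phase 2 mismatch or traffic-selector problem that would stop the tunnel from negotiating, plus the settings a reviewer would flag as weak before the branch office goes live. The field names and the D-Link values are assumptions for illustration.

    ```python
    import ipaddress

    # Constructed from the ZyWALL settings listed in post #15 of this thread.
    ZYWALL = {
        "phase1": {"mode": "Main", "enc": "3DES", "auth": "SHA1", "dh": "DH1", "life": 28800},
        "phase2": {"encap": "tunnel", "proto": "ESP", "enc": "3DES", "auth": "SHA1",
                   "life": 28800, "pfs": "NONE"},
        "local_net": "192.168.1.0/24",
        "remote_net": "192.168.0.0/24",
    }
    # Assumed D-Link side: the poster says the settings were replicated, so the
    # proposals match and the traffic selectors are the mirror image.
    DLINK = {
        "phase1": dict(ZYWALL["phase1"]),
        "phase2": dict(ZYWALL["phase2"]),
        "local_net": "192.168.0.0/24",
        "remote_net": "192.168.1.0/24",
    }

    def peer_mismatches(a, b):
        """Return proposal fields on which the two peers disagree, plus any
        traffic-selector problem. An empty list means the SAs should negotiate."""
        findings = []
        for phase in ("phase1", "phase2"):
            for key in sorted(set(a[phase]) | set(b[phase])):
                if a[phase].get(key) != b[phase].get(key):
                    findings.append(f"{phase}.{key}: {a[phase].get(key)!r} vs {b[phase].get(key)!r}")
        a_local = ipaddress.ip_network(a["local_net"])
        a_remote = ipaddress.ip_network(a["remote_net"])
        b_local = ipaddress.ip_network(b["local_net"])
        b_remote = ipaddress.ip_network(b["remote_net"])
        if a_local != b_remote or a_remote != b_local:
            findings.append("traffic selectors are not mirror images of each other")
        if a_local.overlaps(a_remote):
            findings.append("local and remote subnets overlap: hosts answer locally, not via the tunnel")
        return findings

    def weak_settings(cfg):
        """Flag crypto choices that should be upgraded before the link carries domain traffic."""
        weak = []
        if cfg["phase1"]["dh"] == "DH1":
            weak.append("phase1.dh=DH1 (768-bit MODP group 1)")
        for phase in ("phase1", "phase2"):
            if cfg[phase]["enc"] == "3DES":
                weak.append(f"{phase}.enc=3DES (64-bit block cipher, deprecated)")
        if cfg["phase2"]["pfs"] == "NONE":
            weak.append("phase2.pfs=NONE (no fresh DH exchange for the IPsec keys)")
        return weak
    ```

    Run it against the two dictionaries as posted and the mismatch list is empty, which is consistent with the tunnel coming up while ICMP is still blocked by a firewall rule rather than by the IPsec policy.
    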

  16. #16
    SG Enthusiast twwabw's Avatar
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    Let me poke around a little and get back.
    Observe everything...focus on nothing..

  17. #17
    SG Enthusiast twwabw's Avatar
    Join Date
    Nov 2000
    Location
    LeRoy, NY, USA
    Posts
    2,472
    Well, afraid I'm not much help to you. Downloaded and went through the D-Link manual, but that is one of the most vague and sketchy manuals I have ever seen. Wow. They pretty much just broad-brush all their terminology, no screen shots, etc. But it looks like you have to allow ping through the D-Link, which would also explain the ICMP alerts, since that's basically what ping is.
    Observe everything...focus on nothing..
