VPN, routing, site to site.. Getting started..

I’ve got to set up a routed site-to-site VPN. With NetWare I found it
easy; with SLES I’ll admit to being a bit confused. The SLES 11
Security documentation (Chap. 16) seems a bit lean. The OpenSUSE site
appears to be where I can download all the openvpn packages I’ll need
(just guessing here). The openvpn web site appears to be trying to be
all things to all people; got a bit lost.

I have a remote office (20 people on their own private network
(192.168.10.0/24)) NAT’d (SLES11 iptables script providing NAT and
firewall services) to the Internet (standard ISP issued IP4 address on
the Public side).

Main campus, static IP4 addresses on the public side, hundreds of
clients on different subnets NAT’d to a static public IP4 address
(SLES11 iptables script… ).

I want the remote office to appear as another subnet on the main campus

  • routed VPN.

Perhaps I’m making a mountain out of a mole hill but I’m having a
difficult time finding some good guidance here.

Would anyone help point me in the right direction?

Thanks.

Bob

On Wed, 09 May 2012 06:42:32 +0000, Bob wrote:
[color=blue]

I want the remote office to appear as another subnet on the main campus

routed VPN.

Perhaps I’m making a mountain out of a mole hill but I’m having a
difficult time finding some good guidance here.

Would anyone help point me in the right direction?[/color]

So basically you want to do a layer 3 VPN (two subnets routed)?

I just set something like this up (though using client/server and layer2,
but using openVPN) myself. OpenVPN can be a little confusing because
it’s so flexible.

While the configuration files would be different, a good primer is the
setup guide for openVPN on OpenWRT - it can be found at http://
wiki.openwrt.org/doc/howto/vpn.openvpn

It’s not geared towards SLES, but should give you a good idea of the
steps necessary to get this working. Note that doing this with SLE will
turn your server into a router, which may not be entirely desirable - you
may instead wish to implement the VPN solution at the router itself (I
thought about setting up my VPN using the server, but ultimately decided
my router was a better choice, esp. since it runs openwrt).

Jim


Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner

Hi Bob,

I’ve implemented these type of setups with IPSec (strongswan) and found that to be fairly easy… configure the tunnel, set up the routing, worked. OTOH, making it work nicely can be more problematic and needs a lot of thought: Do your remotes use their “local” internet access to get to targets not within the main campus net or is all traffic to be set to the campus first, i.e. to use a central firewall? How do you handle disconnects/reconnects? Any impact of the encapsulation (payload size shrinks accordingly and sometimes automatic MTU adjustments don’t work)? Do you want/need remote services/servers so your office can basically operate while the tunnel is down (ie DNS, web proxy, …)? What about security, can you “trust” the remote office machines and router like you trust your on-campus systems, or do you need to implement IP access restrictions/DMZ/…? And so on - but all that is after having set up the tunnel.

With regards,
Jens

The remote office will have less than ten users and they will be
trusted. In other words they’ll have direct unfiltered access to the
Internet. They’ll only use the VPN for accessing main campus services
(Email, database, storage, etc…). They’ll be using the main campus
DNS server (may replicate it to their location at a later date), will
have their own DHCP. Main campus is 10.0.0.0/8; remote office will be
192.168.59.0/24; tunnel will be using the 172 address space. I will
configure the remote office with its own Firewall. I expect the VPN to
be a static P2P setup. I have seven static public IP addresses
available for the remote office, one of which is the entrance, the other
six have nothing to do with the internal network or VPN (they are
“telephone numbers” used by Video Phones for the deaf). No remote
servers in the remote office, just people with their laptops. Like I
said earlier I may put a slave DNS server over there but will have to
think about that. If the tunnel went down then I’d want them using the
ISP’s DNS server, not the main campus’s. However, if the tunnel went
down I suspect their problems would be such that they couldn’t even get
to the Internet.

This appears to be fairly easy; a lot of good examples at openvpn.org.
If I’m able to pull this off, perhaps my notes might make a Cool
Solution article. Haven’t been able to find a nice neat article
covering SLES, init.d script to start/stop, and set up a P2P using
OpenVPN. Just generalities.

Certainly have not considered MTU adjustments. I’ll be happy it works
and I can take a vacation.

Bob

On 5/11/2012 8:24 AM, jmozdzen wrote:[color=blue]

Hi Bob,

I’ve implemented these type of setups with IPSec (strongswan) and found
that to be fairly easy… configure the tunnel, set up the routing,
worked. OTOH, making it work nicely can be more problematic and needs a
lot of thought: Do your remotes use their “local” internet access to get
to targets not within the main campus net or is all traffic to be set to
the campus first, i.e. to use a central firewall? How do you handle
disconnects/reconnects? Any impact of the encapsulation (payload size
shrinks accordingly and sometimes automatic MTU adjustments don’t work)?
Do you want/need remote services/servers so your office can basically
operate while the tunnel is down (ie DNS, web proxy, …)? What about
security, can you “trust” the remote office machines and router like you
trust your on-campus systems, or do you need to implement IP access
restrictions/DMZ/…? And so on - but all that is after having set up
the tunnel.

With regards,
Jens

[/color]