networking / vpn / ip conflict?

James W. Long

Hi All:

This is not the same question as I asked in my last post.

Larger networking problem. I'm in the design phase of connecting 135 offices to our corporate office.

Each office has 4 Win2k workgroup computers networked together. One of these is special. I'll call that special one a "remote office server" {even though it's not a server}, and I'll call the other three "remote office networked computers".

We want each remote office to establish a full-time VPN link with corporate. So that's 135 VPN links to corporate.

Ultimately we want to be able to get to the files and shares on the remote office server and the files and the shares on the remote office networked computers. But let's not go all the way there just yet.

I think this is a router-to-router configuration, where all the security and encryption is between the routers.

Everyone will get addresses by DHCP at corporate.
Everyone registers in WINS and DNS.

When the "remote office servers" VPN in to corporate, they appear on our local LAN.

And that's where the dilemma begins.

Our corporate LAN is a 10.0.0.x with a mask of 255.255.255.0, so that's 10.0.0.0/24 I think.

We don't have room in the corporate LAN for 135 more clients.

So I was thinking that I might want to go to a 10.0.0.0/16, or 10.0.x.x with a mask of 255.255.0.0.

This mask would go on all the servers and all the clients and our VPN/firewall at corporate to give us a {much} larger address space with which to accommodate the 135 new VPN clients (plus plus and then some, and that's okay).

The current IP config at each office is 4 computers with IPs of 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 (I did not set it up).

The remote office server is 10.0.0.1 and it VPNs in here to corporate and gets a DHCP address in our subnet just fine.

I already have clients and/or servers on 10.0.0.2 here at corporate.

There is no way I can ping a remote office computer at 10.0.0.2, is there? Didn't think so.

Second Question:

How can I set up the {entire} address scheme so that I can get to the remote office computers through the VPN tunnel established from the remote office server to corporate?

For instance, if I set office 52 up as
server 10.0.52.10
computer1 10.0.52.20
computer2 10.0.52.30
computer3 10.0.52.40
gateway: 10.0.52.1
mask 255.255.0.0

and corporate was
server 10.0.0.9
gateway 10.0.0.1
mask 255.255.0.0

If office 52 established a VPN tunnel in here, then I could remote desktop to office 52 and see office 52 in Network Places from corporate, see its shares on its server.

I don't think I can ping the remote office computer at 10.0.52.20 from corporate because the router won't go there.

But, having a remote desktop session to the office 52 server I am then on their network, I could then ping for instance remote office computer at 10.0.0.20 and it would then work, right? Or I get to its administrative shares? (Go to Run, type dir \\server1\c$)

Any advice is much appreciated!

Thank you in advance,
James W. Long

That mask would have to be everywhere, right?
 
Phillip Windell

James W. Long said:
everyone will get addresses by DHCP at corporate
everyone registers in WINS and DNS.

DHCP? That is a disaster waiting to happen. VPN links are very "fickle",
they go down more often than any other type of link except maybe phone
modem dialups.

You don't want to leave client machines with no way to get an address and
function if the VPN goes down before they start their machines. Either have
a DHCP at each location or make the remote locations static IP#s. Remote
sites need to be at least partially autonomous, they need to function at
least in some limited way even if they get cut off from everyone else.

James W. Long said:
When the "remote office servers" VPN in to corporate,
they appear on our local LAN.

And that's where the dilemma begins.

Our corporate LAN is a 10.0.0.x with a mask of 255.255.255.0
so that's 10.0.0.0/24 I think.

We don't have room in the corporate LAN for 135 more clients.

You have room for 65,024 clients (give or take a few). You cannot have the
remote locations running the same subnet with the VPN link. Every site must
be a different subnet. VPN devices are also "routing devices" and routing
devices require a layer 3 distinction between end points,...aka "subnets" or
"networks". With a 24 bit mask you have 254 hosts at each site.

All using 255.255.255.0 mask
Corp 10.0.0.x
Site1 10.0.1.x
Site2 10.0.2.x
Site3 10.0.3.x
Site4 10.0.4.x
Site5 10.0.5.x

And so on....

We run over 20 sites with VPN, with the Corp HQ in the logical "center" with
each site being a "spoke" of the wheel. All our sites are autonomous and
the world does not come to an end when the VPN goes down,....and it *will*
go down sooner or later. Design your system with the fact in mind that the
VPN will go down a *lot*,...I'm not saying it will really be that bad, but
pretend it will be when you work out your design.
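The point in the reply above, that every site must be a distinct subnet before any VPN device can route between them, can be checked mechanically. The following is an added example written for this thread, not code from either poster: it builds the per-site /24 plan (Corp 10.0.0.x, SiteN 10.0.N.x) from 10.0.0.0/16, reports every pair of overlapping subnets, and shows why the layout the offices have today (all four machines and corp on 10.0.0.0/24) cannot be routed. The `ORIGINAL` layout and the site/corp labels are constructed for the example.

```python
"""
Subnet-plan check for a hub-and-spoke VPN (added example, not from the thread).

Two checks the reply insists on:
  1. every site must be a distinct subnet (no overlap with corp or with each other),
  2. a 24-bit mask per site gives 254 hosts, and 10.0.0.0/16 holds 256 such /24s.
"""
import ipaddress


def capacity(base="10.0.0.0/16", site_prefix=24):
    """How many site subnets of `site_prefix` bits fit in `base` (256 for /24s in a /16)."""
    return sum(1 for _ in ipaddress.ip_network(base).subnets(new_prefix=site_prefix))


def plan_sites(num_sites, base="10.0.0.0/16"):
    """Corp gets the first /24 of `base`; site N gets 10.0.N.0/24 (N = 1..num_sites)."""
    blocks = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    if num_sites + 1 > len(blocks):  # +1 for the Corp LAN itself
        raise ValueError(f"{base} only holds {len(blocks)} /24 subnets, "
                         f"not enough for Corp plus {num_sites} sites")
    plan = {"Corp": blocks[0]}
    for n in range(1, num_sites + 1):
        plan[f"Site{n}"] = blocks[n]
    return plan


def find_overlaps(plan):
    """Every pair of names whose subnets overlap. An empty list means the plan is routable."""
    names = list(plan)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a].overlaps(plan[b]):
                conflicts.append((a, b))
    return conflicts


def usable_hosts(net):
    """Host addresses on a subnet, excluding the network and broadcast addresses."""
    return net.num_addresses - 2


# Constructed layout: how the offices are set up today, everyone on 10.0.0.x/24.
ORIGINAL = {
    "Corp": ipaddress.ip_network("10.0.0.0/24"),
    "Site1": ipaddress.ip_network("10.0.0.0/24"),
    "Site2": ipaddress.ip_network("10.0.0.0/24"),
}

if __name__ == "__main__":
    print("overlaps in current layout :", find_overlaps(ORIGINAL))
    proposed = plan_sites(135)
    print("overlaps in proposed layout:", find_overlaps(proposed))
    print("Site52 ->", proposed["Site52"], "usable hosts:", usable_hosts(proposed["Site52"]))
    print("/24 subnets available in 10.0.0.0/16:", capacity())
```

Running it prints three overlapping pairs for the current layout and none for the proposed one; the 135 sites use 10.0.1.0/24 through 10.0.135.0/24, leaving 120 spare /24s in the /16 before an 8-bit mask would have to be considered.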
 
James W. Long

Dear Phillip:

I should use separate subnets for each office:
these addresses are fixed static at each office like so:

Corp 10.0.0.x
Site1 10.0.1.x
Site2 10.0.2.x
Site3 10.0.3.x
Site4 10.0.4.x
Site5 10.0.5.x
all using 255.255.255.0 mask, like you said. (/24)

I need static routes at corp to get to
site1 and site2 etc., correct?
So it would be something like
route 10.0.1.x netmask 255.255.255.0 gateway 10.0.0.1
route 10.0.2.x netmask 255.255.255.0 gateway 10.0.0.1
route 10.0.3.x netmask 255.255.255.0 gateway 10.0.0.1
etc.,
and I could only reference those machines by
\\servername\sharename
or
\\ip\sharename
on the Run line

for instance
dir \\10.0.1.x\c$

does that all sound about right?

Thank you in advance
All advice welcome!

James W. Long

Phillip Windell

James W. Long said:
Corp 10.0.0.x
Site1 10.0.1.x
Site2 10.0.2.x

I need static routes at corp to get to
site1 and site2 etc correct?.
So it would be something like
route 10.0.1.x netmask 255.255.255.0 gateway 10.0.0.1
route 10.0.2.x netmask 255.255.255.0 gateway 10.0.0.1
route 10.0.3.x netmask 255.255.255.0 gateway 10.0.0.1

No. Picture a spoke-wheel with a hub. The Corp is at the Hub, each spoke is
a VPN link and the Sites are out at the end of the spoke (there's no outer
rim). From the Corp perspective all the sites are "directly connected"
(meaning just one jump away, no extra routers in between). "Directly
Connected Networks" do not require static routes. The VPN Router at Corp
already knows where all the other LANs are because they are connected
directly to it.

Static routes are only required for networks that are more than one "hop"
away from the starting point. This would be the case for a Site that wants
to contact another Site because it is one "hop" to Corp and then a second
"hop" to the target Site (= 2 hops). Now you don't need a static route to get
to Corp, but you do need one to get to another site on the other side of
Corp. However you do *not* need 134 static routes, you just create a single
static route by rolling back the mask to either 16 or 8 bits. I'd prefer 8
for broader coverage, but either will work.

route 10.0.0.0 netmask 255.0.0.0 10.0.0.1

Assign this same "route" within the VPN Router at each Site (not at Corp).
Even though the Site's own subnet is included in this route, it is smart
enough not to try to send its own subnet over the link,..SO,.. this tells it
that any destination that begins with 10.*.*.* (except its own) gets passed
to the VPN Router at Corp. It is up to Corp to know what to do with it after
that (which isn't a problem).

James W. Long said:
and I could only reference those machines by
\\servername\sharename
\\ip\sharename
for instance
dir \\10.0.1.x\c$
does that all sound about right?

Sounds fine.
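The two routing tables the reply describes can be modelled in a few lines, which makes it easy to see why Corp needs no static routes and why one summary route per site is enough. This is an added example for the thread, not code from either poster: a site router holds its own /24 as connected plus the single route 10.0.0.0/8 via Corp; the Corp router holds every site /24 as directly connected over its tunnel. The lookup is longest-prefix match, which is the mechanism that keeps a site's own subnet off the tunnel even though 10.0.0.0/8 covers it. Next-hop labels such as `Corp-VPN` and `vpn-site7` are constructed names for the example.

```python
"""
Hub-and-spoke route lookup (added example, not from the thread).

  * Corp's VPN router: Corp LAN plus every site /24, all "directly connected",
    so no static routes at all.
  * Site N's VPN router: its own /24 as connected, plus ONE summary route
    10.0.0.0/8 via Corp. Longest-prefix match prefers the /24, so local
    traffic stays local and every other 10.x.x.x destination crosses the tunnel.
"""
import ipaddress


def lookup(table, dst):
    """Longest-prefix match over a list of (network, next_hop). None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def site_table(site_no, hub="Corp-VPN"):
    """Routing table of the VPN router at site `site_no` (10.0.<site_no>.0/24)."""
    own = ipaddress.ip_network(f"10.0.{site_no}.0/24")
    return [
        (own, "connected"),
        (ipaddress.ip_network("10.0.0.0/8"), hub),  # the single summary route
    ]


def corp_table(num_sites):
    """Corp's table: its own LAN plus each site LAN, reachable over that site's tunnel."""
    table = [(ipaddress.ip_network("10.0.0.0/24"), "connected")]
    for n in range(1, num_sites + 1):
        table.append((ipaddress.ip_network(f"10.0.{n}.0/24"), f"vpn-site{n}"))
    return table


def trace(site_no, dst, num_sites=135):
    """Hop-by-hop decisions for a packet leaving site `site_no` toward `dst`."""
    path = []
    hop = lookup(site_table(site_no), dst)
    path.append((f"Site{site_no}", hop))
    if hop in ("connected", None):  # delivered locally, or no route at all
        return path
    path.append(("Corp", lookup(corp_table(num_sites), dst)))
    return path


if __name__ == "__main__":
    for dst in ("10.0.52.20", "10.0.0.9", "10.0.7.20", "192.168.1.1"):
        print(f"Site52 -> {dst}: {trace(52, dst)}")
```

Run it and the four traces show the three cases in the reply: 10.0.52.20 never leaves Site52, 10.0.0.9 goes over the tunnel and is connected at Corp, 10.0.7.20 takes two hops (Site52 to Corp, then Corp's tunnel to Site7), and a non-10.x address matches nothing in the site table. Note that `corp_table` contains only connected entries, which is exactly the "directly connected networks do not require static routes" point.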