Topic: Permanent VPN connection from Router

[kevinb]

Hello everyone,

I am posting this here because I believe I may need a contrib to do this.

I am new to this type of VPN. What I am trying to do is have a permanent VPN connection from a satellite school to the main school. The main school is running SME 7.2 (and everyone loves it). The satellite school has a D-Link DIR330 router connected to their own internet connection.

The router has a VPN client built in. I would like to have the router create a permanent VPN connection to the SME server. I would like to have the SME shared folders be mounted by the satellite school’s Windows XP clients. I would like to have the satellite schools internet traffic NOT go through the SME server. Clients on the satellite campus must be visible from the main campus and vice versa. If it is possible have the satellite clients join the main domain.

When I enter the setup on the router (http://support.dlink.com/Emulators/dir330/vpn_pptp.htm) I see an entry for: 
   Authentication Protocol :    PAP,  CHAP or  MSCHAP v2    # What should I pick here?
   MPPE Encryption Mode :     RC4:  None,  40 bit or  128 bit   # I believe 128


Will this work? Is there any issues I need to be aware of with this kind of setup? Does anyone have this type of setup already working?


Thank you for your help


Kevin

[mmccarn]

You'll have to:

a) configure both networks with different local network addresses, i.e. SME network -> 192.168.1.x; d-link network -> 192.168.2.x

b) enable PPTP VPNs on the SME

c) configure the d-link network (192.168.2.x) as a "local network" on your SME.  Tricky, as you have to specify the d-link VPN IP as a gateway IP here, and I think it may be tricky getting the d-link to always pick up the same IP address.

d) configure the d-link to use it's normal gateway for "0.0.0.0/0", but to use the SME VPN IP for traffic addressed to 192.168.1.x (this may be automatic, painful, or impossible - I've never worked w/ d-link's VPN client)

Once you've done all that, I'd try MSCHAP authentication, or MSCHAP v2 - since I have no trouble connecting from a windows client to a SME server.

Also, note that there are posts from time to time of folks having PPTP trouble with SME - I'd test your VPN from a Windows client before spending a long time working on the D-Link.

[kevinb]

Thanks mmccarn,

It is more challenging than I thought. The D-link DIR-330 only offers a IPSec client and no PPTP client (it does have a PPTP and IPSec server). From what I have read I need both IPSec boxes to have static IP's for IPSec tunnel to work (please jump in and correct me if I am wrong). Static IP is not an option for the D-link end. Dynamic DNS is.

My other option is to setup a SME box instead of the D-Link. But, again, from what I have read I would need a static IP.

Does OpenVPN require a static IP on both ends?


I would sure like to here anyones ideas about this.



Kevin

[mmccarn]

Sounds like a puzzler.

I've gotten IPSEC VPNs to work once - using Netgear routers, not SME.  It made my head hurt...

The SME IPSEC Howto (http://wiki.contribs.org/Ipsec) assumes that you're using fixed public IPs, so anything you do will involve learning enough about IPSEC to add a considerable section to that Howto...

Is there any chance you could replace the D-Link with something else?

[kevinb]

I could replace the D-Link as long as it did not run into the hundreds of dollars.

Are there any recommendations?

A router with a PPTP client sounds like the hot ticket but I have not found any of those.


We currently use PPTP with Windows XP clients with out issue with the SME server at the main site. What ever we do with OpenVPN or IPSec should not break this.

At this point I am hoping that OpenVPN will do the job with a dynamic IP (with Dynamic DNS too?) on one end but I have not been able to find any information on this yet.


Thanks

Kevin

[russellb]

OpenVPN certainly works with dynamic DNS (at least it does on my IPCop boxes with static IP at one end and dynamic at the other and a DynDNS.org account).

SME has built in support for DynDNS.org, see

http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Appendix#Dynamic_DNS_Services,

so there appears to be no reason this wouldn't work SME->SME. If the remote SME is just providing internet access and VPN services you should be able to utilise a fairly low powered/cost box.

HTH
Russell

[kruhm]

Knuddi uses Smoothwall: http://forums.contribs.org/index.php?topic=39201.0

If he does it, I would give it a thought.

[kevinb]

It looks like Smoothwall needs a static IP on both ends too.

SmoothWall Express enables you to create Pre-Shared Key, IPSec VPN connections to other
SmoothWall Express systems or IPSec-compliant hosts which have static IP addresses.

I think I will be having to figure out how to get OpenVPN to work.


Kevin

[kruhm]

I didn't realize you have dynamic ip's.

"I would like to have the SME shared folders be mounted by the satellite school’s Windows XP clients."
Without some type of higher-end connection (T1 or above), most likely what you are trying to accomplish isn't going to work as aspected. You're not going to be able to transfer that much data over a low-end connection.

[danfulton]

I've just seen this topic, I needed to get a similar setup to work, to control a door access system, low traffic so ADSL links were fine.

Have a look at

http://bugs.contribs.org/show_bug.cgi?id=1230

reply 6, this enables you to set a static IP to a VPN user, very handy!