Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: jankowskid on March 13, 2009, 10:23:39 PM

Title: Multiple Site SME installs & remote office VPN solution (OpenVPN, IPSec?)
Post by: jankowskid on March 13, 2009, 10:23:39 PM
It has been a while since I posted, and this little problem of mine is making me a bit crazy.  Some background...

I currently have 4 sites each with a 3rd party firewall (smoothwall) as the default gateway per location.  3 of the sites have SME servers behind those firewalls.  The fourth site is just a remote location that serves up nothing but needs access to the other three simultaneously.  Each smoothwall installation has an IPsec tunnel to the other three, so no matter which location you are at, you can get to any of the others.  It is working great, but I want to trim down on the hardware/electricity use.

                        (site 4)
                      workstations
                           |
                           |
                       smoothwall
                           |
     (site 2)              |              (site 3)
SME2 --- smoothwall --- INTERNET --- smoothwall --- SME3
                           |
                           |
                       smoothwall
                           |
                           |
                          SME1
                        (site 1)


What I want to do is dump the use of the smoothwalls in front of the SME servers and move to a VPN install on the SME boxes themselves (they will all be in server-gateway mode).  I want to use the main location (call it site1 from here on out) as a central connection point for them. 

                        (site 4)
                      workstations
                           |
                           |
                       smoothwall
                           |
     (site 2)              |              (site 3)
SME2 ------------------ INTERNET ------------------ SME3
                           |
                           |
                           |
                          SME1
                        (site 1)   


That said, I decided to try the hard part first and have been experimenting with different IPsec, OpenSwan, and OpenVPN configurations, trying to make the one site (site 4) with no SME Server in it connect via smoothwall using these various VPN technologies (all of which it supports in one way or another). 

I was extremely close using smoothwall's built in IPSec implementation and Openswan on the SME server (as well as with the IPSec kernel modules and Racoon on SME), but I was having issues with NAT on the SME side, and was lost in the masq templates trying to find how to disable NAT for the connection.

Also, I followed the instructions to install OpenVPN on SME and configured it as the VPN server, installed the smoothwall OpenVPN (Zerina) offering and tried to configure that using the generated client keys from the SME Server instance of OpenVPN, but it would never connect. 

All the SME servers are 7.4.  I would really appreciate any help/advice/pointers that can be offered... Thanks.
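The OpenVPN attempt above is a net-to-net case (a whole remote LAN behind the Zerina client, not a single road warrior), and that needs more than the default server config the contrib generates. Below is an added example, not code from the thread, the SME OpenVPN contrib or Zerina, showing the server-side pieces such a tunnel needs once it is up: a kernel `route` for the remote LAN, a `client-config-dir` entry carrying the matching `iroute`, and a small check that the two agree. The tunnel network 10.8.0.0/24, the SME LAN 192.168.1.0/24, the remote LAN 192.168.4.0/24, the client CN "site4" and the key file names are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any contrib): minimal net-to-net
# OpenVPN server layout for an SME box in server-gateway mode.
# Assumptions: tunnel net 10.8.0.0/24, SME LAN 192.168.1.0/24, remote LAN
# 192.168.4.0/24, remote client certificate CN "site4", key files as named.

# Server config. `route` tells the kernel 192.168.4.0/24 lives behind tun0;
# `client-config-dir` lets a per-client file say which client owns that LAN;
# the pushed route lets the remote side reach the SME LAN.
server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.4.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
EOF
}

# Contents of ccd/site4 (file name must equal the client certificate CN).
# `iroute` is OpenVPN's own routing table: without it the kernel route above
# points at tun0 but OpenVPN does not know which client to hand packets to.
ccd_entry() {
    printf 'iroute 192.168.4.0 255.255.255.0\n'
}

# Consistency check: every iroute in a ccd file needs a matching `route`
# line in server.conf, otherwise traffic for that LAN never enters the tunnel.
# Usage: iroutes_have_routes SERVER_CONF CCD_FILE   (exit 0 when consistent)
iroutes_have_routes() {
    conf="$1"; ccd="$2"; status=0
    while read -r kw net mask; do
        [ "$kw" = "iroute" ] || continue
        grep -q "^route $net $mask" "$conf" \
            || { echo "missing in $conf: route $net $mask" >&2; status=1; }
    done < "$ccd"
    return $status
}

# Stand-alone use: write both files into a scratch directory and check them.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    server_conf > "$dir/server.conf"
    mkdir "$dir/ccd" && ccd_entry > "$dir/ccd/site4"
    iroutes_have_routes "$dir/server.conf" "$dir/ccd/site4" && echo "consistent: $dir"
fi
```

Run with `--demo` to generate and check the files; in practice the server.conf goes where the contrib keeps its OpenVPN configuration and `ccd/site4` beside it. The check is worth keeping around because the usual failure mode of a net-to-net setup is a tunnel that comes up fine while LAN-to-LAN packets vanish, and a `route` without its `iroute` (or the reverse) is the first thing to rule out.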
Title: Re: Multiple Site SME installs & remote office VPN solution (OpenVPN, IPSec?)
Post by: David Harper on March 14, 2009, 12:35:02 AM
Smoothwall is designed for exactly this kind of thing, while SME Server is ... well, not, although it can do it with some contribs and a lot of heartache.

IMHO, don't fix what isn't broken.
Title: Re: Multiple Site SME installs & remote office VPN solution (OpenVPN, IPSec?)
Post by: johnp on March 14, 2009, 01:37:10 AM
I did something similar with a Mitel SME Teleworker server. I had 2 remote sites with Netgear FVS114 Firewall VPN routers. I setup a tunnel between the remotes and a tunnel back to the main site's Teleworker Server (in server-gateway mode) from each. I think they use openswan on the Teleworker.

While I was strictly routing VOIP voice traffic, the concept is the same.

Title: Re: Multiple Site SME installs & remote office VPN solution (OpenVPN, IPSec?)
Post by: jankowskid on March 15, 2009, 12:58:29 AM
Thanks for your opinions on this.

> Smoothwall is designed for exactly this kind of thing, while SME Server is ... well, not, although it can do it with some contribs and a lot of heartache.
>
> IMHO, don't fix what isn't broken.

I do believe you are right, I think I might install vmware server on the sme boxes, run them in server only mode and throw a vm instance of smoothwall on there and get the same results. I 'think' that is what I am going to do, since I am not exactly looking for any additional heartache in my life. 

I will say that this aspect (easy and compatible VPNs) of SME, if ramped up, would be a fantastic asset to the distribution.

> I did something similar with a Mitel SME Teleworker server. I had 2 remote sites with Netgear FVS114 Firewall VPN routers. I setup a tunnel between the remotes and a tunnel back to the main site's Teleworker Server (in server-gateway mode) from each. I think they use openswan on the Teleworker.
>
> While I was strictly routing VOIP voice traffic, the concept is the same.

Yeah, I had seen a lot of people have success with some of the "nicer" routers out there connecting to a central location as you mention.  And they are usually using either Openswan or OpenVPN for that implementation.  I think my problem is that all my sites are net2net types of tunnels and routing and disposal of NAT for those subnets just becomes, well.. like David said....heartache.  And I don't mind saying that it is my fault, for not doin' some learnin' on iptables commands and such.  It is quite funny how one minute you might consider yourself a guru and then a problem later you are a noob...
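The NAT problem mentioned in the opening post and again here is the same one: in server-gateway mode every packet leaving the external interface is masqueraded, and a net-to-net IPsec tunnel only works if traffic for the remote LANs is exempted from that before the MASQUERADE rule matches. The following is an added example, not code from the thread or from SME's own masq templates, that prints the plain iptables equivalents and includes a check against the live rule listing. The external interface eth1, the local LAN 192.168.1.0/24 and the remote subnets are assumptions; on SME these rules belong in a custom masq template fragment, because rules added by hand are lost the next time the firewall is regenerated from the templates.

```shell
#!/bin/sh
# Added example (not SME's own template code): exempt net-to-net IPsec
# subnets from MASQUERADE and verify the rule order afterwards.
# Assumptions: external interface eth1, local LAN 192.168.1.0/24; remote
# subnets are passed as arguments. Commands are printed, not applied, so the
# output can be reviewed or pasted into a custom template fragment.

EXT_IF="${EXT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the iptables commands for each remote subnet. The nat ACCEPT rules
# are *inserted* (-I) at the top of POSTROUTING so they match before the
# catch-all MASQUERADE rule; the FORWARD rules let LAN-to-LAN traffic pass
# in both directions in case the FORWARD chain does not already allow it.
masq_bypass_rules() {
    for subnet in "$@"; do
        printf 'iptables -t nat -I POSTROUTING -o %s -d %s -j ACCEPT\n' "$EXT_IF" "$subnet"
    done
    for subnet in "$@"; do
        printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$LAN_NET" "$subnet"
        printf 'iptables -I FORWARD -s %s -d %s -j ACCEPT\n' "$subnet" "$LAN_NET"
    done
}

# Check a listing of the live nat table, as produced by
# `iptables -t nat -S POSTROUTING` and fed on stdin: exit 0 only if an
# ACCEPT for the given subnet appears *before* the first MASQUERADE rule.
# Rule order is what matters here; a correct rule placed after MASQUERADE
# never fires, which is the classic symptom of "the tunnel is up but
# replies come back from the public address".
bypass_precedes_masq() {
    awk -v net="$1" '
        /-j MASQUERADE/ { seen_masq = 1 }
        /-j ACCEPT/ && index($0, "-d " net) > 0 && !seen_masq { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone use: print rules for two remote sites, then verify the live
# table if iptables is available on this host.
if [ "${1:-}" = "--demo" ]; then
    masq_bypass_rules 192.168.2.0/24 192.168.3.0/24
    if command -v iptables >/dev/null 2>&1; then
        for net in 192.168.2.0/24 192.168.3.0/24; do
            if iptables -t nat -S POSTROUTING | bypass_precedes_masq "$net"; then
                echo "ok: $net is exempt from NAT"
            else
                echo "WARNING: $net will be masqueraded" >&2
            fi
        done
    fi
fi
```

The check is deliberately separate from the rule generator: after SME regenerates its firewall, running the verification against `iptables -t nat -S POSTROUTING` tells you in one line whether the exemption survived and whether it still sits ahead of the MASQUERADE rule.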