Hello!

I've bought two routers with built in VPN. The idea is to be able to securly reach one LAN from another LAN .

So, if I do this (as an example):
192.168.1.xxx -LAN- (192.168.1.1)VPNFW(1.2.3.4) - I-N-T-E-R-N-E-T - (1.2.3.5)VPNFW(192.168.2.1) -LAN- 192.168.2.xxx
(Two VPN firewalls talking to each other over internet)
...all is fine. Works like a charm.

But now I have run in to a situation where I need to do this (as an example):
192.168.1.xxx -LAN- (192.168.1.1)VPNFW(10.1.2.99) -LAN- (10.1.2.1)FW(1.2.3.4) - I-N-T-E-R-N-E-T - (1.2.3.5)VPNFW(192.168.2.1) -LAN- 192.168.2.xxx
(Two VPN firewalls talking to each other over internet but one is behind another firewall)

1) How do I do this? (Supposing I can get a static IP for "my" VPN FW)
2) What if "my" VPN FW gets dynamic IP from the firewall it is behind?

Ideas of my own.
I) Try to put my firewall on the other firewalls DMZ. This however might not be possible.
II) Let VPN traffic through the other firewall, making a (routing??)-rule that says... Well what?
III) ... ... Don't know...

Any ideas?

Regards
/Jens

Create a static route through the modem to the VPN server.

Find out which VPN protocol you're using for transport - L2TP, PPTP and their associated port.

Could you please describe, in general, what that would look like and how it would work? Does it matter that there's no modem, just a router-firewall connected to the internet?

I guess the routing should be somthing like:
All traffic that hits the first firewall and is of a certain protocol should be directed to the second firewall? Or are we talking some kind of port forwarding here? (Or are they the same?)

/Jens

This post has been edited by jens: 13 Aug, 2008 - 03:45 AM

This is really confusing...
One example (see attachment): What will the be? The actual internet IP address of the first NAT firewall or the IP address of the second firewall (the one with VPN that I'm trying to reach) that it has on the LAN?


/Jens

I'm not sure if I managed to describe my problem. So I made a little drawing (see attachement).

So, what I actually want to do is to remote control PC B from PC A with somthing like PC Anywhere. I have tried this without the "NAT FW X" and it works great. Along came the added complexity that I'll have to put "NAT FW VPN B" behind "NAT FW X" and that really gives me a lot of problems.

NAT FW VPN A (and B ) are Netgear FVS114 VPN firewall switches FVS114 product info
NAT FW X is some (yet unknown brand) firewall that does NAT.

How do I set this up? How shall I configure the NAT FW VPNs? From A's point of view; where is B? At 91.111.222.24 or at 10.1.1.2? What should I tell the NAT FW X in either case? Should I change the setup (if possible - I don't decide about NAT FW X) and put NAT FW VPN B on NAT FW X's DMZ?

/Jens

In the first attached screenshot. With the netgear.

Your WAN address is your Wide Area Network Address (Internet Address)

It should be a static IP address (assigned from your ISP) so that you don't have to reconfigure this everytime your modem restarts.

Your modem is a router and vice versa. In todays era the terms are interchangeable.

Thanks for the info about the modem/router thing.

I'm sorry but I don't understand the quote above. Is my WAN adress the internet address of NAT FW VPN A? The screenshot in the post is while configuring FW A's connection to B. What address should I tell the A VPN that B will be found at?

/Jens

Yes. You WAN is your Internet Address.

It's the address that shows up if you go to a website like:

whatismyip.com

VPN A should be configured for: 91.111.222.24

NAT FW X (as you've referred it) should be configured to forward all traffic on your protocol to: 10.1.1.2

VPN B should be configured to forward all traffic to: 192.168.20.2

This is becoming harder than I thought.

How about puttning VPN NAT FW B on the DMZ of NAT FW X?

Doesn't DMZ let anything through?

/Jens

Problem solved (I think, and hope).

What I eventually did:
Had my employer buy 3 cheap VPN firewalls and made a lab out of them.

PC - FW1(VPN) - FW2 - internet - FW3(VPN) - PC. I substituted internet with a cross over cable ( !) and used fixed IP addresses everywhere. Easy as pie... Just turned on the "Allow VPN passthrough" on FW2 and everything ran smoothly.

Since I'll have a different FW as FW2 IRL I also tried to get it working without "Allow VPN passthrough" and instead use port forwarding or putting the FW1 on FW2s DMZ - No luck.

This makes me wonder about a new (potential) problem or at least about somthing I don't understand:

How does FW2 know where to send the VPN connection since I don't tell? Are the VPN packages (the traffic) addressed so that the FW2 will send them to their destination? What if I have two VPN FWs behind FW2 but on different sub nets? ...but on the same sub net?

/Jens

Basically you set up a VPN connection like any other service.

The connection will only work one way.

From point A to point B. Both being connected to the internet.

Point A will need the internet address (WAN address) of point B.

If however you have point C behind the firewall of point B.

VPN router B will have to forward all information sent on a 'port' to VPN router C. Where it will be picked up and deciphered as if it was sent to it directly.

hello...

i have 3 differnt network in difftrent place i want join them frm remote destop,wht is the prossedure for joining this diffrent network...
which sofftwer i will use for tht,