Friday, January 28, 2011

How to securely join two networks together over the Internet?

Let's say there are two locations. Both locations have their own fast Internet connections.

How do you join these two networks together such that every computer can see every other computer?

Do you need a domain controller, or can you do this with workgroups?

EDIT

The obvious solution seems to be VPN, but can VPN be implemented on the routers only? Can the computers on the network be configuration free?

  • The standard solution is to use a VPN between two routers, and you adjust the routing so all LAN-to-LAN traffic crosses the VPN.

    Domains/Workgroups are really not related at all. A more relevant bit of information would be what type of routers both sites have, and if they can create L2TP, PPTP, or some other encrypted tunnel, or if they are running a standard OS like Linux where you can install software. There are many routers that already support VPN connections. Even some home-routers can do it if you install custom firmware. You can create a VPN between your servers, though getting the routing right may be a bit tricky.

    I really like OpenVPN as a solution if you have a system that will support it. Many other good VPN solutions exist.

    The obvious solution seems to be VPN, but can VPN be implemented on the routers only? Can the computers on the network be configuration free?

    This completely depends on what type of router you have. If your router is a computer running Linux then yes. If your router is an inexpensive broadband router, then maybe your current hardware can do this. If your current hardware can't do this, you can certainly buy routers that will.

    The clients really shouldn't need to know anything about the VPN.

    Pyrolistical : Is this a feature on the router, or do you need to run your own gateway?
    Michael Kohne : You can get routers that do this, or you can buy separate VPN appliances that do the job.
    squillman : Agree. Use a router or VPN appliance / IPSec gateway device. This is also called a site-site VPN.
    squillman : Er, that is a router that would support site-site VPN tunnels.
    From Zoredache
  • OpenBSD and IPSEC. Use an OpenBSD server at the respective ends of the link to act as an IPSEC gateway. It is very easy to setup.

    samt : IPSEC is great (and apparently easy to install in OpenBSD) if both ends are using public IPs. If your internal firewall (or router) gets NATed, then you're more likely to get a better solution using something like OpenVPN (which also works well in OpenBSD).
    From pdxpatzer
  • While the "open" suggestions are great, if you're asking this question, my guess is that you're unlikely to have success implementing them.

    Save yourself a lot of trouble and pick up two routers with VPN capabilities from a vendor like Linksys, Netgear, D-Link, or even Sonicwall. They are very easy to set up and will connect two networks together securely.

    Once that is done, whether the computers "see" each other, is very dependent on the network being run and how that traffic passes over the VPN. Windows Workgroups are broadcast based systems which may interfere with the "network neighborhood" showing all the systems. Use of "lmhosts" files can help with name resolution. This is typically what domains are used for along with trusts between domains if they are different. By having a central registration for computers (Active Directory and DNS), they are able to "find" each other without configuring name resolution on each machine.

    Pyrolistical : I hate workgroups, so I just use fixed ips and use that
  • When you set up a VPN connection, you probably want to have each location with its own subnet to limit the broadcast domain. Why clog your limited bandwidth connection with extraneous traffic?

    Your router/VPN devices should have routes to the other locations; just set up the local DNS servers to address the machines on the "other" side.

    From David Yu
  • VPN tunnels. I prefer hardware based VPN, this is at router level. There are many out there from very cheap to very expensive. On the cheap side there is Linksys, DLINK and on the other side you have Cisco, sonicwall and others.

    The expensive routers allow more configurations for routing and so on.

    Here is the catch... your VPN is only as efficient as the lines supporting the tunnels. For heaven's sake, please don't try to load group policy from a domain controller down to a client halfway around the world over a 512KB line.

    Also try to control your broadcast traffic across the network if both sites will have different subnets.

    Good Luck!

    From Saif Khan
  • The obvious solution seems to be VPN, but can VPN be implemented on the routers only?

    It depends what your routers are. A lot of low/mid range routers are able to act as a VPN server/client. If your routers are Unix boxes it shouldn't be too hard to configure OpenVPN on them.

    If your computers are running Windows, you may want to configure a WINS server on each site. Again, a Unix box could do the stuff using Samba.

    From Benoit
  • We have this exact scenario with 4 sites across the UK.

    Each site has a Draytek VPN device that costs a few hundred quid.

    They are all connected to one another by VPN and it works like a charm.

    pjc50 : +1 for Draytek - their stuff works very well. I don't know what protocol it is but the configuration is pretty painless.
    From Martin
  • This kind of configuration has been used for years.

    Establish VPNs between sites. Then enable a dynamic routing protocol to share network information between the sites.

    In my experience, the routers will have some kind of virtual Point-to-Point link between them, perhaps a GRE tunnel or L2TP. The dynamic routing protocols treat this link like any other interface.

    There are some vendor/implementation specific configuration issues with the VPN configuration - consult the documentation, the vendor's support organization, or describe what products you are using.

    One key point relating to network design - you need to treat all the sites as part of one large network. For example, you can't configure all the remote sites to have a 192.168.1.0 subnet. Rather, you might be able to get such a nightmare to work with NAT and with a very convoluted routing configuration, but it is so much easier to design all the sites as being part of one network space.

    From EricJLN
  • If the WAN-connecting routers on both sites support it, an IPSEC VPN sounds like the sensible option. Alternatively, a firewall or dedicated VPN-termination box (and possibly some static routing) should make it transparent to the individual computers that you're hauling the packets across a VPN.

    From Vatine
  • can VPN be implemented on the routers only? Can the computers on the network be configuration free?

    Yes. Assuming reasonable routers and a reasonable network layout. If your sites are all sharing the same IP range (i.e. they are all using 192.168.0.0/24 and therefore overlapping) then you'll have to do full NAT and things get messy.

    If you provisioned each site in its own subnet, then this is simple, and your only considerations are:

    • minimising traffic over the VPN
    • security of the VPN (i.e. use the right type of VPN)
    • integrating systems across the VPN (i.e. cross-subnet Windows network browsing)
    Antoine Benkemoun : +1 for full NAT : Things get REALLY messy.
    From tumbleweed
  • A VPN, as everybody else has mentioned is the way to go.

    I humbly suggest m0n0wall as being the quickest way to set up a dedicated point-to-point VPN.

    The most common issues with VPNs are incorrect subnets and gateways.

    From Matthew
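    Several answers above come down to the same planning check: Zoredache's routed VPN between two routers, Vatine's warning that overlapping site ranges force "full NAT", and Matthew's note that the most common VPN faults are incorrect subnets and gateways. The script below is an added example, not code from the thread or from any of the products named in it: it validates a two-site plan with Python's ipaddress module and emits the static routes each gateway needs plus the OpenVPN route/iroute/push lines for a routed (tun) site-to-site setup. Site names and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str       # label, also used as the OpenVPN client-config-dir file name
    lan: str        # the site's LAN in CIDR form, e.g. "192.168.1.0/24"
    tunnel_ip: str  # this gateway's address inside the VPN tunnel


def check_plan(sites):
    """Return the problems that would break a routed site-to-site VPN."""
    problems = []
    nets = {s.name: ipaddress.ip_network(s.lan) for s in sites}
    names = list(nets)
    # Overlapping LANs are the "full NAT, things get messy" case.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    # A tunnel address inside the site's own LAN conflicts with the LAN route.
    for s in sites:
        if ipaddress.ip_address(s.tunnel_ip) in nets[s.name]:
            problems.append(f"{s.name}: tunnel {s.tunnel_ip} is inside {s.lan}")
    return problems


def gateway_routes(sites, local):
    """Static routes for the gateway at `local`: each remote LAN via its peer."""
    return [f"ip route add {s.lan} via {s.tunnel_ip}"
            for s in sites if s.name != local.name]


def openvpn_server_directives(sites, server):
    """OpenVPN lines for the server at `server`: `route` installs the kernel
    route, `iroute` in ccd/<client> tells OpenVPN which client owns that LAN,
    and `push "route"` hands every client the server-side LAN."""
    lines = []
    for s in sites:
        if s.name == server.name:
            continue
        n = ipaddress.ip_network(s.lan)
        lines.append(f"route {n.network_address} {n.netmask}")
        lines.append(f"ccd/{s.name}: iroute {n.network_address} {n.netmask}")
    srv = ipaddress.ip_network(server.lan)
    lines.append(f'push "route {srv.network_address} {srv.netmask}"')
    return lines
```

The `ccd/<name>:` prefix marks a line that belongs in that client's client-config-dir file rather than in the main server configuration.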
  • How about a KIV-21? It is a stand-alone network encryptor. You put one on each network, and everything between the two networks is encrypted.

    • Easy to setup
    • Very secure
    • Very good training available

    However

    • Expensive
    • Purchase may be restricted

    http://gateway.viasat.com/_files/KIV_21_01.pdf

    From Chris Mc
  • There are lots of good VPN solutions out there, but sometimes you need something quick and dirty. You can set up a VPN using PPP over SSH. This solution has lots of drawbacks but the advantage is that it needs no special tools or programs, just standard ssh and ppp. It could probably work on Windows too with a little tweaking.

  • I've been using Untangle (a Linux distro from www.untangle.com) which has OpenVPN as a built-in option. It also has many other great features. You would set up an Untangle box on each end and build a tunnel between the two.

    From Corey
  • Can I connect those 2 networks so that all the PCs on each network can ping the other PCs, while I am connecting them with a VPN by Hamachi on 2 PCs, as I don't have access to the routers?

    From Amr
