VPN Configuration using IPSec

travisco_nabisco

Regular Contributor
I am currently working on a project at work that involves placing a cellular modem and router on a train with the requirement that someone on a corporate network be able to connect to the train using an IPSec VPN connection.

The device we have on the train will be configured to accept VPN connections from the WAN IP of the corporate network.

Our current setup, which doesn't quite meet all the requirements, is that the device associated with the WAN IP of the corporate network, a VPN router, is responsible for opening and closing the VPN connection. This puts in a limitation that only a single user can connect to a single train at a time.

I need to come up with a configuration where more than one VPN can be used at a time, i.e. there will be one user connected to one train, and at the same time another user connected to another train. Each train has identical static IP assignments.

Is there a way to have the on-train VPN router accept a connection that initiates directly from a computer on the corporate network?

Here is a general diagram of what I am trying to create.
[Attachment: vpn diagram.png]
> Our current setup, which doesn't quite meet all the requirements, is that the device associated with the WAN IP of the corporate network, a VPN router, is responsible for opening and closing the VPN connection. This puts in a limitation that only a single user can connect to a single train at a time.

Having a router that only supports a single VPN tunnel is a fairly significant limitation for your scenario. Spend a little money, get a Cisco ASA 5510 or equivalent. Configure a tunnel for each train. On each train, the remote network should be the corporate network, or whatever IP they NAT to.

Ensuring the cellular modem retains the same public IP could be a problem; I would discuss options with your provider.
 
Thanks for the reply.

The issue isn't that the VPN router doesn't support more than one tunnel, it is that every train has the same set of IP addresses for the internal portion of the train's LAN. If I open a tunnel to more than one train there will be an IP conflict, unless I am missing something.

We are spec'ing that the cellular modem have a static IP.
 
> Thanks for the reply.
>
> The issue isn't that the VPN router doesn't support more than one tunnel, it is that every train has the same set of IP addresses for the internal portion of the train's LAN. If I open a tunnel to more than one train there will be an IP conflict, unless I am missing something.
>
> We are spec'ing that the cellular modem have a static IP.

That's fairly easy to work around--NAT the train network to the public IP, setting up port forwarding as necessary. If you have multiple devices on a train that use the same port, and redirection isn't an option, you can (from the corporate network) NAT the outside local IP, forward that packet through the VPN, and have the train network handle the translation to the device IP:port.
 
But you can't have the same subnet on the private side of the NAT, right?
 
> But you can't have the same subnet on the private side of the NAT, right?

Sure you can. Each train would propose its public IP as the secure network (public IP/32 instead of 192.168.0.0/24 or whatever).

Train A: Public 1.2.3.4 Private 192.168.0.0/24
Train B: Public 2.3.4.5 Private 192.168.0.0/24

On each train, the Foo server is NAT'd to public IP:port 80. A device on the corporate network would access Train A's Foo server via 1.2.3.4:80.
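As an added example (not code from this thread or any poster), the design described above modelled in Python: each train proposes only its public IP/32 as the protected network, internal hosts are reached through DNAT on that public IP, and the corporate gateway holds one tunnel per train whose selectors never overlap even though every train reuses 192.168.0.0/24. The corporate subnet, addresses and port forwards are constructed sample values.

```python
# Added example, not code from the thread: it models the design proposed above,
# where each train proposes only its public IP/32 as its protected network and
# reaches internal hosts through DNAT on that public IP, so the corporate gateway
# can hold one tunnel per train even though every train reuses 192.168.0.0/24.
# All addresses and port forwards are constructed sample values.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations

CORP_NET = ip_network("10.10.0.0/16")  # assumed corporate LAN behind the VPN router

@dataclass
class Train:
    name: str
    public_ip: str                # static IP on the cellular modem
    private_net: str              # identical on every train
    forwards: dict = field(default_factory=dict)  # public port -> (internal host, port)

    def selector(self, use_private: bool) -> IPv4Network:
        """Traffic selector the train proposes for the IPsec SA."""
        if use_private:
            return ip_network(self.private_net)  # the choice that produces conflicts
        return ip_network(f"{self.public_ip}/32")

def selectors_overlap(trains, use_private):
    """Pairs of trains whose proposed selectors collide on the corporate gateway."""
    return [(a.name, b.name) for a, b in combinations(trains, 2)
            if a.selector(use_private).overlaps(b.selector(use_private))]

def plan_is_valid(trains, corp_net):
    """True when the public/32 selectors are disjoint and none collides with corp_net."""
    return not selectors_overlap(trains, False) and not any(
        t.selector(False).overlaps(corp_net) for t in trains)

def resolve(trains, dst_ip, dst_port):
    """DNAT step on the train router: public IP:port -> (train, internal host, port)."""
    for t in trains:
        if ip_address(dst_ip) == ip_address(t.public_ip) and dst_port in t.forwards:
            host, port = t.forwards[dst_port]
            return t.name, host, port
    return None  # no tunnel or port forward for that destination

TRAINS = [
    Train("Train A", "1.2.3.4", "192.168.0.0/24",
          {80: ("192.168.0.10", 80), 8080: ("192.168.0.11", 80)}),
    Train("Train B", "2.3.4.5", "192.168.0.0/24", {80: ("192.168.0.10", 80)}),
]
```

With private subnets as selectors the two trains collide; with public /32 selectors they do not, and a corporate host reaching 1.2.3.4:80 lands on Train A's 192.168.0.10:80 after the train-side DNAT.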
 
Hmmm. Why have I had trouble in the past when setting up test VPNs with two routers with the same private IP?
 
I wouldn't be able to give a definitive answer without more information on the scenario.

If it's something like:
Routers A and B cabled together via their WAN ports
LANs use the same subnet

A laptop on Router A's LAN attempting to connect to a NAS on Router B's LAN would fail, as the laptop would incorrectly determine (based on the IP) that the NAS is on the same broadcast segment instead of forwarding the packet to the default gateway.

This scenario is different from the OP's problem since 1) although there is IP overlap, communication is corp>train rather than train<>train (so no two overlapping subnets communicate with each other), and 2) the destination IP would be the train's public IP instead of an IP on the train's internal subnet.