
    Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite

    IT Discussion
    edgerouter lite ubiquiti vpn remote access site-to-site
    • EddieJenningsE
      EddieJennings
      last edited by

      At long last the ASA's have been removed from my company. :grinning_face_with_smiling_eyes: The next challenge was getting VPNs configured on the Edge Routers. If you're wondering "why VPNs at all?", here are the use cases.

      Site-to-Site between the office and the colo:

      • Access colo servers via RDP for [insert tasks here] -- 2018 goal = see how such management can be done better
      • We have a custom application which requires connectivity to our production SQL server, which is accomplished over the site-to-site VPN -- will likely never change :frowning_face:

      Remote Access VPN

      • Allow external users access to file shares -- 2018 goal = pick a better way of doing this (NextCloud, Sharepoint through Office 365, etc.)
      • Access colo servers from home via RDP for [insert tasks here] -- same goal as above about management.

      Here's what I did to make stuff work. Perhaps this can be a guide for others, or, as there's probably a better way to do all of this, a "hey don't do it how Eddie did it, but do it [the right way]" guide. Note: Network addresses have been changed to protect the innocent.

      Office ERL

      • Configured an L2TP/IPsec remote access VPN using this guide. Rather than using local authentication, I'm using RADIUS (Network Policy Server). The address pool comes from the 192.168.1.0/24 network.
      • Using the GUI, I set up a site-to-site VPN with our colo. To allow traffic from the remote access VPN to travel over the site-to-site VPN I have two subnet pairs configured:
        -- Local subnet: 192.168.2.0/24 (office) with remote subnet 192.168.3.0/24 (colo's subnet)
        -- Local subnet: 192.168.1.0/24 (remote access VPN address pool) with remote subnet 192.168.3.0/24

      Colo ERL

      • Configured a site-to-site VPN with the office using the GUI. Above configurations are reversed.

      The next challenge was being able to access the colo's ERL from the office. To do this, I had to add a rule to the WAN_LOCAL ruleset on the colo's ERL to allow traffic to TCP 22 and 443 from 192.168.2.0/24. I had to do the same for 192.168.1.0/24.

      The final challenge hasn't been solved yet. When connected to the remote access VPN, I can access a file share using \\servername\sharename; however, I cannot access the file share using my DFS namespace \\domain.com\shares\sharename. I created our DFS namespace a few years ago when I deployed AD, during my dark ages of not truly knowing what I was doing, so the DFS + VPN issue should likely be another thread.

      DashrenderD JaredBuschJ 2 Replies Last reply Reply Quote 0
      • DashrenderD
        Dashrender @EddieJennings
        last edited by

        @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

        The final challenge hasn't been solved yet. When connected to the remote access VPN, I can access a file share using \\servername\sharename; however, I cannot access the file share using my DFS namespace \\domain.com\shares\sharename. I created our DFS namespace a few years ago when I deployed AD, during my dark ages of not truly knowing what I was doing, so the DFS + VPN issue should likely be another thread.

        Likely a DNS issue. How are your VPN users resolving \\servername today? Do you have hosts entries? Or are you pushing DNS entries along with the IP for the VPN connection?

        EddieJenningsE 1 Reply Last reply Reply Quote 1
        • EddieJenningsE
          EddieJennings @Dashrender
          last edited by

          @dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

          @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

          The final challenge hasn't been solved yet. When connected to the remote access VPN, I can access a file share using \\servername\sharename; however, I cannot access the file share using my DFS namespace \\domain.com\shares\sharename. I created our DFS namespace a few years ago when I deployed AD, during my dark ages of not truly knowing what I was doing, so the DFS + VPN issue should likely be another thread.

          Likely a DNS issue. How are your VPN users resolving \\servername today? Do you have hosts entries? Or are you pushing DNS entries along with the IP for the VPN connection?

          They're getting a DNS server along with the IP when they connect on the VPN. That DNS server is our domain controller. On the client computer, I've also configured a DNS suffix on the VPN's network adapter.

          wirestyle22W 1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender
            last edited by

            So what happens when you ping domain.com?

            EddieJenningsE 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22 @EddieJennings
              last edited by wirestyle22

              @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

              @dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

              @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

              The final challenge hasn't been solved yet. When connected to the remote access VPN, I can access a file share using \\servername\sharename; however, I cannot access the file share using my DFS namespace \\domain.com\shares\sharename. I created our DFS namespace a few years ago when I deployed AD, during my dark ages of not truly knowing what I was doing, so the DFS + VPN issue should likely be another thread.

              Likely a DNS issue. How are your VPN users resolving \\servername today? Do you have hosts entries? Or are you pushing DNS entries along with the IP for the VPN connection?

              They're getting a DNS server along with the IP when they connect on the VPN. That DNS server is our domain controller. On the client computer, I've also configured a DNS suffix on the VPN's network adapter.

              Could be offline files being enabled because of the slow VPN link. Windows 10?

              EddieJenningsE 1 Reply Last reply Reply Quote 0
              • EddieJenningsE
                EddieJennings @wirestyle22
                last edited by

                @wirestyle22 That makes sense, as it looks like this "resolves" \\domain.com\shares\pathToFolderRedirection, yet \\domain.com\shares\someOtherShare fails.

                wirestyle22W 1 Reply Last reply Reply Quote 0
                • wirestyle22W
                  wirestyle22 @EddieJennings
                  last edited by

                  @eddiejennings Control Panel > Sync Center > Manage Offline Files > Disable Offline Files

                  Test that just to see. You will need to reboot.

                  EddieJenningsE 1 Reply Last reply Reply Quote 1
                  • EddieJenningsE
                    EddieJennings @wirestyle22
                    last edited by

                    @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                    @eddiejennings Control Panel > Sync Center > Manage Offline Files > Disable Offline Files

                    Test that just to see. You will need to reboot.

                    That seemed to work. Enabling it again prevented me from accessing DFS shares.

                    1 Reply Last reply Reply Quote 0
                    • EddieJenningsE
                      EddieJennings @Dashrender
                      last edited by

                      @dashrender said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                      So what happens when you ping domain.com?

                      Couldn't find a host.

                      1 Reply Last reply Reply Quote 0
                      • JaredBuschJ
                        JaredBusch @EddieJennings
                        last edited by JaredBusch

                        @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                        The next challenge was being able to access the colo's ERL from the office. To do this, I had to add a rule to the WAN_LOCAL ruleset on the Colo's ERL, to allow traffic tp TCP 22 and 443 from 192.168.2.0/24. I had to do the same for 192.168.1.0/24.

                        Or you could just allow new from IPSEC packets.


                        jbusch@jared:~$ show configuration commands firewall | grep "rule 40"
                        set firewall name WAN_LOCAL rule 40 action accept
                        set firewall name WAN_LOCAL rule 40 description 'Allow IPSEC'
                        set firewall name WAN_LOCAL rule 40 ipsec match-ipsec
                        set firewall name WAN_LOCAL rule 40 log disable
                        set firewall name WAN_LOCAL rule 40 protocol all
                        set firewall name WAN_LOCAL rule 40 state established disable
                        set firewall name WAN_LOCAL rule 40 state invalid disable
                        set firewall name WAN_LOCAL rule 40 state new enable
                        set firewall name WAN_LOCAL rule 40 state related disable
                        
                        1 Reply Last reply Reply Quote 3
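The two EdgeOS pieces the thread turns on are the site-to-site subnet pairs from the first post (the second pair is what lets remote-access clients in 192.168.1.0/24 ride the tunnel to the colo) and the WAN_LOCAL ruleset, where the first post allows TCP 22/443 per source subnet and JaredBusch's rule 40 instead keys on `ipsec match-ipsec`. The following is an added example, not code from the thread or from Ubiquiti: a small Python model of both mechanisms, which also renders a rule in the `show configuration commands` form so the modelled rule 40 can be compared line by line with the output above. Rule numbers 50/51, the descriptions and every packet are constructed for illustration; the addresses are the thread's.

```python
"""Added model of the two EdgeOS pieces this thread touches: the IPsec
site-to-site subnet pairs (traffic selectors) and the WAN_LOCAL ruleset.
Addresses follow the thread; rule numbers 50/51, descriptions and every
packet below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class SubnetPair:
    local: IPv4Net
    remote: IPv4Net


# Office ERL, as described in the first post: office LAN and the remote-access
# pool are each paired with the colo subnet.
OFFICE_TUNNEL = (
    SubnetPair(IPv4Net("192.168.2.0/24"), IPv4Net("192.168.3.0/24")),
    SubnetPair(IPv4Net("192.168.1.0/24"), IPv4Net("192.168.3.0/24")),
)


def tunnel_carries(pairs: Iterable[SubnetPair], src: str, dst: str) -> bool:
    """True if some subnet pair covers src->dst; only such flows are
    encrypted into the tunnel, everything else is routed in the clear."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in p.local and d in p.remote for p in pairs)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                          # "accept" or "drop"
    description: str = ""
    protocol: str = "all"                # "all", "tcp" or "udp"
    source: Optional[IPv4Net] = None     # None = any source address
    dports: frozenset = frozenset()      # empty = any destination port
    match_ipsec: bool = False            # only packets decrypted from IPsec
    states: frozenset = frozenset({"new"})


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str
    dport: int
    state: str = "new"
    from_ipsec: bool = False             # router decrypted it from a tunnel


# First post's approach (rule numbers 50/51 assumed): explicit per-subnet
# allows for SSH and HTTPS to the router itself.
EXPLICIT_RULES = (
    Rule(50, "accept", "Mgmt from office", "tcp", IPv4Net("192.168.2.0/24"), frozenset({22, 443})),
    Rule(51, "accept", "Mgmt from VPN pool", "tcp", IPv4Net("192.168.1.0/24"), frozenset({22, 443})),
)
# JaredBusch's alternative: the rule 40 shown in his post.
IPSEC_RULE = (Rule(40, "accept", "Allow IPSEC", match_ipsec=True),)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured criterion must hold; unset criteria match anything."""
    if pkt.state not in rule.states:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.source is not None and ipaddress.IPv4Address(pkt.src) not in rule.source:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.match_ipsec and not pkt.from_ipsec:
        return False
    return True


def wan_local_verdict(rules: Iterable[Rule], pkt: Packet, default: str = "drop") -> str:
    """Rules are tried in numeric order and the first match wins, as in
    EdgeOS; a WAN_LOCAL ruleset normally has a default action of drop."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action
    return default


def render(rule: Rule, ruleset: str = "WAN_LOCAL") -> List[str]:
    """Emit the rule as 'show configuration commands' prints it (keys in
    alphabetical order, all four connection states listed explicitly)."""
    p = f"set firewall name {ruleset} rule {rule.number}"
    lines = [f"{p} action {rule.action}"]
    if rule.description:
        lines.append(f"{p} description '{rule.description}'")
    if rule.dports:
        lines.append(f"{p} destination port {','.join(str(d) for d in sorted(rule.dports))}")
    if rule.match_ipsec:
        lines.append(f"{p} ipsec match-ipsec")
    lines.append(f"{p} log disable")
    lines.append(f"{p} protocol {rule.protocol}")
    if rule.source is not None:
        lines.append(f"{p} source address {rule.source}")
    for st in ("established", "invalid", "new", "related"):
        lines.append(f"{p} state {st} {'enable' if st in rule.states else 'disable'}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(IPSEC_RULE[0])))
    client_to_colo = Packet("192.168.1.10", "tcp", 443, from_ipsec=True)
    for name, rules in (("explicit", EXPLICIT_RULES), ("match-ipsec", IPSEC_RULE)):
        print(name, wan_local_verdict(rules, client_to_colo))
```

Running `tunnel_carries` with only the first subnet pair shows why the pool pair is needed: a 192.168.1.x source bound for 192.168.3.x is then not selected for the tunnel at all, so no firewall rule on the far side ever sees it. The two rulesets differ in what they key on, not simply in strictness: the explicit rules hold for any new TCP 22/443 packet on WAN bearing one of the two source subnets, whether or not it came out of the tunnel, while `ipsec match-ipsec` requires that the packet was decrypted from an authenticated tunnel but, with `protocol all`, then admits every protocol and port from it. Either can be narrowed by combining the source, port and ipsec criteria in one rule.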
                        • wirestyle22W
                          wirestyle22
                          last edited by

                          @EddieJennings did you resolve your issue?

                          EddieJenningsE 1 Reply Last reply Reply Quote 0
                          • EddieJenningsE
                            EddieJennings @wirestyle22
                            last edited by

                            @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                            @EddieJennings did you resolve your issue?

                            Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                            wirestyle22W dbeatoD 2 Replies Last reply Reply Quote 1
                            • wirestyle22W
                              wirestyle22 @EddieJennings
                              last edited by

                              @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                              @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                              @EddieJennings did you resolve your issue?

                              Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                              Awesome

                              1 Reply Last reply Reply Quote 0
                              • dbeatoD
                                dbeato @EddieJennings
                                last edited by

                                @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                @EddieJennings did you resolve your issue?

                                Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                You don't use Offline Files though, right?

                                EddieJenningsE 1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender
                                  last edited by

                                  It seems odd that performance would be an issue here. When accessing files you want the most live, up-to-date files, so as long as you have access, you should be getting them from the server.

                                  What am I missing here?

                                  1 Reply Last reply Reply Quote 0
                                  • EddieJenningsE
                                    EddieJennings @dbeato
                                    last edited by

                                    @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                    @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                    @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                    @EddieJennings did you resolve your issue?

                                    Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                    You don't use Offline Files though, right?

                                    I do. For the internal office people, the main profile folders (Desktop, Documents, etc.) are redirected to network storage. When you have folder redirection, I believe Offline files are enabled by default.

                                    DashrenderD dbeatoD 2 Replies Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @EddieJennings
                                      last edited by

                                      @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                      @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                      @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                      @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                      @EddieJennings did you resolve your issue?

                                      Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                      You don't use Offline Files though, right?

                                      I do. For the internal office people, the main profile folders (Desktop, Documents, etc.) are redirected to network storage. When you have folder redirection, I believe Offline files are enabled by default.

                                      They are, but they don't have to be.

                                      1 Reply Last reply Reply Quote 0
                                      • dbeatoD
                                        dbeato @EddieJennings
                                        last edited by

                                        @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                        @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                        @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                        @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                        @EddieJennings did you resolve your issue?

                                        Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                        You don't use Offline Files though, right?

                                        I do. For the internal office people, the main profile folders (Desktop, Documents, etc.) are redirected to network storage. When you have folder redirection, I believe Offline files are enabled by default.

                                        Okay, but you don't have to have Offline Files enabled. Do you have users coming in and out with laptops from offices?

                                        EddieJenningsE 1 Reply Last reply Reply Quote 0
                                        • EddieJenningsE
                                          EddieJennings @dbeato
                                          last edited by

                                          @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                          @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                          @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                          @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                          @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                          @EddieJennings did you resolve your issue?

                                          Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                          You don't use Offline Files though, right?

                                          I do. For the internal office people, the main profile folders (Desktop, Documents, etc.) are redirected to network storage. When you have folder redirection, I believe Offline files are enabled by default.

                                          Okay, but you don't have to have Offline Files enabled. Do you have users coming in and out with laptops from offices?

                                          Yes, me. 😉
                                          The folks who have laptops and occasionally come into the office don't have folder redirection enabled. I'm the only person who would be affected by this; thus, I think my workaround will just be using UNC paths if I need to get to file shares when I'm at home and connected to the VPN.

                                          DashrenderD 1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender @EddieJennings
                                            last edited by

                                            @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @dbeato said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @eddiejennings said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @wirestyle22 said in Passing traffic between a remote access VPN and Site-to-site VPN on an Edge Router Lite:

                                            @EddieJennings did you resolve your issue?

                                            Most likely so. It appears that offline files is the clue I needed. I can do some more testing tomorrow.

                                            You don't use Offline Files though, right?

                                            I do. For the internal office people, the main profile folders (Desktop, Documents, etc.) are redirected to network storage. When you have folder redirection, I believe Offline files are enabled by default.

                                            Okay, but you don't have to have Offline Files enabled. Do you have users coming in and out with laptops from offices?

                                            Yes, me. 😉
                                            The folks who have laptops and occasionally come into the office don't have folder redirection enabled. I'm the only person who would be affected by this; thus, I think my workaround will just be using UNC paths if I need to get to file shares when I'm at home and connected to the VPN.

                                            Now you've lost me. I didn't really understand your earlier point either, about the two different UNCs you posted. Can you expand on that?

                                            EddieJenningsE 1 Reply Last reply Reply Quote 0