Ondrej Žilinec – IT Blog

When you need to connect two sites with same IP subnet, you need to create Site to Site VPN on Layer 2. It means you need to create non-routing VPN between sites. Let’s assume we have following setup:

We need to make sure, that computer 10.30.31.10 can access computer 10.30.31.20 and vice-versa.

We need to install two linux servers. I love Debian distribution. So I have installled two Debian servers on both sites. Both servers have two interfaces:

ens192 – first interface which is used to connect for SSH. It has IP address and it working interface

ens224 – second interface which is in LAN we want to connect. It acts as TAP interface – like cable put into LAN without IP settings. This interface is only up.

You will make SSH connection from one site to another – it means one server has to be accessible from other site. I published TPC/22 (SSH) port from SITE B on Internet. So I could connect from Debian server from SITE A to SSH on Debian server in SITE B. You need to install following packages on Debian:

uml-utilities
bridge-utils
net-tools

Run following commands on both linux servers:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

and make those settings pernament running command:

sysctl -p

On server which will do SSH server you need to change in SSH config file /etc/ssh/sshd_config following settings:

PermitRootLogin yes
PermitTunnel yes

Now are are ready to make SSH connection between linux servers. You have to run following command on “ssh client” server to make connection on “ssh server” server:

ssh -f -o Tunnel=ethernet -o TunnelDevice=0:0 -w 0:0 root@IP_SSH_SERVER true

This command makes SSH connection between linux servers and it creates special interfaces on both linux servers. These interfaces are called tap0. Now we need to bridge interfaces to make VPN work. We have to run following commands on BOTH servers:

Create bridge interface:

brctl addbr br0

Add “cable” interface ens224 and VPN TAP interface into bridge:

brctl addif br0 tap0
brctl addif br0 ens224

And now put all those interfaces up:

ifconfig ens224 up
ifconfig tap0 up
ifconfig br0 up

Now all connection is set and Site to site VPN works as sharm. I never thought it was that easy to create such a connection.

If you have VMWare, settings needed:

If you have Hyper-V, settings needed:

Enjoy.

Thank all folks,

When I upgraded from ISA 2006 to TMG 2010 I found some special problem. There was HQ with TMG 2010 and one branch with ASA 5505. Between those two location there was Site to Site VPN tunnel created. Everything worked fine, beside one problem. Users in branch couldn’t access anything on TMG server. They couldn’t ping it or do anything with it. They couldn’t browse Internet, because TMG was also web proxy server for them.

Read more…

I wanted to solve one issue. This issue is described in article http://support.microsoft.com/kb/2722729. But there are two problems:

• There is no English version of KB
• Hotfix cannot be downloaded

I found that I’m not the only one with a same problem and here a question on Microsoft forum. Now we can wait for Microsoft engineers.

 

Minule som sa stertol s požiadavkou zákazníka o nejaký spôsob nastavenia L2TP pripojení pre málo zdatných užívateľov.ˇ

Read more…