Need help with Site to Site

DrUnleavened
Posts: 7
Joined: Thu Jan 10, 2019 1:07 pm

Need help with Site to Site

Post by DrUnleavened » Sat Jan 26, 2019 5:24 pm

Hello.

We are setting up a site to site VPN server. We have two different LANs at two different places. One of our networks, the "HQ", has a router with built-in DHCP, which can be disabled. Same on the other network. The HQ's DHCP server is configured to give out IP addresses on the subnet 192.168.1.0/24, while the remote location's is configured to have the subnet 192.168.0.0/24. Please note that so far this is all without the VPN bridge/server. The goal is to be able to access all the devices on one location from the other, on the same IP address as they are in the real location, without the need of installing the VPN client.

After adding the VPN bridge on the remote location and adding the VPN server in HQ, we have followed the documentation on creating a site to site VPN. Unfortunately, IP routing doesn't work for us, as the router in the HQ doesn't support IP forwarding, and we are stuck with that router. So we have opted for the second method, that is using the L2 Bridge; however, we are unsuccessful, and by that I mean that the site to site is not working. How is it not working? Well, if I type the IP address of a device on the remote network in the browser of a device in the HQ, it won't show the website running on the remote device.

So the current setup is the following:
- VPN server (in the HQ) has two virtual hubs: HQ and Remote.
- The VPN bridge (in the remote location) has also a virtual hub, which is cascade connecting to the Remote virtual hub on the VPN server.
- The virtual hub on the VPN bridge (in the remote location) has a local bridge set up to the physical network it's inside.
- The HQ virtual hub on the VPN server (in the HQ) has a local bridge set up to the HQ's physical network.
- On the VPN server, there is a Layer 3 Switch which has two different virtual interfaces set up in the following way:
IP address / Subnet Mask / Virtual Hub Name
192.168.0.254 / 255.255.255.0 / Remote
192.168.1.254 / 255.255.255.0 / HQ

What I suspect the issue is, is that instead of two virtual hubs on the server - one for the Remote, one for the HQ - we would only need one, and both the VPN bridge should be cascade connecting to it, and the local bridge to the HQ's network should be on it as well. Is this correct? We have set up the two virtual hubs on the server back when we tried the IP routing method, which we realized wouldn't work on our router.

Another question that pops up, is that if it would work on the one virtual hub, and the two networks would be connected there would be two DHCP servers running. One on the remote location, and one in the HQ - would they not conflict due to them assigning IPs to two different subnets, or would they conflict, in this case if I disable one of them, the other would be assigning IPs to all devices on both physical LANs on the same subnet. I have seen that there is a DHCP function on the VPN server under the SecureNAT section. Would I need to disable the DHCP servers on both routers and enable it on the VPN server in order to achieve having two different subnets for the two physical LANs?

Thank you.

centeredki69
Posts: 212
Joined: Wed Sep 18, 2013 1:49 pm

Re: Need help with Site to Site

Post by centeredki69 » Tue Jan 29, 2019 11:35 pm

Hello DR,
Would it be possible to alter one of the IP address ranges at one of the locations to match the other? Meaning they would both be on 192.168.0.0/24 or 192.168.1.0/24 at each location. If so, this is by far the easiest way to utilize the cascade/L2 bridge connection.
If not, you will need to set up static routes on the routers and utilize the Layer 3 switch in SE.

How many clients are at each location?
You could run DHCP servers at each location using the same subnet but setting the servers to issue different ranges at each location.

HQ = would issue 192.168.1.1 - 192.168.1.99
Remote = would issue 192.168.1.100 - 192.168.1.254

Both locations could then communicate without overlapping (duplicate IP address conflicts), as the DHCP packets can be filtered in a few different places in SE, preventing DHCP packets from going through the cascade connection.

I have used this setup for over 5 years with success.
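A sanity check for the split-range plan described in the reply above, as an added example that is not part of the original posts: it verifies that each site's DHCP pool stays inside the shared subnet, that pools do not overlap, and that no pool hands out a statically assigned address. The reserved addresses are assumptions (constructed sample values for static devices such as the routers); the subnet and ranges are the ones quoted in the reply.

```python
import ipaddress

def check_split_pools(subnet, pools, reserved=()):
    """Return a list of problems for DHCP pools sharing one bridged L2 subnet.

    pools: {site: (first_ip, last_ip)}; reserved: statically assigned addresses.
    """
    net = ipaddress.ip_network(subnet)
    problems, spans = [], []
    for site, (first, last) in pools.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"{site}: range start is above range end")
            continue
        if lo not in net or hi not in net:
            problems.append(f"{site}: range leaves {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{site}: range includes network or broadcast address")
        for addr in map(ipaddress.ip_address, reserved):
            if lo <= addr <= hi:
                problems.append(f"{site}: range hands out reserved address {addr}")
        spans.append((lo, hi, site))
    # Compare every pair so nested ranges are caught as well as adjacent ones.
    spans.sort()
    for i, (lo, hi, site) in enumerate(spans):
        for lo2, _hi2, site2 in spans[i + 1:]:
            if lo2 <= hi:
                problems.append(f"{site} and {site2}: ranges overlap at {lo2}")
    return problems

# Subnet and ranges as quoted in the reply.
SUBNET = "192.168.1.0/24"
POOLS = {
    "HQ": ("192.168.1.1", "192.168.1.99"),
    "Remote": ("192.168.1.100", "192.168.1.254"),
}
# Constructed sample: static addresses assumed to be held by devices
# on the bridged segment (not stated in the thread for the L2 setup).
RESERVED = ["192.168.1.1", "192.168.1.254"]

if __name__ == "__main__":
    for line in check_split_pools(SUBNET, POOLS, RESERVED) or ["no problems found"]:
        print(line)
```

The two ranges together cover every host address in the /24, so any statically addressed device has to be carved out of one of the pools before both DHCP servers go live on the bridged segment.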

DrUnleavened
Posts: 7
Joined: Thu Jan 10, 2019 1:07 pm

Re: Need help with Site to Site

Post by DrUnleavened » Fri Feb 08, 2019 7:35 pm

Hello, thanks for the reply. It isn't a nice solution, but I guess this is our only choice then, because our router (at least one of the two) doesn't support IP routing. Is there any chance I could use the DHCP server in the SecureNAT in the SoftEther VPN server if I disable the router's DHCP to achieve two different subnets?

thisjun
Posts: 2454
Joined: Mon Feb 24, 2014 11:03 am

Re: Need help with Site to Site

Post by thisjun » Thu Mar 28, 2019 7:33 am

First, the L2 setup and the L3 setup are different. Are you talking about L2 or L3?

L2 setup:
- You don't need to configure routing.
  This setup method is explained by centeredki69.

L3 setup:
- You don't need to change the IP range of HQ or remote site.
- You have to choose a routing method. (There are a few options.)
  Please choose the routing method from below.
  - Using push route routing
    Some hosts don't support the DHCP option.
  - Using router routing
    You wrote that your router doesn't support editing the route table. Right?
  - Using virtual L3 switch as a default gateway
    You have to configure the DHCP and virtual L3 settings.
