Author Topic: DFL-1660 VPN site to site IPSEC involving NAT  (Read 5377 times)

Friberg

  • Level 1 Member
  • Posts: 2
DFL-1660 VPN site to site IPSEC involving NAT
« on: January 03, 2012, 01:18:45 AM »

Hello!

I currently have a lot of VPN tunnels using IPsec PSK. I have one 1660 as the central point in the network, and a lot of DSR1000N units, one per node, that are supposed to access the 1660 and its networks via VPN.

The problem we have is that each DSR1000N must have an external static IP address (we're using a DynDNS service right now). This is entered into the 1660 as the remote endpoint.

We need to be able to connect the DSR1000N to the VPN even if it's behind a NATed network, since the fallback solution is a 3G network card, and all the 3G SIMs here are behind NATed networks.

Is this possible?
Each DSR1000N has a local network behind it that needs to be routed by the DFL-1660 when they connect.


Does anyone know what to do?
If you need a log or config I can provide it, as long as you tell me where to look :)

Thank you!

/Friberg

danilovav

  • Level 4 Member
  • Posts: 424
  • Alexandr Danilov
Re: DFL-1660 VPN site to site IPSEC involving NAT
« Reply #1 on: January 03, 2012, 06:53:18 PM »

In case your NATs are static (you know the external IPs) it is possible: enable NAT-T, and on the DSR side use the external IP as the ID.
In case you don't know the IP... on the DFL side, the remote endpoint will be all-nets (dynamic IPsec). You can use something like an e-mail address as the ID, but that works for just one tunnel, and only if you don't have another dynamic IPsec tunnel.
I've heard (but never tested it yet) that to use multiple dynamic tunnels you need to use certificates for authentication.

The opposite solution for dynamic nodes can be OpenVPN; the DSR supports it.
It uses just TCP or UDP and has no problems with NAT.
You cannot terminate OVPN on the DFL, but you can use a software solution: it can run under Linux and Windows, and is also available on a lot of hardware platforms. Also, you can install a DSR behind the central DFL to terminate OVPN.

I use such a schema and it's working well. But I never used a DSR; all devices are DFL or Linux based (e.g. DD-WRT).
BR, Alexandr Danilov
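Added example, not from the thread and not D-Link code: a small Python model of the two mechanisms the reply above relies on. The first part computes RFC 3947 NAT-D payloads (the hash of the ISAKMP cookies plus the IP and port each side sees) so a responder can tell that a NAT rewrote the initiator's address, which is what makes IKE fall back to UDP/4500 and UDP-encapsulated ESP. The second part models hub-side tunnel selection and shows why a static remote endpoint keeps working behind a static NAT, why a single all-nets PSK tunnel works, and why a second all-nets PSK tunnel is ambiguous unless the peer ID can be used, as it can with certificates. Tunnel names, IDs, addresses and cookies are constructed; SHA-1 is assumed as the negotiated IKE hash; the "PSK must be chosen before the ID is visible" rule models IKEv1 main mode.

```python
"""Added example (not from the forum thread): RFC 3947 NAT-D detection and a
simplified hub-side tunnel selector. All values below are constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated hash algorithm."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + port.to_bytes(2, "big")).digest()


def nat_detected(cky_i: bytes, cky_r: bytes,
                 peer_claimed: Tuple[str, int],
                 observed: Tuple[str, int]) -> bool:
    """Responder-side check. `peer_claimed` is the (ip, port) the initiator
    hashed into the NAT-D it sent for its own address; `observed` is the
    (ip, port) on the UDP datagram the responder actually received.
    A mismatch means a NAT rewrote the packet in transit, so the peers
    switch to UDP/4500 and UDP-encapsulate ESP (NAT-T)."""
    sent = nat_d_hash(cky_i, cky_r, *peer_claimed)
    seen = nat_d_hash(cky_i, cky_r, *observed)
    return sent != seen


@dataclass
class Tunnel:
    name: str
    remote_endpoint: str       # a public IP, or "all-nets" for a dynamic peer
    auth: str                  # "psk" or "cert"
    remote_id: Optional[str]   # expected IKE ID (e-mail/FQDN); None = any


def select_tunnel(tunnels: List[Tunnel], src_ip: str, peer_id: str,
                  id_visible_before_auth: bool = False) -> Optional[Tunnel]:
    """Simplified model of how a hub picks a tunnel definition for an
    incoming IKE negotiation:
    - a static remote endpoint matches on the post-NAT source IP, which is
      why a spoke behind a *static* NAT can keep a fixed endpoint on the hub;
    - all-nets tunnels accept any source IP and must be told apart by ID;
    - in IKEv1 main mode with PSK the peer ID arrives encrypted under keys
      derived from the PSK, so the PSK must be chosen from the source IP
      alone; with several all-nets PSK tunnels that choice is ambiguous.
      Certificate authentication lets the ID do the matching instead.
    Returns the tunnel, or None when there is no unambiguous match."""
    for t in tunnels:
        if t.remote_endpoint == src_ip:
            return t
    candidates = []
    for t in tunnels:
        if t.remote_endpoint != "all-nets":
            continue
        if t.auth == "psk" and not id_visible_before_auth:
            candidates.append(t)   # ID cannot help; the IP is all we have
        elif t.remote_id is None or t.remote_id == peer_id:
            candidates.append(t)
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    # Constructed cookies and addresses: spoke on 10.0.0.5 behind a NAT that
    # presents it as 203.0.113.7:4500 to the hub.
    CI, CR = bytes(range(8)), bytes(range(8, 16))
    print("NAT in path:", nat_detected(CI, CR, ("10.0.0.5", 500),
                                       ("203.0.113.7", 4500)))
    hub = [Tunnel("site-a", "198.51.100.10", "psk", None),
           Tunnel("roaming-1", "all-nets", "psk", "node1@example.com"),
           Tunnel("roaming-2", "all-nets", "psk", "node2@example.com")]
    print("two all-nets PSK tunnels:",
          select_tunnel(hub, "203.0.113.7", "node2@example.com"))
    certs = [Tunnel("roam-c1", "all-nets", "cert", "node1.example.com"),
             Tunnel("roam-c2", "all-nets", "cert", "node2.example.com")]
    print("cert tunnels by ID:",
          select_tunnel(certs, "203.0.113.7", "node2.example.com").name)
```

The selector is a model, not the DFL's actual matching code: it exists to make the reply's constraint concrete (one all-nets PSK tunnel is fine, a second is ambiguous, certificates or an ID visible before authentication remove the ambiguity).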

chechito

  • Level 3 Member
  • Posts: 193
Re: DFL-1660 VPN site to site IPSEC involving NAT
« Reply #2 on: March 28, 2012, 10:12:35 PM »

Maybe an L2TP implementation can be a solution for that scenario.