Introduction
This post is a high-level overview of connecting multiple sites back to a central office, or to a hosted server in a data center, using IPSEC VPN.
Before starting, make sure you have an IPSEC VPN tunnel up to the office or data center and validate connectivity in both directions with pings. Please note that this post assumes you know how to create IPSEC VPNs and are fairly confident with network technologies.
Example Topology layout
For this post I am going to have a hosted server in a data center and have three routers connect to it via IPSEC, each relaying DHCP requests from its local subnet to the server.
Server address 85.123.123.10 / 255.255.255.192 (85.123.123.10/26)
Site A 192.168.0.0/26
network address 192.168.0.0
router IP 192.168.0.1
broadcast 192.168.0.63
range 192.168.0.2-192.168.0.62
subnet mask 255.255.255.192
Site B 192.168.0.65/26
network address 192.168.0.64
router IP 192.168.0.65
broadcast 192.168.0.127
range 192.168.0.66-192.168.0.126
subnet mask 255.255.255.192
Site C 192.168.0.129/26
network address 192.168.0.128
router IP 192.168.0.129
broadcast 192.168.0.191
range 192.168.0.130-192.168.0.190
subnet mask 255.255.255.192
Router Configuration
On each router, enter the DSL/cable settings and make sure you can reach the internet by pinging an IP address such as 8.8.8.8; if it is a private line that does not touch the internet, make sure you can ping something else on the network.
Make sure the IPSEC VPN is in place and that traffic is passing up to the server and the rest of the WAN.
Next, turn the router's own DHCP server off, turn on DHCP relaying and enter the server address (85.123.123.10 in our example). On the LAN tab make sure relaying is enabled and give the router its LAN IP from the topology above, i.e. for Site A it would be 192.168.0.1/26.
Do the above for all routers in the WAN and restart them all.
Server Configuration
In this example I am concentrating on CentOS 5.5 with dhcpd installed; the steps on Windows will differ but ultimately produce the same results.
Make sure dhcpd is installed: “yum install -y dhcp” (the CentOS 5 package that provides dhcpd is named dhcp).
Open up the dhcpd.conf file and edit it accordingly. In my example I have classes for some phones, Snoms and Polycoms, but you can use this as a template for your WAN if needed.

# Global configuration stuff
ddns-update-style interim;
ignore client-updates;
option tftp-server-name "85.123.123.10";
option domain-name-servers 85.123.123.10;
option ntp-servers 85.123.123.10;

# Phone classes, matched on the first three bytes (OUI) of the client MAC
class "Snom" {
    match if substring(hardware, 1, 3) = 00:04:13;
    option tftp-server-name "85.123.123.10";
    option bootfile-name "snom320.htm";
}
class "Polycom" {
    match if substring(hardware, 1, 3) = 00:04:20;
    option tftp-server-name "85.123.123.10";
}

# Data Center subnet 85.123.123.0/26 : DHCP relay server + TFTP = 85.123.123.10
subnet 85.123.123.0 netmask 255.255.255.192 {
    option subnet-mask 255.255.255.192;
    option broadcast-address 85.123.123.63;
}

# Site A
subnet 192.168.0.0 netmask 255.255.255.192 {
    option subnet-mask 255.255.255.192;
    option broadcast-address 192.168.0.63;
    option routers 192.168.0.1;
    range 192.168.0.2 192.168.0.62;
    default-lease-time 21600;
    max-lease-time 43200;
}

# Site B
subnet 192.168.0.64 netmask 255.255.255.192 {
    option subnet-mask 255.255.255.192;
    option broadcast-address 192.168.0.127;
    option routers 192.168.0.65;
    range 192.168.0.66 192.168.0.126;
    default-lease-time 21600;
    max-lease-time 43200;
}

# Site C (the subnet line takes the network address 192.168.0.128, not the router's 192.168.0.129)
subnet 192.168.0.128 netmask 255.255.255.192 {
    option subnet-mask 255.255.255.192;
    option broadcast-address 192.168.0.191;
    option routers 192.168.0.129;
    range 192.168.0.130 192.168.0.190;
    default-lease-time 21600;
    max-lease-time 43200;
}
Once you have a configuration you are happy with, save the file and restart dhcpd with “service dhcpd restart”; you should get “OK, OK” from the prompt. If you get “FAILED”, take a look at “nano /var/log/messages” and look for the lines that mention dhcpd.
Please note that some “options” need their value enclosed in quotes (""); otherwise you will see errors in the messages log.
If all is working you should be able to restart all routers, connect phones and laptops to them, get IP addresses and ping across the WAN.
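A subnet declaration whose network address has host bits set (for example 192.168.0.129 with a /26 mask) is rejected by dhcpd at startup, and a relayed request only gets a lease if the relay agent address (giaddr, the LAN IP you gave the router) falls inside a valid declared subnet. The following checker is added here as an example and is not part of the original post; it parses the subnet declarations from a constructed dhcpd.conf fragment, flags declarations dhcpd would reject or ranges and routers outside their subnet, and reports which scope a given router IP maps to.

```python
import re
import ipaddress

# Constructed sample in dhcpd.conf syntax; the Site C line repeats the
# mistake of using a host address (x.129) where the network address belongs.
SAMPLE_CONF = """
subnet 192.168.0.0 netmask 255.255.255.192 {
  option routers 192.168.0.1; range 192.168.0.2 192.168.0.62; }
subnet 192.168.0.64 netmask 255.255.255.192 {
  option routers 192.168.0.65; range 192.168.0.66 192.168.0.126; }
subnet 192.168.0.129 netmask 255.255.255.192 {
  option routers 192.168.0.129; range 192.168.0.130 192.168.0.190; }
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def check_conf(text):
    """List subnet declarations dhcpd would reject, plus ranges or routers
    that fall outside their subnet and would leave a site without leases."""
    problems = []
    for net, mask, body in SUBNET_RE.findall(text):
        try:
            network = ipaddress.IPv4Network(f"{net}/{mask}")  # strict: host bits set -> error
        except ValueError:
            problems.append(f"{net}/{mask}: bad subnet number/mask combination")
            continue
        for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+);", body):
            if not (ipaddress.IPv4Address(lo) in network and ipaddress.IPv4Address(hi) in network):
                problems.append(f"{network}: range {lo}-{hi} outside subnet")
        for gw in re.findall(r"option routers\s+(\S+);", body):
            if ipaddress.IPv4Address(gw) not in network:
                problems.append(f"{network}: router {gw} outside subnet")
    return problems


def scope_for_giaddr(text, giaddr):
    """Return the declared subnet a relayed request lands in: dhcpd picks the
    scope by the relay agent address (giaddr), i.e. the router's LAN IP."""
    ip = ipaddress.IPv4Address(giaddr)
    for net, mask, _ in SUBNET_RE.findall(text):
        try:
            network = ipaddress.IPv4Network(f"{net}/{mask}")
        except ValueError:
            continue  # an invalid declaration serves nobody
        if ip in network:
            return str(network)
    return None
```

Run check_conf over your real dhcpd.conf before restarting the service, and scope_for_giaddr with each router's LAN IP to confirm every site maps to a declared subnet.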
If you need any help setting something like this up please contact me.