We have employees using VPNs on Netgear routers to access the office. We also have VPNs set up so we can access some clients and our remotely hosted servers.
Where the system falls down is that our remote workers cannot access the client networks. I'm assuming I have to configure their local routers to use a static route through our office to get to them, but I can't work it out.
Is what I'm trying even possible? Or will the VPN end point reject the packets anyway?
Example:
Home (192.168.1.nn) ---> Work (192.168.2.nn) --> Remote Server (10.0.1.1)
There are hardware VPNs in place between Home and Work and between Work and Remote.
How can I configure a route so that access to Remote is possible from Home? Will I need to re-configure the VPN between Work and Remote, or will it Just Work?
Thanks.
The answer is, it depends. I presume it is easy to set up the Home -> Work VPN with routes describing all the Remote networks. The missing part is that all the Remote networks (or more specifically, their default routers) need to know that to get back to your Home network they need to use the Work -> Remote VPN.
That said, I wouldn't necessarily do that -- you may be opening up a hole that would permit Remote1 to poke around Remote2. Examine your ACLs carefully.
From the looks of things, you will need to make changes to both VPNs.
On the Home <--> Work VPN, you will need to make sure that all your remote networks are routable from your home worker VPN clients.
There are two options for this:
1. Send specific routes for all of your remote networks as part of the VPN client configuration. This could be quite configuration intensive if your client/remote server VPNs are spread across lots of different address blocks.
2. Configure your home worker VPN clients to use their tunnel interface as their default route. This is a lot simpler from a configuration management point of view, but it will force all traffic from the VPN clients through the office, including their browsing traffic, which may not be desirable.
Could you be a little more specific when you say your home users use hardware VPNs? Do you provide a VPN appliance that they plug into their home broadband, and then plug their laptops in behind the VPN end point? If that's the case, then the above probably won't be needed, as the home VPN client's default route will point back to the office.
On the Work <--> Remote Server|Client Site VPNs, you will need to advertise routes for all of your 'Home VPN' address ranges (from your example above, 192.168.1.0/24). How do you currently exchange routes with your clients and remote service sites?
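An added illustration, not part of either answer, of why both tunnels need changes: a small Python model of the three routing tables (prefixes taken from the question, everything else constructed) that forwards a packet site by site and then checks whether the reply has a route back. It covers both options from the second answer (specific routes versus a default route through the tunnel) and the missing return route at the Remote end that the first answer calls out.

```python
import ipaddress

# Constructed model of the question's topology: Home (192.168.1.0/24), Work
# (192.168.2.0/24) and Remote (10.0.1.0/24), joined by Home<->Work and Work<->Remote
# tunnels. Each router's table is a list of (prefix, next hop); "local" means on-link.
TUNNEL_PEER = {"tun-work": "work", "tun-home": "home", "tun-remote": "remote"}

def build_tables(home_default_via_tunnel: bool, remote_knows_home: bool) -> dict:
    home = [("192.168.1.0/24", "local")]
    if home_default_via_tunnel:          # option 2: everything goes via the office
        home.append(("0.0.0.0/0", "tun-work"))
    else:                                # option 1: one specific route per remote network
        home += [("192.168.2.0/24", "tun-work"), ("10.0.1.0/24", "tun-work")]
    work = [("192.168.2.0/24", "local"), ("192.168.1.0/24", "tun-home"),
            ("10.0.1.0/24", "tun-remote")]
    remote = [("10.0.1.0/24", "local"), ("192.168.2.0/24", "tun-work")]
    if remote_knows_home:                # the return route the first answer points out
        remote.append(("192.168.1.0/24", "tun-work"))
    return {"home": home, "work": work, "remote": remote}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when there is no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, site, dst, max_hops=8):
    """Forward one packet site by site; returns the sites traversed, or None if dropped."""
    path = [site]
    for _ in range(max_hops):
        hop = lookup(tables[site], dst)
        if hop is None:
            return None              # no route: this router drops the packet
        if hop == "local":
            return path
        site = TUNNEL_PEER[hop]
        path.append(site)
    return None                      # loop guard

def round_trip_ok(tables, src_site, src_ip, dst_site, dst_ip):
    """A session only works if both the request and the reply find a route."""
    fwd = trace(tables, src_site, dst_ip)
    back = trace(tables, dst_site, src_ip)
    return bool(fwd and fwd[-1] == dst_site and back and back[-1] == src_site)

if __name__ == "__main__":
    for fix in (False, True):
        t = build_tables(True, fix)
        print(fix, trace(t, "home", "10.0.1.1"), round_trip_ok(t, "home", "192.168.1.10", "remote", "10.0.1.1"))
```

Run as-is it shows that the forward path Home -> Work -> Remote exists either way, but the session only succeeds once Remote's router has a route for 192.168.1.0/24 back through the Work tunnel.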