Three-Sides Communication through VPN

It is common for a company to have a headquarters and a few branches located in different places. The network administrator can establish a VPN tunnel between the headquarters and each branch, so the employees at the branch sites can access the services and resources in the headquarters. The network administrator can also establish VPN tunnels between the branch sites, so the employees at different branches can access each other's sites. However, this is only an easy job for the network administrator when there are only a few branches.

Let us do a simple calculation: how many VPN tunnels must the network administrator construct so that the employees can access every site's services and resources? With three sites, the network administrator needs three tunnels; with four sites, six tunnels; with five sites, ten tunnels. With n sites, we need 1 + 2 + ... + (n-1) = n(n-1)/2 tunnels. Handling this number of VPN tunnels is no longer an easy job for the network administrator.

To make the task easier, the network administrator can construct a VPN tunnel between each branch and the headquarters, then let the headquarters forward the traffic from one branch to another. The network administrator then only needs to construct and maintain as many VPN tunnels as there are branch offices.

This article introduces how to create a LAN to LAN multiple VPN clients using IPSec, and to let the branch offices communicate with each other through Following is the scenario.


The Vigor Router in the headquarters will be the VPN server (dial-in site), and both Vigor Routers in the branch offices will be the VPN clients (dial-out sites).

VPN configuration on Vigor Router in HQ

Go to VPN and Remote Access >> IPsec General Setup, and enter the PSK (PreShared Key)

Configuration on HQ VPN server for Branch_2960

Go to VPN and Remote Access >> LAN to LAN, and click an available index

In Common Settings:

  1. Check Enable this profile.
  2. Select Call Direction as "Dial-In".

In Dial-In Settings:

  3. Select the IPSec Tunnel service.

In TCP/IP Network Settings:

  4. Enter the LAN IP and Subnet Mask of the remote side in Remote Network IP and Mask.

Configuration on HQ VPN server for Branch_2860

This is similar to the configuration for Branch_2960; only the remote network needs to change, to the LAN of the Vigor2860.

VPN configuration on Branch_2960

Go to VPN and Remote Access >> VPN Profiles.

  1. Click Add to create a new IPsec VPN Profile.
  2. Enable the profile and set the name.
  3. Input Vigor2960's LAN IP and Subnet Mask as Local IP/ Subnet Mask.
  4. Input the WAN IP/Domain of VPN server as Remote Host.
  5. Input the LAN IP and Subnet Mask of VPN server as Remote IP/Subnet Mask.
  6. Input the LAN IP and Subnet Mask of Branch_2860 in More Remote Subnet.
  7. Input the Preshared Key.

VPN configuration on Branch_2860

Go to VPN and Remote Access >> LAN to LAN, and click an available index

In Common Settings:

  1. Check Enable this profile.
  2. Select Call Direction as "Dial-Out".

In Dial-Out Settings:

  1. Select the IPSec Tunnel service.
  2. Set the Server's WAN IP/Domain of the remote side.
  3. Click "IKE Pre-Shared Key" and enter the preshared key.
 

In TCP/IP Network Settings:

  1. Enter the LAN IP of the remote site in Remote Network IP.
  2. The "More Route" function allows connections to other branch offices through the VPN server in the headquarters. To activate it, click "More" and follow the settings below.
    1. Set the LAN IP address and Subnet Mask of the other branch office.
    2. Click Add to add it to the Remote Network.

Once the IPSec tunnel is established between all three devices, you can check the tunnel status under Connection Management of each device. You can also use the Ping Tool under Diagnostics to check if you can ping the remote site.
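
The remote-subnet entries from the steps above can be planned and checked before they are typed into each router. The following is an added example, not DrayTek code: the subnets are constructed placeholders, and the function names plan_hub_and_spoke and audit_spoke are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing (placeholder subnets, not taken from the article).
SITES = {
    "HQ": "192.168.1.0/24",
    "Branch_2960": "192.168.60.0/24",
    "Branch_2860": "192.168.86.0/24",
}

def plan_hub_and_spoke(sites, hub):
    """Derive the remote subnets each router needs for hub-and-spoke IPsec."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    # Overlapping LANs make the tunnel selectors ambiguous, so reject them early.
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    spokes = [n for n in sorted(nets) if n != hub]
    # The hub holds one dial-in profile per spoke, each pointing at that spoke's LAN.
    plan = {hub: {s: str(nets[s]) for s in spokes}}
    for s in spokes:
        plan[s] = {
            "remote_network": str(nets[hub]),
            # Every other branch must be listed, or its traffic never enters the tunnel.
            "more_remote_subnets": [str(nets[o]) for o in spokes if o != s],
        }
    return plan

def audit_spoke(plan, spoke, configured_subnets):
    """Return (missing, unexpected) remote subnets for one spoke's profile."""
    wanted = {plan[spoke]["remote_network"], *plan[spoke]["more_remote_subnets"]}
    have = {str(ipaddress.ip_network(c)) for c in configured_subnets}
    return sorted(wanted - have), sorted(have - wanted)

if __name__ == "__main__":
    plan = plan_hub_and_spoke(SITES, "HQ")
    for device, cfg in plan.items():
        print(device, cfg)
    # Constructed misconfiguration: Branch_2860 lacks the "More" route to Branch_2960.
    print(audit_spoke(plan, "Branch_2860", ["192.168.1.0/24"]))
```

An "unexpected" entry is a remote subnet wider than, or different from, what the design requires, which is worth reviewing because it routes extra traffic through the headquarters tunnel.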

Now the branch offices should be able to reach each other through the Vigor router in the headquarters.

Ping from Branch_2960 to Branch_2860:

Ping from Branch_2860 to Branch_2960:

Published On: 2017-05-09