[VPN] Deploying VPN over WAN/Internet

Chris Gripp cgripp at automotive.com
Thu Nov 14 12:03:40 EST 2002


Your assumption is correct.  The packet would need to be:

encrypted at origin---decrypted at HQ---encrypted at HQ---decrypted at final destination

Most of the hardware VPN appliances like NetScreen and SonicWALL have made accommodations for this scenario.  You may see it referred to as tunnel cascading or some other term.  It is essentially the same as transitive trusts in NT/W2K lingo, if you are familiar with those.  If A can reach B and B can reach C, then A can reach C.  To get it to work correctly there are usually a few steps involved, the most important of which is typically assigning appropriate IP space per location so that the VPN routing engine can "cascade" the tunnels.  If you already have a platform selected for the VPN, it may help the list give you more specific information about your solution.


Christopher S. Gripp
Sr. Network Engineer
Automotive.com

-----Original Message-----
From: Max Ho [mailto:maxhofw at earthlink.net]
Sent: Tuesday, November 12, 2002 8:54 PM
To: vpn at lists.shmoo.com
Subject: [VPN] Deploying VPN over WAN/Internet


I am looking for help with deploying VPN on a private WAN that connects
20+ sites (the carrier is considered non-HIPAA compliant). Only one of
these sites has Internet access (i.e. @HQ).  I can't figure out how VPN
connections from the Internet can get to a non-HQ site without having
the packet decrypted at HQ and re-encrypted to go over the WAN to the
non-HQ site.


|------------Encrypted---------|-----Decrypted-----|--------Encrypted-------|
VPN client----Internet----FW/VPN---HQ---FW/VPN-----WAN-----FW/VPN---Remote Site

If there were previous threads on the list that discuss this
scenario, please point me to the approximate month/year.   Thanks.






_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
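
The reply above names per-location IP space as the key step for cascading tunnels through HQ. The following is an added example, not part of the original thread or any vendor's tooling: it checks a hub-and-spoke addressing plan for collisions and derives what each spoke must route into its tunnel. All site names and address ranges are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed plans: names and ranges are assumptions, not from the thread.
GOOD_PLAN = {"HQ": "10.0.0.0/16", "client-pool": "10.250.0.0/24",
             "site-01": "10.1.0.0/16", "site-02": "10.2.0.0/16",
             "site-03": "10.3.0.0/16"}
# Two sites left on the same default LAN range: the hub cannot tell them apart.
BAD_PLAN = {"HQ": "10.0.0.0/16", "client-pool": "10.250.0.0/24",
            "site-01": "192.168.1.0/24", "site-02": "192.168.1.0/24"}

def parse(plan):
    return {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}

def find_overlaps(plan):
    """Return sorted name pairs whose address space collides."""
    nets = parse(plan)
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def remote_selectors(plan, site):
    """Networks `site` must send into its tunnel to the hub: every other
    location, summarized, so traffic for them cascades through HQ."""
    others = [n for name, n in parse(plan).items() if name != site]
    return [str(n) for n in ipaddress.collapse_addresses(others)]

def tunnel_path(plan, hub, src, dst):
    """Locations a packet visits; at the hub it is decrypted and re-encrypted."""
    nets = parse(plan)
    def owner(ip):
        hits = [name for name, n in nets.items()
                if ipaddress.ip_address(ip) in n]
        if len(hits) != 1:
            raise ValueError(f"{ip} matches {hits or 'no location'}")
        return hits[0]
    a, b = owner(src), owner(dst)
    if a == b:
        return [a]
    return [a, b] if hub in (a, b) else [a, hub, b]

if __name__ == "__main__":
    print("collisions:", find_overlaps(BAD_PLAN))
    print("site-01 routes into tunnel:", remote_selectors(GOOD_PLAN, "site-01"))
    print("path:", tunnel_path(GOOD_PLAN, "HQ", "10.250.0.10", "10.2.5.20"))
```
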
