VPN Routing Help
#1
Scooby Regular
Thread Starter
We've got a Linux-based VPN configured between two offices. The VPN works fine and I can ping hosts directly connected to the firewall/VPN servers on both remote offices.
At this remote office we have a basic single subnet, but at the other office we have an internal router that splits the network into 3 separate ones.
From the other office I can ping all my hosts, but when I try to ping the remote networks the tracert shows them bypassing the VPN tunnel and heading out across the Internet.
I'll try and stick up a diagram to show what I'm meaning.
Stefan
#2
You need to edit the routing tables to send the packets you want to certain addresses down the VPN, i.e. from a DOS prompt/bat file
route add 15.0.0.0 MASK 255.0.0.0 16.45.161.99 METRIC 1
#3
Scooby Regular
Thread Starter
Yeah, I understand the routes but they don't seem to be working.
These are the routes I've created:-
network        subnet           gateway
192.168.52.0   255.255.255.0    192.168.10.1
192.168.54.0   255.255.255.0    192.168.52.1
192.168.56.0   255.255.255.0    192.168.52.1
Under the VPN configuration, you tell it the left/right IP addresses (i.e. both public IP addresses) and the left/right subnets you connect to.
If I tracert 192.168.52.1, it disappears up the VPN tunnel. If I tracert any other subnet it goes out across the net.
It works fine from the other direction (networks shown on right-side of diagram).
Stefan
#4
Scooby Regular
Are all the networks listed in the Security Association? You shouldn't need to add static routes if the VPN devices are your default gateways at each site.
I would guess that your extra networks aren't listed in the far end's SA.
#5
Scooby Regular
Thread Starter
Jeff, not sure what you mean by that
It's Trustix Firewall 3.0 we're using here. Don't ask why they didn't stick with a mainstream version
On the VPN GUI, you simply create a VPN gateway. You are asked for a description, the remote (public) IP address, their subnet, your own subnet and finally the shared secret.
I can't see anywhere to stick details of the other two subnets.
I did try to create a couple more connections, but that didn't work.
Stefan
#6
Scooby Regular
You probably need to repeat the process for all the subnets, i.e.
Firewall 192.168.10.1 will need
VPN SA for 192.168.52.x
VPN SA for 192.168.54.x
VPN SA for 192.168.56.x
Using all the same details except the destination Network. You will also need to remove the static routes that you have added as this will confuse the box.
Firewall 192.168.52.2 will need
VPN SA for 192.168.10.x
& static routes to
192.168.54.x
192.168.56.x
Router 192.168.52.1 needs
a default gateway of 192.168.52.2
Does that make any more sense ????
Jeff
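The point Jeff makes in #4 and #6 (traffic only enters the tunnel when it matches an SA, so the extra subnets need their own SAs on the left firewall and ordinary static routes on the right one) is modelled below. This is an added example, not code from the thread or from Trustix: it assumes both firewalls are policy-based IPsec gateways that encapsulate a packet only when it matches a Security Association's traffic selectors and otherwise forward it by the normal routing table. The addresses come from the thread; "isp-gateway" and the host 192.168.10.20 are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two sites in the thread (assumption: both firewalls
# are policy-based IPsec gateways, so a packet is encapsulated only when it
# matches the traffic selectors of a configured Security Association; anything
# else is forwarded by the ordinary routing table).

# Left-site firewall 192.168.10.1: the single SA Stefan first configured...
SA_LEFT_BEFORE = [("192.168.10.0/24", "192.168.52.0/24")]
# ...and Jeff's suggestion: one SA per remote subnet, same peer details.
SA_LEFT_AFTER = [("192.168.10.0/24", "192.168.52.0/24"),
                 ("192.168.10.0/24", "192.168.54.0/24"),
                 ("192.168.10.0/24", "192.168.56.0/24")]

# Left firewall routing table: connected LAN plus a default route to the ISP.
# "isp-gateway" is a placeholder name for the public next hop.
LEFT_ROUTES = [("192.168.10.0/24", "direct"),
               ("0.0.0.0/0", "isp-gateway")]

# Right-site firewall 192.168.52.2: after decryption it must know that the two
# extra subnets live behind the internal router 192.168.52.1.
RIGHT_ROUTES = [("192.168.52.0/24", "direct"),
                ("192.168.54.0/24", "192.168.52.1"),
                ("192.168.56.0/24", "192.168.52.1"),
                ("0.0.0.0/0", "isp-gateway")]


def sa_match(sas, src, dst):
    """Return the (local, remote) selector pair covering src->dst, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in sas:
        if src in ip_network(local) and dst in ip_network(remote):
            return (local, remote)
    return None


def route_lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(sas, routes, src, dst):
    """Decide what a gateway does with an outbound packet: tunnel or clear."""
    sa = sa_match(sas, src, dst)
    if sa is not None:
        return f"tunnel {sa[0]} <-> {sa[1]}"
    net, next_hop = route_lookup(routes, dst)
    return f"clear via {next_hop} ({net})"


def trace_left_to_right(sas, dst, src="192.168.10.20"):
    """Left host -> right host: the decision at 192.168.10.1, then the hop the
    right firewall takes after decapsulation (only if the tunnel was used)."""
    first = forward(sas, LEFT_ROUTES, src, dst)
    if not first.startswith("tunnel"):
        return [first]  # left the site in the clear; never reaches 192.168.52.2
    net, next_hop = route_lookup(RIGHT_ROUTES, dst)
    return [first, f"right firewall -> {next_hop} ({net})"]


if __name__ == "__main__":
    for dst in ("192.168.52.1", "192.168.54.5", "192.168.56.5"):
        print(dst, "before:", trace_left_to_right(SA_LEFT_BEFORE, dst))
        print(dst, "after: ", trace_left_to_right(SA_LEFT_AFTER, dst))
```

With only the original SA, a packet for 192.168.54.5 fails the selector check and falls through to the default route, which is exactly the tracert heading out across the Internet; a static route on the left firewall does not change that, because the SA check, not the route, decides whether traffic is encapsulated. With the three SAs in place the same packet is tunnelled, and the static routes on the right firewall are what deliver it onward to the internal router 192.168.52.1.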
#7
Scooby Regular
Thread Starter
Yes, that makes sense apart from the multiple SA's. There's two parts on the GUI that you can create these.
1) on the main config screen, but this would need 3 separate VPN tunnels, or
2) you create a single VPN gateway and tunnel, then define the 3 separate subnets within that.
I'll try both and see how I get on.
It's just routing from the left network that's not working. I can ping the left network from any machine on the right.
Stefan
#10
Scooby Regular
Thread Starter
No, not yet.
Tried adding the 3 separate VPN tunnels, but that didn't work. I'm trying to get hold of the techie that gave me some training on it a while back to see what I'm doing wrong.
Thanks for all your help so far Jeff.
Stefan